Riverbank Ruminations: Vacation

Observations from the banks of the technology river

Last year we finally took a vacation to Hawaii. My wife did the search for accommodations and arranged the places we were going to stay. Part of what we wanted to see was the erupting volcano on the island of Hawaii. We have seen it on other trips but the action had always been pretty mild. In 2018 the volcano was very active and we were hoping to get a view of the action by renting a nearby property via Airbnb. Three weeks after we sent our deposit, we received notice that we were being refunded – over 700 homes were destroyed in one development. The rental we booked was either one of those houses, or was in an area that was no longer accessible. We stayed on the other side of the island, and had a good trip. So what does that have to do with security?

Unlike some people, we actually rented (or tried to rent) from the real Airbnb. The online article ‘Land Lordz’ Service Powers Airbnb Scams by Brian Krebs details a scam involving a fake Airbnb site. What makes this sad is this statement:

People who lose money in these scams fail big time on two things. First, they fail to notice they are not on airbnb.com. More importantly, they end up wiring money to secure the promise of a fake apartment or home in another country, and the thieves cut off all communications at that point.

Let’s examine that statement. I don’t know how the victims got to the bad web page but the article states that one URL used by the scammers was airbnb.longterm-airbnb.co.uk. The actual URL that should be used is www.Airbnb.co.uk or www.airbnb.com/s/United-Kingdom-England. Now for US travelers, the first step would be typing www.airbnb.com into a browser and thus being sure they were on the right page. Putting England in the search criteria there gets things started. Interestingly, using the Airbnb.co.uk URL (at least from my computer) takes me to an Airbnb page that displays Airbnb, Inc. [US] in the address bar where you can click to get certificate information. The cert is for Airbnb in the US which is actually what you would want to see for a US company.

Now for the interesting part. The aforementioned article is describing a scam that is facilitated by a SaaS (Software as a Service) called “Land Lordz”. This is just another entry in services that are provided for scammers either too inexperienced or too lazy to do the work necessary. For $550 per month a Land Lordz “basic plan” subscription at landlordz.site that helps him manage more than 500 scam properties and interactions with up to 100 (soon-to-be-scammed) “guests” looking to book the fake listings.

This service helps ‘manage’ all the properties and the correspondence between the ‘landlord’ and the renters. As you might imagine, the potential for profit is quite large, the risk minimal. Brian Krebs also mentions this article about someone who ALMOST got scammed. From that article:

Then we noticed that the URL of the listing was a little bit off. It showed “www.airbnb.com-request-booking.space/booking/…”. We were a bit confused by this, but as the URL started with “www.airbnb.com” I figured there was no way it could be a SPAM site.

It was my understanding that if the URL started with the proper brand with a dot com, it had to be authentic.

Here we see a misunderstanding about how URLs work. Do you understand them? In my security awareness training sessions, one basic concept that I want to make sure everyone understands is what part of the URL is important and what is not important in determining if a URL is good or bad. Let’s look at the URL in question:

1. Find the top level domain by locating the first “/” of the URL, then the first “.” to the left of it. In this example, it’s “.space” not “.com”
2. Find the “.” to the left of the “.” in Step 1. This is the entity you’re connecting to. In this example, it’s “com-request-booking.space” – not “airbnb.com”
3. Understand that what comes before that second period is not helpful in determining legitimacy–it can be anything. It does not have to be “www” to be valid.

What both of these examples illustrate is the need to make sure your mind does not go on vacation when browsing the web. Always check the URL, ESPECIALLY if you are clicking on a link. You should ALWAYS hover over a link to see where you are going. Links can be very different from what they display. You see this all the time when there is a button labeled “Click here for more information” on a web page. Stay alert when going online so you are not like this person mentioned in Brian Krebs’ article,

this poor sucker, who paid $1,200 in exchange for a piece of paper which promised they’d hand over keys to the apartment at a specific date (Spoiler alert: he didn’t get any keys).

A knowledgeable team is always your best defense from online scams. Contact Ashton Technology Solutions if you’d like help training your team.