from Hacker News

Ask HN: Tracking down fake Airbnb owner

by asdojasdosadsa on 3/6/20, 1:00 PM with 10 comments

Case: Not so technical colleague got scammed for 2 months rent. What can he do?

Steps:

1. He found an apartment listing on immobiliare.it

2. Some emails were exchanged

3. He receives the link to the _real_ Airbnb listing

4. He can't find it there, and the scammer sends the phishing page[1] (from @expertdesigner.eu)

5. Soon after he receives another email, from @airbnb.sa.com, saying that the database is down and that he should meanwhile move the money using transferwise.com

6. Payment done

7. Scammer replies: Payment received

The login page was quite well made, and I think most non-technical people might get fooled

[1] The URL: https://airbnb.com-itinerary.app/rooms/762837232/files/login.php?id=572465&locale=en&sale=203&

Thoughts?
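A defender-side check for the two deceptive domains in the post (the phishing host airbnb.com-itinerary.app and the sender domain airbnb.sa.com): a host belongs to a brand only if it is the brand domain or a proper subdomain of it, so a brand name appearing anywhere else in the host is a lookalike. This is an added example, not code from the original post; it assumes the imitated brand is airbnb.com, and the control inputs are constructed.

```python
from urllib.parse import urlsplit

# Brand the phishing kit imitated (as stated in the thread). Assumed for this example.
BRAND = "airbnb.com"

# Constructed samples: the phishing URL and two sender domains from the post,
# plus a genuine control and a userinfo trick ("airbnb.com" before the '@').
SAMPLES = [
    "https://airbnb.com-itinerary.app/rooms/762837232/files/login.php?id=572465",
    "https://airbnb.com@evil.example/login",   # host is evil.example, not airbnb.com
    "noreply@airbnb.sa.com",                    # sender domain from step 5
    "support@expertdesigner.eu",                # sender domain from step 4
    "https://www.airbnb.com/rooms/762837232",   # genuine control
]


def extract_host(ref: str) -> str:
    """Return the lower-cased host from a URL or an e-mail address."""
    if "://" in ref:
        host = urlsplit(ref).hostname or ""     # drops userinfo, port, path
    elif "@" in ref:
        host = ref.rsplit("@", 1)[1]            # domain part of an address
    else:
        host = ref
    return host.lower().rstrip(".")             # normalise case and trailing dot


def is_under_brand(host: str, brand: str = BRAND) -> bool:
    """True only if host is the brand domain or a proper subdomain of it."""
    return host == brand or host.endswith("." + brand)


def looks_like_brand(host: str, brand: str = BRAND) -> bool:
    """True if the brand's name is embedded in a host the brand does not own."""
    label = brand.split(".")[0]                 # "airbnb"
    return label in host and not is_under_brand(host, brand)


def classify(ref: str, brand: str = BRAND) -> str:
    """Label a URL or e-mail address as legitimate, lookalike or unrelated."""
    host = extract_host(ref)
    if is_under_brand(host, brand):
        return "legitimate"
    if looks_like_brand(host, brand):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{classify(ref):10s} {extract_host(ref)}")
```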

  • by gus_massa on 3/6/20, 1:24 PM

    The title is slightly confusing. Note that it is a ((fake Airbnb) owner), not a (fake (Airbnb owner)).
  • by nwsm on 3/6/20, 2:12 PM

    I don't have any advice but I hope they are able to recover their money. Shitty people like that are why some US states like Massachusetts now require all renters to find apartments through a registered broker. Sounds nice and safe but it ended up in me paying 4 months rent to get a new apartment. (2 months rent + security deposit + broker fee which was over a month's rent)
  • by dfyr on 3/7/20, 4:40 AM

    There's more to it, more php machinery, but in short:

    Basic Info

    - username at home dir: comitin1
    - LiteSpeed server
    - SERVER_ADMIN=webmaster@airbnb.com-itinerary.app
    - English not first language

    - Sends over location, victim ip-port pair, protocol, client, TLS encryption suite

    Client (Victim):

    From main.html:

    POST /transaction.php?id=1 --> transaction.html

    POST /transaction-process.php --> attacker no longer cares...empty response body

    Admin

    https://airbnb.com-itinerary.app/rooms/762837232/files/manag...

    Login with POST /index.php with username and password

    There is a whole interface for easy management of properties, with its own UI! It does proper client and server-side validation of inputs, uses a set of images of houses and hosters.

    POST /process-data.php

    POST /send-discount.php for a particular property id

    POST /edit-discount-process.php

  • by sonicxxg on 3/6/20, 2:20 PM

    Is "Not so technical" euphemism for naive? This sucks, but also seems like a low effort scam.
  • by philpem on 3/6/20, 1:07 PM

    This is gonna sound a bit granny-suck-eggs... but I hope your friend reported it to the police?