Cybercriminals using GDPR implementation to scam Airbnb clients

by Lucia Danes

The GDPR change makes organizations send out thousands of emails

Airbnb phishing scam

Since the EU General Data Protection Regulation[1] (GDPR) is planned to be implemented on 25 May 2018, hundreds of companies and organizations are in a hurry to update their privacy policies. This new law is expected to expand users' rights and put more pressure on companies that handle personal information by making them more accountable for data protection. As a result, millions of companies have started informing their users about these changes and urging them to accept their new privacy policies.

Unfortunately, cybercriminals are also aware that the new data protection regulation is about to take effect. According to the latest reports, they have started using it to scam users and trick them into giving away their names, addresses, credit card details and other personal information with the help of malicious phishing emails.

One such example was discovered by cyber security experts from Redscan,[2] who came across a new string of phishing emails that use Airbnb's name to extort valuable information.

Criminals are using social engineering to make their fake email look genuine

According to Mark Nicholls, the director of cyber security, these Airbnb scams have mainly been targeting business addresses, which are believed to have been obtained online. Cybercrooks are aware that many firms are expecting this sort of email to arrive; therefore, it becomes much easier to trick their employees and steal their personal data.

The fraudulent email looks quite similar to the one sent by Airbnb and claims that, due to GDPR implementation, users need to accept the new privacy policy. Otherwise, their bookings and messages will not be accepted. In addition, victims are prompted to click on the “Click here to accept the new Privacy Policy” link at the end of the message.

If they proceed, they are asked to enter account information and credit card details. Although the login screen might seem legitimate, it is entirely fake and was cleverly designed by malicious actors. Unfortunately, many users are expected to click the link straight away because the whole email's design looks genuine. However, upon more detailed inspection, one can notice that the domain used by the crooks is not correct – they use @mail.airbnb.work instead of @airbnb.com. Additionally, the original email includes much more detail about the GDPR change and does not require customers to enter their credentials.
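The sender-domain check described above can be automated in a mail filter or triage script. The following Python sketch is an added example, not code from Airbnb or Redscan; it assumes airbnb.com is the only legitimate sending domain, and the local parts and the example.net/example.org addresses are constructed samples.

```python
from email.utils import parseaddr

# Assumption: the article names airbnb.com as the genuine sender domain.
LEGIT_DOMAIN = "airbnb.com"
BRAND = "airbnb"

# Constructed sample From headers; only mail.airbnb.work comes from the article.
SAMPLE_HEADERS = [
    "Airbnb <privacy@mail.airbnb.work>",
    "Airbnb <automated@airbnb.com>",
    '"Airbnb Support" <help@example.net>',
    "Alice <alice@example.org>",
]

def classify_sender(from_header: str) -> str:
    """Classify a From header by comparing its domain with the legitimate one."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    # Exact match or a true subdomain (the leading dot stops "notairbnb.com").
    if domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN):
        return "legitimate"
    # Brand name appears inside a different domain, e.g. mail.airbnb.work.
    if any(BRAND in label for label in domain.split(".")):
        return "lookalike"
    # Brand only in the display name, address on an unrelated domain.
    if BRAND in display.lower():
        return "display-name-spoof"
    return "unrelated"

def flag_suspicious(headers: list[str]) -> list[tuple[str, str]]:
    """Return (header, verdict) pairs for senders that imitate the brand."""
    verdicts = ((h, classify_sender(h)) for h in headers)
    return [(h, v) for h, v in verdicts if v in ("lookalike", "display-name-spoof")]

if __name__ == "__main__":
    for header, verdict in flag_suspicious(SAMPLE_HEADERS):
        print(f"{verdict:20} {header}")
```

A "legitimate" verdict here only means the domain string matches; the From header itself can be forged, so the SPF, DKIM and DMARC results for the message still need to be checked.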

Phishing email streak is most likely to continue

Airbnb encouraged all users to report the fraud and forward the email to report.phishing@airbnb.com. Additionally, the company provided some tips[3] on how the phishing email can be spotted. 

However, as the deadline is getting closer, it is believed that cybercriminals will continue abusing high-profile organizations and popular brands to trick users and obtain their data. Furthermore, malicious spam email authors might use the General Data Protection Regulation change to spread malware, including ransomware or ever-more-popular coin miners,[4] in order to extort money or data out of users. Beware that stolen data might be used for illegal activities, such as money snatching, identity theft,[5] etc.

About the author

Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.


References