Threat Research

Airbnb scam sends you to a fake Tripadvisor site, takes your money | Malwarebytes

Securonix

Malwarebytes researchers describe an Airbnb scam where attackers lure victims to a fake TripAdvisor page to book and pay for an Amsterdam property. The fraud relies on impersonation, shortened URLs, and spoofed emails, with Malwarebytes Browser Guard warning users. #Tripadvisor #MailerFX

Keypoints

  • A co-worker encountered a scam while booking an Amsterdam apartment advertised on Airbnb, with the owner asking to contact by email.
  • The scammer claimed bookings should go through Tripadvisor due to supposed Airbnb issues and higher Airbnb fees.
  • Emails included two shortened URLs that supposedly linked to the same property, used to redirect victims to a fake site.
  • The sender email appeared as [email protected], not a Tripadvisor address, signaling impersonation.
  • A fake Tripadvisor site redirected Stefan to a fraudulent booking flow; Malwarebytes Browser Guard warned against continuing.
  • Researchers identified a large campaign with hundreds of related sites (about 220), including patterns like tripadvisor-pre-approved… and airbnb-pre-approved… domains.
  • Practical tips to avoid scams include verifying links, booking on the official platform, not rushing, and keeping software updated.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – An email uses shortened URLs to direct the target to a counterfeit booking site. Quote: “Included in the mail were two shortened URLs which the owner claimed linked directly to the same property.”
  • [T1036] Masquerading – The scam impersonates legitimate services (Tripadvisor/Airbnb) and uses a deceptive sender address to appear legitimate. Quote: “The sender email showed up as ‘[email protected]’ — not exactly the email address you’d expect from Tripadvisor itself.”

Indicators of Compromise

  • [Email] context – [email protected]
  • [URL] context – https://tripadvisor-pre-approved-7f18-4bf6-8470-a6d44541e783.tynoli.cfd/d07f/luxury-apartment-for-rent-in-amsterdam/f47fde
  • [URL] context – tinyurl.com (URL shortening used to obfuscate landing page)
  • [Domain] context – tynoli.cfd, mucolg.buzz

Read more: https://www.malwarebytes.com/blog/news/2024/02/airbnb-scam-sends-you-to-a-fake-tripadvisor-site-takes-your-money

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint