News broke this week that criminals are attempting to trick Airbnb users into handing over passwords and credit card details by taking advantage of the flood of emails being sent out ahead of the new European General Data Protection Regulation. The email included the following message:
“This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States-based companies, like Airbnb in order to protect European citizens and companies,” the message said, according to the Redscan researchers who uncovered the scam. The emails seem to be directed to business addresses.
With the GDPR deadline set at the end of this month, cyber criminals seem to be using this as a ploy to unleash new attacks to dupe unsuspecting victims.
We spoke to cybersecurity experts to gain their thoughts on phishing, protective measures against scams and advice to unfortunate victims in light of the latest scam.
Tim Helming, director of product management at DomainTools, said:
“Cybercriminals are just as attentive as the rest of us to the news, and GDPR has been difficult to escape for the last year. As consumers receive more and more legitimate emails from brands engaging with best practices in advance of GDPR, it only follows as logical (and somewhat ironic) that scammers would take advantage of this. Phishers thrive on a lack of caution from their targets, so masking a scam as part of a legitimate flurry of emails comes as no surprise. Users who receive a GDPR email should be aware that personal details or credit card information should not be handed over, in any scenario, as part of an organization moving towards a GDPR compliant policy.”
Paul Edon, technical director at Tripwire, added:
“Hackers are getting better at creating ways to trick users, and this attack on Airbnb customers is evidence of that. Phishing campaigns are extremely popular and aim to dupe people into giving away personal and financial information, which is why individuals should be vigilant of the links and attachments sent to them. If you believe it could be suspicious then avoid interacting. However, malicious cyber criminals are preying on human naivety, which is why these attacks continue to be used. Granted, it is becoming difficult to track malicious attackers as they are getting better at mimicking valid content from reputable organisations. The best way people can help avoid future attacks is by educating themselves about the risks and consequences of clicking unknown links and attachments. Regardless of whether you believe the email to be legitimate or not, never click on inbuilt links. Always open your own web browser and log in to your account on the official website. If there is a legitimate requirement for you to update or re-enter information, it should be referenced within your specific account instance.”
Martin Jartelius, CSO at Outpost24, stated:
“In modern phishing attacks, advice such as ‘look for fake email addresses’ no longer holds true. Companies with more advanced technologies will be able to detect email spoofs accurately; otherwise, there is nothing that prevents a sender from pretending to be someone else. Follow the advice to never trust an email based on its listed sender address.
Also, these emails only become a risk when an answer is expected via the reply-to email or a link click. So if you receive a suspicious email, open your browser and log in to your account yourself; do not use the links in the email. This way, you are in control of what is happening and what page you are visiting.
The best way for organizations to mitigate phishing attempts is to ensure users’ details (such as registered emails) are not exposed publicly in the first place, and use available technologies such as SPF, DKIM and DMARC to ensure that email validity can be checked and verified.
But as phishing does not rely on an organization’s servers, IT systems or staff, it is very hard to eliminate it completely. For users who have fallen victim to the scam – change your credentials (login and passwords) for any affected accounts; contact your bank and review billing history if your payment details are compromised; and if it was just general information, consider it a lesson learnt and act with more care in the future.”
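The SPF and DMARC records Jartelius refers to only stop a spoofed sender if they are configured to enforce. The following checker, an added example written for this article and not code from any of the quoted experts or their companies, reads a domain's SPF and DMARC TXT records from a constructed lookup table (the `weak.example` and `hardened.example` domains and their records are invented for illustration) and reports whether a DMARC-enforcing receiver would refuse mail that forges that domain in the From: header.

```python
import re

# Constructed sample DNS TXT records for two hypothetical domains (not from the article):
# a weakly configured one and a hardened one.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.mailer.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "hardened.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.hardened.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"],
}

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_default(record):
    """Result an SPF record gives to hosts matching none of its mechanisms."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not match:
        return "neutral"  # no 'all' mechanism: unmatched senders are neither authorised nor rejected
    return {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass", "": "pass"}[match.group(1)]

def assess_domain(domain, txt):
    """Return (protected, findings): whether a receiver enforcing DMARC would refuse mail
    that spoofs this domain in the From: header, plus a list of readable weaknesses."""
    findings = []
    spf = next((r for r in txt.get(domain, []) if r.startswith("v=spf1")), None)
    dmarc = next((r for r in txt.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")), None)
    if spf is None:
        findings.append("no SPF record: receivers cannot tell which hosts may send for this domain")
    elif spf_default(spf) != "fail":
        findings.append(f"SPF default is '{spf_default(spf)}': unauthorised senders are not rejected by SPF alone")
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM results are not tied to the From: domain and no policy applies")
        return False, findings
    tags = parse_tags(dmarc)
    policy, pct = tags.get("p", "none"), int(tags.get("pct", "100"))
    if policy == "none":
        findings.append("DMARC p=none: failures are only reported, spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing messages")
    return policy in ("quarantine", "reject") and pct == 100, findings

if __name__ == "__main__":
    for name in ("weak.example", "hardened.example"):
        protected, notes = assess_domain(name, SAMPLE_TXT)
        print(name, "protected" if protected else "NOT protected", notes)
```

Against live DNS the same logic applies to the TXT records returned for the domain and its `_dmarc.` subdomain; a `~all` SPF record is acceptable once DMARC enforces, because DMARC treats anything other than an aligned SPF pass as a failure.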
Javvad Malik, security advocate at AlienVault, claimed:
“When it comes to phishing scams, criminals can get very creative in crafting emails which are difficult to distinguish from the real thing.
It is why making users aware of such scams and training them on how to spot them, and report them, can go a long way in reducing the chances of getting stung.
Additionally, companies should look to have threat intelligence which can provide updates on the latest phishing scams and the indicators to look out for to prevent them infiltrating the organisation.”