Hackers took control of my airbnb account - here is how it happens

This week I was the victim of a Russian hacker who got my email and password thru a phishing scam.

She got access to my account (login history says from St Petersburg, Russia) and:

  • turned off all notification alerts so I would not be informed of what she was doing,
  • posted 2 fake apartments in my area (photos, description, everything!) on instant booking on my profile,
  • switched my listings all to instant booking
  • and was in the process of changing my email and password when luckily I was just in time to stop her.

Then (as revenge? or to distract me from what she was doing on airbnb?) she destroyed my main email account, enrolling it into thousands of websites per minute so I get thousands of spams per hour; the email must be closed down.

Here is the detailed story of what happened, please read, it can happen to you.

I am tech savvy and very prudent. I fell for this due to the airbnb pressure to respond quickly to inquiries and use my phone to respond instead of waiting till I'm home to use the computer.

(1) Phishing

After landing from a trip I noticed an inquiry from a guest "Camilla". She wanted to book my place but she saw another with identical photos and wanted to check it was not a scam. She included an airbnb link in her inquiry to another listing. Since it was an internal airbnb link I thought I should check. I clicked on the link and it took me to the airbnb home page (so I thought). It was a phishing site that looked exactly like the airbnb login page. On the small screen of my phone I couldn't see the url and I couldn't see the imperfections of the fake airbnb website. I stupidly filled in my email and password. Of course it took me nowhere, so I did it again. Duh, duh, duh.

I'm sure if I had taken the time to do this on my computer at home I would have realized that this was a phishing site.

The URL was exactly like airbnb: https://www.airbnb.com/rooms/2222xxxxx?preview_for_ml=true&guests=1&adults=1 EXCEPT there was an accent over the N in airbnb like a spanish tilde, which I only noticed afterwards.

(2) Camilla now has my airbnb user and password

First thing she does is send me another little request asking if I accept pets. Ha!

(3) Deactivating notifications

Next thing Camilla does is deactivate every possible notification, on the settings page, so that I do not receive any email or text messages as she starts modifying all the other parameters of my account.

(4) Created fake postings and switch everything to instant book

She created two fake listings with photos, description, all the parameters up and on instant booking of course. She copied my apartment names and gave similar names to these fake listings.

She switched all of my REAL listings to instant book.

(5) Changed email associated with airbnb account

Camilla waited a bit perhaps to see if I was going to notice. I didn't!
Next day, she changed the email associated with my account to a new email that she created on mail.com to emulate my email.

Let's say my email is xxx.yyy@gmail.com, she created an email called xxx.yyy@mail.com. Obviously close to the original so an inattentive person would not even notice it!

(6) Spamming - revenge or distraction?

Almost immediately after changing my airbnb password AND messaging airbnb support, who did call back immediately, I started getting hundreds of spam on my email account.

Camilla had used my airbnb email to sign me up for thousands of newsletters, enroll me in forums, sign me up for appointments, free tests, whatever... hundreds of spam start flowing into my main email account.

That account is now impossible to use, I had to shut it down and spend 3 days managing this problem.

The hundreds of spam would also make it difficult for me to spot Airbnb support messages or notifications.

(7) Payout and Paypal account.

Camilla obviously saw everything in my account, my payout details, etc.
She was able to see that I had a paypal account linked to the airbnb email.
LUCKILY I have different password on that paypal account! Everybody, go change your paypal password if it is the same as any other website!

Post Script: I suspect "Camilla" might have actually been a GUEST at my apartment, a group of 3 Russians rented my place last month on BOOKING.com. They had strange behaviour, I've never had guests so messy and careless and unpleasant. After they were gone I thought perhaps the internet router had been tampered with. One of the guests has the same name and physical appearance as a professional computer programmer managing director at a russian "computer game" company (ie, troll farm), found on LinkedIn. They also paid the security deposit cash claiming they didn't have access to Paypal (!) and had me reimburse it on their Cyprus bank account (!) so now they know one of my account numbers.

1 Like

Oh dear @lililou1 all these problem guests and now this.

It's a fairly well known scam on Airbnb that you get an inquiry from a 'guest' to say they see your listing advertised cheaper elsewhere.

I think Airbnb could do more to make guests and hosts aware of the more common scams out there.

2 Likes

Wow that's an awful story. So sorry that you had to go through all of this. Thank you for sharing this.

1 Like

I never heard of it! But now I know!

I also can't believe I fell for the phishing fake website with password but it was because it was on my phone, small screen, and pressure to answer quick.

2 Likes

@lililou1

Thank you for sharing your story. I truly hate it happened. I hate you were a target.

Interesting information about the router.

It was kind and brave of you to share your story. Kind to help other hosts know what is occurring. Brave because there are too many people who blame the victim.

I hope you are able to get your accounts back to normal as quickly & easily as possible.

2 Likes

I wonder if the purpose was to pull off something like this person experienced?

2 Likes

Thank you so much for sharing your story and all the details of exactly what happened after your account was taken over. I received a similar phishing scam many years ago through Airbnb. The person said she was trying to book a place for a surprise for her boyfriend or something like that. And then asked if we could move email to her workplace email because they shared the aBB account or something and she didn't want him to see it? No problem. I will correspond with her at work...I don't care.

Then after some back and forth she sent her reply saying she has been looking at a bunch of places and before she books mine she wants to be sure that she has the correct place. I can't recall the details but I think I logged into my account and there was no message from her. I do remember my partner getting the notification and I told him not to click it. Thankfully he didn't have login details anyway.

Anyway, I know this took a lot of time for you to write especially with how much stress this has caused. I learned some tips from your post to prepare in case a hacker does take over an account. Thanks

2 Likes

Thank you for sharing your experience. I will definitely be more cautious.

This is so scary. I'm having two Chinese business people stay over for a conference here. I went against my principles to not have instant book on Airbnb because I paused my Airbnb for some years as I was living here. Anb suggested without instant book I wouldn't show up. I prefer guests to message me first before they book so I can ask pertinent questions. As I rent my entire house not just a room and therefore can't check up on them. Anyway I'm worried about my modem while I'm away and feel like I should ask for some EU document (the person is resident in Europe) as the Chinese passports I have from them won't be any use in a crisis. I am definitely going to remove instant book. Thanks for sharing. I welcome any advice from more seasoned hosts. X

Do you have the Airbnb app? First contact from any guest will come through it, thus removing any possible phishing emails.

Edit: just reread your initial post - was the link inside a message on the app or an email?

JF

@Donna_Jack - If you think you are not allowed to check up on them, you are mistaken. You just have to disclose it in your listing. You can have cameras outside. You could require a mid-stay housekeeping trip and have someone go in and clean (and check up on them at the same time).

It's common in our country for larger homes to have staff, so we do. My listing has the word "Staff" in the title. House rules state the housekeeper must be allowed in to clean every other day, and she has the right to inspect every day and clean if she thinks they are not keeping it clean enough between cleanings - and she's needed to do that for some slobs.

4 Likes

Yes of course we were using the Airbnb app, and that is why I fell for the phishing.

Airbnb did not block out the url she sent that is the whole point.

The url she sent was so close to the real Airbnb one, Airbnb didn't detect it. It was "Airbnb" with a tilde accent over the N that was the only difference.

And it took me to a page that looked identical to Airbnb on my phone.

3 Likes

This is totally unrelated.

What you posted is a scam for the GUEST, not the HOST.

They create a fake airbnb similar website to make people think they are booking thru airbnb when in fact it's a hack site.

I'm sorry, I understand how this could trap people, but it is not at all similar to what happened to me.

I got a URL on the AIRBNB website, which was not censured, which allowed me to click on it.

20 hours later I got a simple email saying that my guest "camilla" has had her account deleted because not respecting terms of contract airbnb but NOT telling me that they actually let a phishing url go thru and trap me! Why didn't they tell me at that point to change my password and my email?

Still waiting 1 month later for airbnb apology or reaction!

1 Like

Please don't hold your breath...

1 Like

It's not totally unrelated. The scammer gets control of a real host account in order to redirect guests to the scam website.

2 Likes

Even if I had cameras outside on the street (which violates my city's regulations anyway) how does this help me as ABNB are completely useless at follow up on claims by hosts or anything pertaining to conflict resolution. In the price war I would have to build in a cleaner to go mid stay and pay for it. Anyway airbnb is fast becoming a waste of time in every way.

1 Like

Just received a scam message sounding very similar through the AirBnB messaging app.

Like you, I was on my phone so I did click the link but didn't put in my login details as I was instantly suspicious.

I've reported the profile to AirBnB and changed my password just to be 100% certain. It was my first experience of this on AirBnB so it took me by surprise!

Here's the message so you can be aware of what's going around right now:

Hello,

I want to stay for 5 nights. Your place is amazing but i have some doubts and i need to clarify. I've found another listing similiar with yours with more reports.

You can see the 2nd listing :

https://airbnb.com/external_link?url=airbmbrent.com/login

Thanks

User was Diana, no pic, no details, no reviews, joined June 2019.

3 Likes

That is exactly tip top what I got.

Then they followed up a bit later and asked if I accept pets! To make it more realistic I suppose!

I don't get how Airbnb lets these slip through their filter when they so aggressively filter everything else!

If you didn't input your userid and password into the link they gave you, you should be OK.

Make sure your PayPal and email passwords are different than your airbnb password.

Good luck!

Well done for spotting it. The obvious sign that it is spam is:

a. they say there is another listing similar to yours and ask you to click on it (common scam on Airbnb and other listings)
b. the URL is /external - showing you it is directing to a site outside of Airbnb.

2 Likes

Unless there is some (unknown to me) reason for allowing this type of server behaviour, it's a poor show from Airbnb. A few lines of code is all that's needed to get rid of this vulnerability.

JF

2 Likes
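
The accented lookalike address from the first post and the `external_link` redirect quoted later in the thread can both be flagged by checking where a link really leads before it is shown or clicked. The following is an added example, not part of the thread and not Airbnb's code; the function names, the one-edit threshold and the assumption that the redirect destination travels in a `url` parameter are illustrative.

```python
import unicodedata
from urllib.parse import urlsplit, parse_qs

BRAND, TRUSTED = "airbnb", "airbnb.com"  # genuine brand label and domain

def split(url):
    """Parse a URL, tolerating a missing scheme as in 'airbmbrent.com/login'."""
    return urlsplit(url if "://" in url else "https://" + url)

def hostname(url):
    """Lowercase hostname with any punycode (xn--) labels decoded to Unicode."""
    host = (split(url).hostname or "").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:  # already Unicode, or not valid punycode
        return host

def skeleton(text):
    """Drop combining accents, so an n with a tilde collapses to a plain n."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def near_brand(label):
    """True if a brand-length slice of the label is within one edit of BRAND."""
    n = len(BRAND)
    slices = [label[i:i + n] for i in range(max(1, len(label) - n + 1))]
    return any(edit_distance(s, BRAND) <= 1 for s in slices)

def classify_link(url, depth=0):
    """Return 'trusted', 'lookalike' or 'external' for a link in a message."""
    host = hostname(url)
    if host == TRUSTED or host.endswith("." + TRUSTED):
        # Assumption: an on-site redirect carries its destination in 'url'; judge that.
        target = parse_qs(split(url).query).get("url")
        if target:
            return classify_link(target[0], depth + 1) if depth < 3 else "external"
        return "trusted"
    labels = skeleton(host).split(".")
    return "lookalike" if any(near_brand(l) for l in labels[:-1] or labels) else "external"
```

Anything other than `trusted` is a reason to type the site address by hand instead of following the link, whatever the page looks like on a small screen.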