Threat Management, Malware, Phishing

Phishing campaign aimed at Airbnb guests uses GDPR hook

Hackers are playing off of the impending implementation of General Data Protection Regulation (GDPR), posing as Airbnb hosts in emails saying victims must accept new privacy policy based on the regulation before further bookings can be made.

"This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States-based companies, like Airbnb in order to protect European citizens and companies," the message said, according to the Redscan researchers who uncovered the scam. The emails seem to be directed to business addresses.

“Hackers are getting better at creating ways to trick users, and this attack on Airbnb customers is evidence of that,” said Paul Edon, director at cybersecurity firm Tripwire.

"The irony won't be lost on anyone that cybercriminals are exploiting the arrival of new data protection regulations to steal people's data," Skynews cited Redscan Director of Cybersecurity Mark Nicholls Nicholls as saying.

GDPR has been a hot topic as the EU regulation deadline approaches later this month. “Cybercriminals are just as attentive as the rest of us to the news, and GDPR has been difficult to escape for the last year. As consumers receive more and more legitimate emails from brands engaging with best practices in advance of GDPR, it only follows as logical (and somewhat ironic) that scammers would take advantage of this,” said Tim Helming, director of product management at DomainTools. “Phishers thrive on a lack of caution from their targets, so masking a scam as part of a legitimate flurry of emails comes as no surprise.”

Helming said, “users who receive a GDPR email should be aware that personal details or credit card information should not be handed over, in any scenario, as part of an organization moving towards a GDPR compliant policy.”

Users, too, should take basic precautions to avoid becoming victims. “Regardless of whether you believe the email to be legitimate or not, never click on inbuilt links. Always open your own web browser and log in to your account on the official website,” said Edon. “If there is a legitimate requirement for you to update or re-enter information, it should be referenced within your specific account instance. However, malicious cybercriminals are preying on human naivety, which is why these attacks continue to be used.”

He noted, “it is becoming difficult to track malicious attackers as they are getting better at mimicking valid content from reputable organizations,” but said potential victims can avoid attacks by educating “themselves about the risks and consequences of clicking unknown links and attachments.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.