![[FCO]FreeCoursesOnline](https://onehack.us/uploads/default/original/3X/b/4/b4d2fc8468becec1e9976784dba394e5a378ec81.jpg){kind=small}
Jeffrey Ladish writes:
I was recently the (unsuccessful) target of a very well-crafted phishing scam. As part of a housing search a few weeks ago, I was trawling craigslist and zillow for rental opportunities in the SF bay area. I reached out to a beautiful looking rental place to inquire about a tour. Despite my experience as a security professional, I didn’t realize this was a scam until about the third email! Below I will account the story in excessive detail including screenshots. […]
- The phishing team – and given the work involved and the level of polish I bet it was a team – ran a pretty tight operation. Their English was perfect, their emails looked professional, and their phishing site looked identical the original Airbnb site. The email domain “engineers-hibernia-chevron [dot] ca” redirected to “hibernia [dot] ca” to add legitimacy for those who took the extra step of looking up the domain.
I’m even more impressed by their subtle psychological tricks. Each step of the way, they left out information which required me to ask for something if I wanted to proceed. It’s a lot easier to be on your guard when others are asking you for things. When you’re the one doing the asking, it’s even harder to say something when things look strange, because you may already feel like you’re being a burden on their time. For the initial ad, they left out the phone number so I had to ask.
After they told me I could look at their airbnb site, I had to ask for a link. Then, after they sent me to search on Airbnb’s site, I had to ask for the link again! That was deliberately planned! Throughout these interactions, they mentioned there were other people looking, maintaining a plausible sense of urgency.
Finally, using Airbnb as the phishing site was clever, because it gave the impression of a trusted middleman. I was genuinely thrown off at first, because I couldn’t figure out how they were planning to steal my financial information.
- If they had just asked for bank or credit card information early on, their game would have been easy to spot.