David Bisson

David Bisson is an infosec news junkie and security journalist. He works as Senior Content Manager at Bora, Associate Editor for Tripwire's "The State of Security" blog, Contributing Editor for IBM's Security Intelligence, and Contributing Writer for Palo Alto Networks' Security Roundtable, Gemalto, Venafi, Zix Corp, AlienVault, Barkly and others.

Scammers pushed out phishing emails that incorporated the European Union’s General Data Protection Regulation (GDPR) as a theme in an attempt to steal users’ sensitive information.

In early May, researchers at RedScan detected the phishing campaign when they received an email designed to look like it originated from the hospitality service Airbnb. The attack email addressed the recipients as Airbnb hosts and claimed that they could not interact with guests until they agreed to accept a new privacy policy.

Without naming the standard directly, the fake email asserted that GDPR was behind the senders’ decision to make their request:

“This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States based companies, like Airbnb in order to protect European citizens and companies.”

Clicking the link included in the email didn’t lead users to a privacy policy, however. Instead, it led them to a page that prompted them to submit their personal information, including their account credentials and payment card details. Bad actors could in turn have sold that data on the dark web or used it to stage secondary attacks.

After news of this phishing email broke, Airbnb came out with a statement confirming that it had not sent the emails analyzed by RedScan. As it told this author in an email:

“These emails are a brazen attempt at using our trusted brand to try and steal users’ details, and have nothing to do with Airbnb. We’d encourage anyone who has received a suspicious-looking email to report it to our Trust and Safety team on report.phishing@airbnb.com, who will fully investigate. We provide useful information on how to spot a fake email on our help centre and work closely with external partners to report and help remove fake Airbnb websites.”

Airbnb also clarified that the attackers never accessed users’ information and shared a full list of its aliases that commonly appear in official business correspondence.
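A published list of legitimate sender aliases is only useful if someone checks against it. As an added example (not code from the article, Airbnb or RedScan), the Python script below turns that idea into a triage check for a suspected brand-impersonation email: it compares the From domain with an allowlist (placeholder values, standing in for the real published list), flags links whose host is outside the brand’s domain, and flags the compliance-themed urgency wording used in the lure. The allowlist contents and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Placeholder allowlist: stands in for the sender aliases the brand publishes.
TRUSTED_SENDER_DOMAINS = {"airbnb.com", "mail.airbnb.com"}  # hypothetical values
BRAND_DOMAIN = "airbnb.com"
# Wording typical of the GDPR lure described in the article.
URGENCY_TERMS = ("mandatory", "privacy policy", "data protection", "cannot", "until you")

def _is_under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def triage(raw_message):
    """Return a list of findings for a single-part RFC 5322 message."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    findings = []
    if sender_domain not in TRUSTED_SENDER_DOMAINS:
        findings.append(f"sender domain not on allowlist: {sender_domain}")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if not _is_under(host, BRAND_DOMAIN):
            findings.append(f"link host outside brand domain: {host}")
    hits = [t for t in URGENCY_TERMS if t in body.lower()]
    if len(hits) >= 2:
        findings.append(f"compliance-themed urgency language: {hits}")
    return findings

# Constructed sample messages (reserved example/test domains, not real addresses).
PHISH = """From: Airbnb <noreply@airbnb-privacy-update.example>
To: host@example.net
Subject: Action required: accept the new privacy policy

This update is mandatory because of the new changes in the EU Digital
privacy legislation. You cannot interact with guests until you accept
the new privacy policy at http://airbnb.example-login.test/policy
"""
LEGIT = """From: Airbnb <automated@airbnb.com>
To: host@example.net
Subject: Your monthly hosting summary

Your summary is ready at https://www.airbnb.com/hosting/summary
"""
if __name__ == "__main__":
    print(triage(PHISH)); print(triage(LEGIT))
```

The allowlist check is deliberately exact-match on the sender domain, so lookalikes such as a hyphenated variant of the brand name are reported rather than accepted.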

Mark Nicholls, director of cyber security at RedScan, said the scammers’ incorporation of GDPR makes sense given the increased amount of awareness surrounding the Regulation before it comes into effect on 25 May. As quoted by ZDNet:

“The irony won’t be lost on anyone that cybercriminals are exploiting the arrival of new data protection regulations to steal people’s data. Scammers know that people are expecting exactly these kinds of emails this month and that they are required to take action, whether that’s clicking a link or divulging personal data. It’s a textbook phishing campaign in terms of opportunistic timing and having a believable call to action.”

Bad actors could send out more GDPR-themed spam on or around 25 May. Given that, it’s important that organizations protect themselves against phishing campaigns. Running phishing awareness and training simulations with their employees would be a good place to start.

At the same time, organizations should familiarize themselves with GDPR (if they haven’t already) and devise a strategy to achieve compliance with the Regulation. MetaCompliance can help organizations strengthen their data security measures.