by jmcgready 2628 days ago
Interesting that, according to the article, Airbnb doesn't do 2FA:

Airbnb could help by adding some type of robust multi-factor authentication, such as Security Keys — which would defeat these Airbnb phishing pages. According to twofactorauth.org, Airbnb currently does not support any type of multi-factor authentication that users can enable.

3 comments

They obviously should but it wouldn't really help here. Realistically if a scammer gets my Airbnb email and password they're probably not going to be able to do anything that won't expose themselves, and I'd expect to eventually get my money back from Airbnb if it was all on their platform.

The idea is really to get you making a payment on their fake website. They don't need you to log in at all; I imagine they use it to look for password re-use more than to log in to the victim's Airbnb itself. Skipping login is less suspicious, and when you've contacted them on Airbnb they have your name; they can put that into a query param (mine already did this, presumably for tracking) and show you logged in, addressing you by name.

If people don't realize they are on a different domain, have to sign up for a new account, and wire some random person money instead of going through the normal Airbnb process with their credit card on file, I doubt they'd use 2FA if it's not forced for everyone.

They don't make you sign up for a new account. If they ask you to log in it's to harvest email/password, but they're faking it's your Airbnb login - they'll just accept whatever you give, say you're logged in and let you give payment, if they even bother to ask you to log in.

How would multifactor solve this? It only solves mass password sprays.