There are concerns that agents across the country are at risk after agents in Scotland were targeted by scammers in an elaborate hoax involving fake listings on Zoopla.
Tenants have been put at risk of losing hundreds of pounds when they respond to the bogus adverts which appear to be listed on the portal by legitimate agents.
The ‘phishing’ scam aims to capture personal data and to obtain money from tenants putting down deposits.
The issue appears to involve the data feed to Zoopla by Lettingweb – which places property adverts across multiple sites including Primelocation and Trovit.
The scammers are believed to be targeting agents with fake emails purporting to come from Zoopla, in order to obtain their login details for Lettingweb, and then using those details to post fake properties, seemingly legitimately, onto the portals.
It is unclear how many agents have been affected but it is believed only a handful of fake properties were listed last weekend and that Lettingweb swiftly removed them once made aware of the issue.
It is not known how many members of the public may have lost money putting down deposits on rental properties that do not exist.
Lettingweb gave EYE this statement:
“After analysing our own logs we can confirm that no breach had occurred from our side and that the letting agent username and password was used to access the account and post properties legitimately through the platform.
“It is evident that online scammers are targeting letting agents with phishing emails posing as portals and other suppliers in an attempt to obtain their login details.
“While these can be highly convincing at first glance, we would urge our agent members to be vigilant and to check all email communications and links to ensure that they are genuine.
“If they are ever in any doubt about any communications we would ask them to report this directly to us or the relevant portal or supplier that the email claims to be from.”
Because the issue is of importance to all agents, we are printing the Incident Report generated by Lettingweb, as it shows the importance of good security practice and awareness.
Lettingweb – Incident Report – 10/08/2020
Over the weekend beginning the 31st of July 2020 an agent member’s login credentials were used to login to Lettingweb to post a number of fraudulent properties.
The properties posted included instructions for users that the only way to apply for the property was to contact a specific email address in the property description. Once tenants emailed that contact the party pretending to be the letting agent would progress the situation to extract a deposit.
The properties were removed immediately once we were made aware of this.
How have we responded to the issue
We analysed in detail the logs we hold at Lettingweb to confirm that a data breach had not occurred from our side. The agent’s username and password were used to access their account and post the properties legitimately through the platform.
How can we be sure we didn’t leak the passwords
All user credentials at Lettingweb are hashed using a security algorithm with vector initialisation. What this means in practice is that we don’t store passwords. When logging in, an agent’s hashed password is matched against the hashed value we have stored.
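The following is an added example, not code from Lettingweb’s report or platform, showing what “we don’t store passwords” means in practice: each account keeps only a random salt (the per-user random value the report refers to as vector initialisation) and a digest derived from the password with that salt, and a login attempt is checked by re-deriving the digest and comparing it in constant time. The choice of PBKDF2-HMAC-SHA256, the iteration count, and the usernames and passwords are assumptions made for this example, and the last function demonstrates why the salt matters: two accounts with the same password end up with different digests.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed parameters for this example: PBKDF2-HMAC-SHA256 with a 16-byte random
# salt per account. The real platform's algorithm and settings are not stated on the page.
ITERATIONS = 210_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a digest from the password; draw a fresh random salt if none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def register(store: dict, username: str, password: str) -> None:
    """Record only (salt, digest) for the user; the plaintext password is never kept."""
    store[username] = hash_password(password)


def login(store: dict, username: str, password: str) -> bool:
    """Check a login attempt against the stored salt and digest for that account."""
    record = store.get(username)
    if record is None:
        return False
    salt, digest = record
    return verify_password(password, salt, digest)


def same_password_different_digests(password: str) -> bool:
    """Why the salt matters: two accounts with the same password get different digests,
    so a leaked table cannot be cracked once and the result reused across accounts."""
    _, digest_a = hash_password(password)
    _, digest_b = hash_password(password)
    return digest_a != digest_b


if __name__ == "__main__":
    # Constructed account for the demonstration (hypothetical username and password).
    store = {}
    register(store, "agent@example-lettings.test", "correct horse battery staple")
    print(login(store, "agent@example-lettings.test", "correct horse battery staple"))  # True
    print(login(store, "agent@example-lettings.test", "wrong password"))               # False
    print(same_password_different_digests("correct horse battery staple"))            # True
```

Because the store holds only salts and digests, a copy of it does not reveal any password; an attacker who obtained it would still have to guess each password separately, which is why the report’s questions about password reuse and strength are the relevant ones.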
How did the malicious party get access to the credentials
We suspect a phishing scam or data breach from another platform being the root cause and we are asking any of the involved parties a series of questions.
1) Do you use the same password and email for other platforms?
2) How often do you change your password?
3) Are you using a secure password?
Beware of phishing scams
A typical route for a successful phishing scam would involve the following:
An email is received from someone pretending to be a legitimate source.
You click the link from that email which takes you to a site that looks legitimate (however taking a further look at the URL might flag warnings such as a slightly different website address).
You think you are logging into a legitimate website, but in fact, by logging into this false website, which looks identical, you are exposing your username and password.
They would then use the credentials to log in to a legitimate website.
A typical scenario could be used for the following:
The hacker would obtain the list of email addresses & passwords which are on the dark web from a previous data breach at another possibly less secure platform, think gyms/schools etc.
From this list they would be able to determine the emails were related to a property agent (usually the email address of property agents are obvious to that type of activity).
They would then attempt to login to property portals with these details hoping the user was using the same credentials (users may have the same password across a vast number of platforms).
How are we working to improve security
We take security of the platform at Lettingweb very seriously. Even with any potential breach of customer credentials occurring outwith the Lettingweb platform we are continuing to heighten security to be best in class and flag any potential malicious login attempts.
With phishing scams becoming more complex and common, we are taking further steps to provide additional layers of security for our members to protect them against such scams.
In the week beginning the 3rd of August we deployed the following additional security features to the platform:
1. Password Complexity – More strict password rules have been implemented
2. Password Expiry – Every password on Lettingweb will be required to be reset every 3 months
3. All credentials for the account involved have been reset
4. Two Factor Authentication – We track where a user logs into Lettingweb, specifically their IP address; if this changes, they will be notified and required to validate the login through their email account.
5. Enhanced Processing Criteria – All property descriptions are now being scanned for email addresses and phone numbers; these will automatically be stripped out of any property descriptions on the platform.
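As an added illustration of points 4 and 5, not Lettingweb’s own code, the example below shows both controls in working form: a description scanner that strips email addresses and phone numbers from listing text and reports what it removed (so the listing can also be flagged for review), and a login check that compares the address a user logs in from with the address of their last confirmed login and asks for email verification when it differs. The regular expressions, the `[contact details removed]` placeholder, the function names and the sample listing are all constructed for this example; the page does not describe how the platform implements either feature.

```python
import re
from typing import Dict, List, Tuple

# Constructed patterns, not Lettingweb's: an email address, and a phone-like run of
# ten or more digits that may be separated by spaces, hyphens, dots or brackets.
# "07700 900123" and "+44 131 555 0199" match; a rent figure such as "1200" does not.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d(?:[\s\-().]*\d){9,}")
PLACEHOLDER = "[contact details removed]"


def scrub_description(text: str) -> Tuple[str, List[str]]:
    """Return the description with contact details stripped, plus the list of what
    was removed, so a listing that carried any can be queued for a human look."""
    removed: List[str] = []

    def _replace(match: "re.Match") -> str:
        removed.append(match.group(0))
        return PLACEHOLDER

    cleaned = EMAIL_RE.sub(_replace, text)
    cleaned = PHONE_RE.sub(_replace, cleaned)
    return cleaned, removed


def assess_login(seen: Dict[str, str], username: str, ip: str) -> str:
    """Assumed policy modelled on point 4: 'ok' when the IP matches the user's last
    confirmed login address, 'verify_by_email' when it differs. The first login seen
    for a user is recorded and allowed, because there is nothing yet to compare."""
    previous = seen.get(username)
    if previous is None:
        seen[username] = ip
        return "ok"
    if previous == ip:
        return "ok"
    return "verify_by_email"


def confirm_login(seen: Dict[str, str], username: str, ip: str) -> None:
    """Record the new address once the user has completed the emailed verification."""
    seen[username] = ip


if __name__ == "__main__":
    # Constructed listing in the style the report describes (hypothetical contact details).
    listing = ("Bright 2 bed flat, £1200 pcm, available 1 September 2020. The only way to "
               "apply is to email lettings.team@example-mail.test or call 07700 900123.")
    cleaned, removed = scrub_description(listing)
    print(cleaned)
    print(removed)  # ['lettings.team@example-mail.test', '07700 900123']

    seen_ips: Dict[str, str] = {}
    print(assess_login(seen_ips, "agent1", "203.0.113.5"))   # ok (first login recorded)
    print(assess_login(seen_ips, "agent1", "198.51.100.9"))  # verify_by_email
    confirm_login(seen_ips, "agent1", "198.51.100.9")
    print(assess_login(seen_ips, "agent1", "198.51.100.9"))  # ok
```

The scanner is deliberately conservative about what counts as a phone number (ten or more digits, with only spaces, hyphens, dots or brackets between them) so that rents, dates and room counts in a normal description survive; anything it does remove is returned alongside the cleaned text rather than discarded silently, which is the signal a fraud check on the listing pipeline would want.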
What agents can do to help
Do not share your password.
Keep variety in your passwords, for example different passwords for different platforms / accounts.
Find out if your passwords have been stolen – tools like Google’s Password Checkup can show you which of your email addresses and passwords have been compromised in a data breach so you can take action.
Phishing scams have become more sophisticated. We ask that agents check all email communications and links to ensure that they are genuine. If they are ever in any doubt about any communications they receive from us, we ask that they please email email@example.com.