Tell me I'm not going mad

Post scam emails to warn other rental owners, or if you are not sure if an enquiry is genuine, put it up here and see what others think.
Ben McNevis
Posts: 846
Joined: Mon May 15, 2006 10:07 am
Location: Scotland (for) The Brave

Post by Ben McNevis »

Our internet connection failed in the middle of the day today, as did the neighbours'. So it's been a kind of stone-age day. By the time it came back this evening, there was a big bundle of incoming emails and I had a queue of things I needed to do online.

Among the emails were 2 enquiries for the small cottage. One looking quite normal (OwnersDirect) and the other, unusual (VRBO.COM). I know that I can get enquiries through VRBO so it didn't strike me as suspect and because of my rush to get the enquiries dealt with, yes, I clicked on the link in the email.

I'd already entered the email/password and hit Enter before looking at the address bar. Ooops - It looks like junk to me:
http: //account.owner.canyakma.com/homeaway/login?services=https%3A%2F%2Fwww.homeaway.com%2Fhaod%2Fauth%2Fsignin.html

Now, the weird bit: That took me to a 2-stage login page but it showed my mobile phone number so I immediately assumed that it was genuinely Homeaway and that I must have been imagining a dodgy-looking URL. So, seeing my mobile number there, I carried on. I duly got a 6-digit passcode by SMS and entered it. This took me to a homeaway page but not as a logged in user.

Now, apart from the indisputable fact that I've been stupid in my rush to get things done, there are things going on here that I don't understand.

I've changed my OD password straight away, so I don't think that I'm in imminent danger. But I would like to understand more about it.

The suspect enquiry had the subject line:
Inquiry from Colleen Goodman: Dec 12 through 19 - VRBO.com #5178632

and I later did a test enquiry on VRBO and got the subject line:
Enquiry from Test Testing: Nov 15 to 21 - OwnersDirect.co.uk #SC518

Thus confirming that the Colleen Goodman email is a spoof.

The only way I can explain what's going on is that the fake Homeaway login page grabs the login data through a script that then does an immediate attempt to log into the real Homeaway site. It then sends me back the page that Homeaway sends to it so that it can grab that passcode too!

Ouch!

Any other explanations apart from the one that I really am going mad?

Interestingly, if I re-try clicking the [Go to dashboard] link in that email, I again get the spoof Homeaway login page but this time it rejects any login attempt with the message: The username or password you entered is incorrect.
Cheers, Ben
www . scotland-cottage.com www . scottish-cottage.com


Visiting Glenrothes? It's one of your Fife-a-day
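
The address-bar check from the post above, as an added example (not part of the original thread, and not HomeAway's code): it classifies a link by the host that actually serves the page and treats a genuine address carried inside a parameter, as in the posted link, as a sign of impersonation. The trusted-domain list, the verdict names and the third sample link are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: the sites this owner really logs in to (named in the thread).
TRUSTED_DOMAINS = {"homeaway.com", "vrbo.com", "ownersdirect.co.uk"}
BRANDS = ("homeaway", "vrbo", "ownersdirect")

def host_is_trusted(host):
    """True only if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_link(url):
    """Classify a link copied from an enquiry e-mail: returns (verdict, reasons)."""
    url = "".join(url.split())          # rejoin links posted with a space in them
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host_is_trusted(host):
        if parts.scheme != "https":
            return "suspicious", ["trusted host but not https"]
        return "ok", []
    reasons = [f"host {host} is not under a trusted domain"]
    signals = []
    # A genuine address carried as a parameter value says nothing about
    # where the login form is actually served from.
    for key, value in parse_qsl(parts.query):
        if host_is_trusted(urlsplit(value).hostname):
            signals.append(f"trusted URL appears only inside parameter '{key}'")
    if any(b in host or b in parts.path.lower() for b in BRANDS):
        signals.append("brand name used in the host or path of an untrusted site")
    return ("phishing-likely" if signals else "untrusted"), reasons + signals

# The link from the post (kept as posted, with the space after "http:").
POSTED = ("http: //account.owner.canyakma.com/homeaway/login"
          "?services=https%3A%2F%2Fwww.homeaway.com%2Fhaod%2Fauth%2Fsignin.html")

if __name__ == "__main__":
    for link in (POSTED,
                 "https://www.homeaway.com/haod/auth/signin.html",
                 "https://www.homeaway.com.login.example/signin"):  # constructed
        verdict, why = check_link(link)
        print(verdict, "-", "; ".join(why) or "no findings")
```
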
kevsboredagain
Posts: 3207
Joined: Sat Jan 20, 2007 9:32 am
Location: France

Post by kevsboredagain »

The domain was canyakma.com, which is registered in Turkey, but probably the site owner may be unaware of the use of the site for this purpose.

You should report the domain and submit proof. By doing this, you help others.

Just guessing but I imagine they were after your login/password and then redirected you to the real homeaway page to continue the process.

I would hope you've learned your lesson and won't fall foul of such a trick again. Why would you then try to use the link again?
Zingara
Posts: 618
Joined: Tue Apr 09, 2013 8:36 am
Location: Antibes, PACA

Post by Zingara »

My 'lady' from VRBO today, asking for the same dates, was called Jessica Dowd... I should not receive any VRBO requests, so it went straight to spoof@homeaway.com
Ben McNevis
Posts: 846
Joined: Mon May 15, 2006 10:07 am
Location: Scotland (for) The Brave

Post by Ben McNevis »

Since this incident, I've been reading a bit about two-factor authentication. The articles about it confirm that it offers no defence against a Man In the Middle attack (which is what happens when a fake login script is simultaneously doing the login on the target site).

Implementing a two-factor authentication system just stands in the way of these attacks for a short time while the hackers adjust their scripts to collect and relay the second code.

I hadn't realised that before.
Cheers, Ben
www . scotland-cottage.com www . scottish-cottage.com


Visiting Glenrothes? It's one of your Fife-a-day
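
The point about relayed codes, as an added example (not part of the original thread, and not HomeAway's login code): a typed SMS code is checked on its digits alone, so the server accepts it whichever page it was typed into. For contrast it models a response computed over the site address the browser reports, using an HMAC as a stand-in for the signature that WebAuthn/FIDO2 security keys produce. The `Site` class, function names and key handling are hypothetical.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://www.homeaway.com"            # genuine site named in the thread
SEEN_ORIGIN = "http://account.owner.canyakma.com"   # host shown in the address bar

def sign(key, challenge, origin):
    """Authenticator side: the response covers the origin the browser reports."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()

class Site:
    """Hypothetical login server offering two kinds of second factor."""

    def __init__(self, device_key):
        self.device_key = device_key      # shared with the authenticator at enrolment
        self.pending_code = None
        self.pending_challenge = None

    def send_sms_code(self):
        self.pending_code = f"{secrets.randbelow(10**6):06d}"
        return self.pending_code          # delivered to the user's phone

    def verify_sms_code(self, code):
        # Only the digits are compared; nothing records where they were typed.
        return hmac.compare_digest(code, self.pending_code)

    def new_challenge(self):
        self.pending_challenge = secrets.token_bytes(16)
        return self.pending_challenge

    def verify_bound_response(self, response):
        # The server recomputes the response for its own origin only.
        expected = sign(self.device_key, self.pending_challenge, REAL_ORIGIN)
        return hmac.compare_digest(response, expected)

def login_outcomes(browser_origin):
    """Return (sms_accepted, bound_accepted) when the user completes the second
    step on browser_origin and the values reach the real site unchanged."""
    key = secrets.token_bytes(32)
    site = Site(key)
    code = site.send_sms_code()
    sms_ok = site.verify_sms_code(code)
    challenge = site.new_challenge()
    bound_ok = site.verify_bound_response(sign(key, challenge, browser_origin))
    return sms_ok, bound_ok

if __name__ == "__main__":
    print("on the real site:", login_outcomes(REAL_ORIGIN))
    print("on the lookalike:", login_outcomes(SEEN_ORIGIN))
```
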
Ben McNevis
Posts: 846
Joined: Mon May 15, 2006 10:07 am
Location: Scotland (for) The Brave

Post by Ben McNevis »

Just one more thought:

If the SMS message included:
"Does the authentication page show your property image? If not, do not complete the login."

it would be somewhat safer.
Cheers, Ben
www . scotland-cottage.com www . scottish-cottage.com


Visiting Glenrothes? It's one of your Fife-a-day
Sam V
Posts: 1707
Joined: Fri Nov 20, 2009 1:45 pm
Location: Villa in Gale, Algarve, Portugal. At home in Fetcham, Surrey, UK

Post by Sam V »

Goodman? This family are busy aren't they? See my scam enquiry post .... Michele Goodman.
TA lurkers walk among us; the LMH Walking Dead

Don't mess in the affairs of cats for they are subtle and will p on your computer.

www.algarvevillatrinity.co.uk
www.facebook.com/villatrinity
www.gardenerscottage.promotemyplace.com