They could, but there are a number of things that would make that ineffective:
- All modern browsers default to HTTPS, meaning to get to an HTTP site you have to specifically type in the http:// prefix, or be redirected to an http:// URL, and the browser bar will show that it is not a secure site.
- Companies that publish only HTTPS services can use HSTS (HTTP Strict Transport Security) to inform browsers that they only publish HTTPS sites, so even the above would not be effective (note that Velocity do not appear to publish HSTS headers, but Qantas seem to).
- If someone's using an app, which is going to be a significant proportion of accesses to these sites, they're not going to even have a choice: the app will just enforce HTTPS.
They could perhaps pair up a few techniques, like creating an SSID with the same name as the airport wifi or one that tricks people into thinking it is one, and adding a hotspot authentication page which then redirects users to an HTTP site which pretends to be VFF's login page to capture their login info, but:
- People who go to the HTTPS site or try to use their app while connected to the hotspot would see either a certificate error or would fail to connect, so it's hardly a long-term hack. It requires a specific flow of sending people to the HTTP spoofed site, and those people ignoring any security warnings and entering their credentials.
- This could easily be thwarted by VFF publishing HSTS headers, which would inform users' browsers not to even try connecting to anything hosted under velocityfrequentflyer.com via HTTP.
- They'd be better off just redirecting to an HTTPS site with a similar domain name and a mock-up of the real Velocity site, and capturing login details that way. Just your standard phishing attack, which is probably how this happened anyway. Don't bother with physically being at the airport with a wifi hotspot; just send an official-looking email to people with a link to veloc1tyfrequentflyer.com and capture their logins from the comfort of your home.
Let's just say that all of the above did actually happen. Let me just make a point here about what that would actually mean. It would actually mean that:
- Someone has set up an AP or set of APs that are physically at the airport, that they control, that intercept DNS requests for Velocity and send them to a local webserver that can only provide HTTP and not HTTPS, and therefore will only work in very specific circumstances for people who happen to access very specific APs when an attacker's equipment is physically nearby.
- The AP would have to specifically redirect them to the fake Velocity site. What I am suggesting here is that every single person who connects would have to specifically and only be redirected to a Velocity login page. I can't see any other way that the owner of the wifi AP is going to convince people to go to this fake HTTP URL.
- The user would have to log in with their credentials.
- The fake site then has to either log in to Velocity on their behalf and show the actual real content, or error out afterwards, which, combined with all the other weird stuff they have just seen (like why did this wifi network send me to log into Velocity automatically?), is going to set off some alarm bells.
It's not the slickest operation.
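Since the post turns on whether a site publishes HSTS, here is an added example (not from the original post, and not the code of any site mentioned in it) of how a browser evaluates a Strict-Transport-Security header and then uses the stored policy to rewrite http:// URLs to https:// before it ever connects, which is what would defeat the redirect-to-HTTP step described above. The hostnames and headers in SAMPLES are constructed for the example.

```python
"""HSTS: parse the header and apply it to plain-HTTP URLs the way a browser does."""
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000

# Constructed sample responses, not real captures of any site.
SAMPLES = {"hsts.example": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
           "nohsts.example": {"Content-Type": "text/html"}}

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1); None if invalid."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age":
            if not raw.isdigit():        # non-numeric max-age: browsers drop the header
                return None
            policy["max_age"] = int(raw)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None   # max-age is mandatory

def assess(headers):
    """Report whether a response puts HSTS in force and what the policy is missing."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return {"hsts": False, "reason": "no Strict-Transport-Security header"}
    policy = parse_hsts(value)
    if policy is None:
        return {"hsts": False, "reason": "malformed header, browsers ignore it"}
    notes = [n for cond, n in ((policy["max_age"] < ONE_YEAR, "max-age below one year"),
                               (not policy["include_subdomains"], "subdomains not covered")) if cond]
    return {"hsts": policy["max_age"] > 0, "notes": notes, **policy}

def upgrade_url(known_hosts, url):
    """Rewrite http:// to https:// when the host, or a parent domain whose policy has
    includeSubDomains, has a stored HSTS policy; a browser does this before connecting."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    labels = (parts.hostname or "").split(".")
    for i in range(len(labels)):
        policy = known_hosts.get(".".join(labels[i:]))
        if policy and policy["max_age"] > 0 and (i == 0 or policy["include_subdomains"]):
            return urlunsplit(("https",) + tuple(parts[1:]))
    return url
```

Run assess() over a site's real response headers to see whether a browser would ever follow an http:// link to it; a missing or malformed header means the redirect in the post would be followed as-is.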