Fraud on Velocity Frequent Flyer accounts

Bit off topic, but just saw this linked from another news article... catching folk connecting to in-flight wifi.


I'd say this can be considered on-topic.
How this works is they take your browser's request to fetch `virginaustralia.com.au` (this is DNS spoofing) and instead serve you an identical-looking VA website clone and collect your credentials if you enter them there.

Best to rely on the apps rather than websites when connecting to an open, unknown network. Still not 100% safe, but you're less likely to fall victim to this kind of credential harvesting.
 
Fortunately these days, even the most poverty pack cheapest PAYG pre-paid phone plans include more data than anyone not addicted to Facebook can ever use, so the incentive to go through all the sign-up/agree to terms & conditions cough to connect to free wi-fi is slowly going away. Last time I was in an airport I found the constant pop-ups telling me there was free wi-fi available so annoying and disruptive to typing the message I wanted to send on my phone that I just killed its ability to search for them.

The people who will fall victim are Grandpa & Grandma wanting to play jigsaw puzzles and solitaire on their non-SIM-card-equipped tablets in the business class lounge.
 
> How this works is they take your browser's request to fetch `virginaustralia.com.au` (this is DNS spoofing) and instead serve you an identical-looking VA website clone and collect your credentials if you enter them there.

Not quite; if you have a look at the article it explains what the attacker was doing.

The problem with what you're describing is that without an SSL certificate for virginaustralia.com.au, you'd get a certificate warning within the user's browser. VA publish HSTS headers for virginaustralia.com.au, so you would not be able to pull this off, as HSTS requires an HTTPS connection with a valid certificate or browsers would not display the content at all.


What the attacker was doing was to redirect to a captive portal authentication page which harvested user credentials:

> The AFP said when people tried to connect their devices to the free networks, they were taken to a fake website which required them to log in using their email or social media accounts.

This would work because you're in control of the redirect through a DHCP parameter, although it would be clear to at least some users that it makes no sense for them to be redirected to the website that they were directed to when connecting to that particular hotspot. The genius part (also dumb) is doing it in-flight: you could redirect users to a mock-up VA site, for example, whereas if you spoof an airport's wifi it would not make sense to redirect all travellers to one particular airline's loyalty login page. The dumb part is that I'm pretty sure it will end up being used against him, e.g. tampering with flight-related systems or similar.

There would still be a number of protections in place within modern browsers to avoid getting stung like this; for example, for those who save their credentials within their browser, it would not have autofilled usernames and passwords without additional confirmation from users, because the domain would not match the site that the credentials were saved for. It's basically designed to harvest credentials from those who memorise their credentials and happily type them into a site without checking the URL, vs those who use password manager features within browsers.
 
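As an added illustration of the two points made in the post above (example code written for this thread, not anything from VA or the article): a small Python model of the browser's HSTS decision and of the password manager's origin match. The HSTS cache entry (assuming VA's policy covers subdomains) and the portal hostname `portal.example.test` are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HstsEntry:
    """One entry in a browser's HSTS cache (host plus includeSubDomains flag)."""
    host: str
    include_subdomains: bool


def parse_hsts(header: str) -> tuple[int, bool]:
    """Return (max_age, includeSubDomains) from a Strict-Transport-Security header."""
    max_age, include_sub = 0, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def hsts_applies(cache: list[HstsEntry], host: str) -> bool:
    """True if a cached HSTS policy covers this host (exact match or covered subdomain)."""
    return any(host == e.host or (e.include_subdomains and host.endswith("." + e.host))
               for e in cache)


def page_outcome(cache: list[HstsEntry], url: str, cert_trusted: bool) -> str:
    """Model the browser: 'blocked' (no bypass), 'warning' (bypassable) or 'renders'."""
    p = urlsplit(url)
    if hsts_applies(cache, p.hostname):
        # HSTS host: plain HTTP is upgraded, and a bad cert is a hard, non-bypassable error.
        return "renders" if p.scheme == "https" and cert_trusted else "blocked"
    if p.scheme == "https" and not cert_trusted:
        return "warning"          # interstitial the user can still click through
    return "renders"              # plain HTTP on a non-HSTS host (a captive portal) just renders


def will_autofill(saved_origin: str, page_url: str) -> bool:
    """Password managers key credentials by origin; a different host gets no autofill."""
    s, p = urlsplit(saved_origin), urlsplit(page_url)
    return (s.scheme, s.hostname, s.port) == (p.scheme, p.hostname, p.port)


# Constructed cache entry: assumes VA's policy covers subdomains (not stated in the thread).
HSTS_CACHE = [HstsEntry("virginaustralia.com.au", True)]
```

The spoofed-DNS clone of the real domain comes out "blocked" whether it is served over HTTP or with an untrusted certificate, while a portal on an unrelated host renders freely; what still protects the user there is the origin check in `will_autofill`.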
> although it would be clear to at least some users that it makes no sense for them to be redirected to the website that they were directed to

I'd say it's still too hard for the average Joe to identify. It's all well and good that the crew and the instruction manual in the seat pocket tell you to go to a particular website, but if you get taken somewhere by a captive portal it's hard to tell whether it's the right one used by that particular airline.

For example, VA redirects you to boardconnect.aero (entertainment) / inflightinternet.com (Intelsat WiFi), neither of which has anything to do with virginaustralia.com.

There are many more out there for the various providers' / airlines' own portals. If you are an average Joe traveller who booked a flight via a TA, do you even recognise the airline's domain name, let alone check that the particular portal has a valid SSL certificate?
 

> There are many more out there for the various providers' / airlines' own portals.

I agree with you, but only in the context of inflight wifi. That and perhaps a lounge are the only two times that you could feasibly connect to wifi, get taken to a captive portal and type in your Velocity credentials (and even then, there should be pause for thought given the browser won't autofill them for you due to a different domain).

But if you connect to Melbourne airport wifi and get taken to a Velocity login page, is that going to make any sense? Again, it is very context specific... People are going to ask the obvious question: does it make sense for me to connect to a public hotspot and get asked for my bank login details?

It has to be within the realm of believability, and that's to get the unsophisticated people. This guy got caught because his ruse was not believable enough, despite spoofing VA's in-flight wifi, with a captive audience and a reasonable explanation for why you would be asking for credentials.

To show how context matters: imagine if you tried the same trick on QF. I don't think it would take long before questions would be raised about why any credentials were being asked for at all.
 
The article didn't mention VA; it just said "domestic airline"... That's why when I posted the link to the article I said it was a bit off topic (as it may not relate to this VFF thread specifically).

It says this guy did his 'evil twin WiFi' scam in various airports, on flights and in locations connected to his workplace. He would probably have been spoofing a variety of login pages.
 