Google+ Hacked: Local Hotel Listings Hijacked

January 15, 2014 | By Kevin Judge

SSL Certificate

There are two things I‘ve learned for sure from studying internet security issues: Anyone can be hacked and hackers always have something new up their devious sleeves. The news that Google+ has been breached is a case in point.

Yesterday, the blog site searchengine.com reported that URLs for hotels in Google+ local hospitality listings had been hacked and were being redirected to a hotel booking site instead of going to the site for the local hotel.

Originally, the redirect was for “hotelstobook.info” or “hotelstobook.net”. As of Tuesday night, according to ComputerWorld, they were being redirected again to a booking site named hotelwiz.com. The site’s “Terms & Conditions” page states that the site is part of ian.com. However, when you go to ian.com it redirects to a page for the Expedia Affiliate Program. Apparently, spammers are using membership in an otherwise legitimate affiliate program to create revenue generating sites while masking their true identities.

This afternoon, I recreated Google+ searches described in the searchengine.com article to see if Google had fixed the issue. While the names hotelstobook.info and hotelstobook.net still appear in the search result description portion, the actual redirects were removed from the pages I checked. I also checked out the hotelswiz.com site, which is still up and running. Computerworld is correct about the reference to ian.com and that it redirects to a page for Expedia affiliates.

A clue that something might be wrong with hotelswiz.com is that its reservation entry page uses a domain validated SSL Certificate without ownership information, instead of an Enhanced Verification (EV SSL) certificate. This means the issuer did not do any verification of the identity of the requestor when issuing the certificate. They simply checked that they requestor owned the domain name. Domain Validated certificates have their uses, but not for e-Commerce.

I wouldn’t enter any personal information on a site like that, even if I DIDN’T know about the nefarious way they drove traffic to the site. They simply can’t be trusted.

Here we have two legitimate companies being used by hackers to line their pockets. They could try marketing their site the way everyone else does, but no, they prefer shortcuts that undermine the integrity of online commerce.  It is getting to the point that you need to double check the URL and SSL Certificate of every site you visit to see if something is amiss.

 

Be Sociable, Share!

    Add new comment

    Your name
    Comment

    You may use these HTML tags and attributes: <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>