 Poster: A snowHead
|
I have just been speaking to an accommodation owner from a chalet advertised with Owners Direct.
I rang her because I had a chain of email correspondance relating to a possible booking which was not making sense.
It went like this:
Me via Owners Direct web enquiry form - hello is your chalet available for date ...for ... people?
Reply to my email address from her business email address - yes thanks for your enquiry, we do have availability and the price will be ...
My reply to that: thank you for that, can I just check that we will have sole occupancy?
Reply to me (this is where I smelt a rat) - thank you for your enquiry, I am sorry we are fully booked for the period requested, may I suggest you try these other companies etc
My reply: I'm sorry I don't understand, you have just offered me a chalet for my dates and given me a price, now you're saying it's unavailable and your reply is as if you have never had this conversation with me??
Reply back to me: Sorry about that, you should not have received that last email, yes we do still have availability for you and the offer still stands (but no answer to my query about sole occupancy)
So, I ring the owner. She has no idea about any of this. She sent me the middle email 'sorry we're full'. Her chalet has been fully booked for weeks and so she would never have been able to offer it to me. She suspects she has been hacked.
The OH has just told me it was in the papers on Sunday.
Please be careful. Please ring up and confirm your bookings.
Title edited.
Last edited by Poster: A snowHead on Wed 25-09-13 17:10; edited 1 time in total
|
|
|
|
|
|
Obviously A snowHead isn't a real person
Obviously A snowHead isn't a real person
|
|
Just to add to this, I forwarded the chain of correspondance to the owner's personal email address at her request after the call and received a suspicious reply to that, so it appears the hacker has hacked the Owners Direct account, business and personal emails.
|
|
|
|
|
|
Well, the person's real but it's just a made up name, see?
Well, the person's real but it's just a made up name, see?
|
sarah, but that does now mean that the hacker knows you're onto them, so you've done the owner a favour 
|
|
|
|
|
|
You need to Login to know who's really who.
You need to Login to know who's really who.
|
|
I suppose one moral of this story is to use the telephone wherever possible - this kind of thing is just getting too easy for people to do.
|
|
|
|
|
|
Anyway, snowHeads is much more fun if you do.
Anyway, snowHeads is much more fun if you do.
|
|
Montana, yes I guess the hacker will know we're on to them, but to be honest from the clumsy chain of correspondance they are not all that bright. The owner is pleased because she did not know. The hacker appears to be going into her Owners Direct account and removing enquiries before she sees them and replying to them, and also has been adjusting her availability calendar possibly to attract more enquiries.
|
|
|
|
|
|
You'll need to Register first of course.
You'll need to Register first of course.
|
|
pam w, yes absolutely, though I will confess I have booked several times in the past without having spoken to the owner. Not from now on though.
|
|
|
|
|
|
|
|
It's probably/possibly worth stating that the hacking in question is nothing more sophisticated than guessing, or more likely phishing, for account details.
I investigated a reasonable number of hacked email accounts in previous role and in every case it was as the user had provided their account details to someone who had asked via email.
So just be careful what you reply to as some phishing emails do look genuine, but anyone asking for username and password is unlikely to be genuine.
|
|
|
|
|
|
|
|
Ditto this warning.
A friend lost 9000 Euros during the summer using Owners Direct. As a hot shot lawyer type, she is now deeply embarrassed as well as being light in the pockets.
|
|
|
|
|
|
You'll get to see more forums and be part of the best ski club on the net.
You'll get to see more forums and be part of the best ski club on the net.
|
|
I wonder if Owners Direct has actually been hacked, or has the property owner just had an easily crackable or guessable password?
|
|
|
|
|
|
|
|
| feef wrote: |
| I wonder if Owners Direct has actually been hacked, or has the property owner just had an easily crackable or guessable password? |
I don't know but the suspicious person has been manipulating this owner's Owners Direct account and has been impersonating her via two email addresses now. Owners Direct have been informed by the owner and I have received an 'urgent notice' email from them urging to me to take steps to book my holiday securely. I rang their 'Trust and Security' dept but they are not interested in receiving the chain of emails 
|
|
|
|
|
|
snowHeads are a friendly bunch.
snowHeads are a friendly bunch.
|
|
There are a few more articles like this http://www.guardian.co.uk/money/2013/apr/27/booking-cottage-summer-holiday-let and I guess the key is to know with whom you are dealing with and to ensure everything ties-up (my suggestion would be to ask a few questions about the resort and if they can't answer any I would be wary). All that said there are plenty of decent owners who advertise on those websites so it's probably just bad luck if you don't get what you paid for.
|
|
|
|
|
|
And love to help out and answer questions and of course, read each other's snow reports.
And love to help out and answer questions and of course, read each other's snow reports.
|
XPeak, absolutely  and I have in the past booked very successfully, perhaps that experience is what caused me to have doubts with this enquiry. At points in the chain of correspondance though it was quite convincing and so for someone making a first booking in this way the outcome may have been quite different.
|
|
|
|
|
|
|
|
| sarah wrote: |
| feef wrote: |
| I wonder if Owners Direct has actually been hacked, or has the property owner just had an easily crackable or guessable password? |
I don't know but the suspicious person has been manipulating this owner's Owners Direct account and has been impersonating her via two email addresses now. Owners Direct have been informed by the owner and I have received an 'urgent notice' email from them urging to me to take steps to book my holiday securely. I rang their 'Trust and Security' dept but they are not interested in receiving the chain of emails |
\
But the accuracy of the statement has huge implications for both Owners Direct and potential customers.
One is suggesting that their systems have been compromised and they not a secure place to do business with, neither as a property owner not a client.
The other is bad practice on the part of property owners who are not using secure passwords or are sucummbing to social engineering tactics to give up their passwords.
|
|
|
|
|
|
You know it makes sense.
|
It's unlikely a case of insecure passwords on the part of the owners, more likely a case of their being fooled by phishing scams.
Here's how it works...
- Phisher sends an enquiry with words to the effect of "Further to our confirmed booking, please see attached booking contract" or similar.
- attachment is a link to a fake gmail/hotmail website with login request. Owner thinks they've been logged out of their webmail and without thinking, fills in account and password fields
- Phishing site now has owner's email login and uses it to hack other accounts such OD.
Sure, it's bad practice on the owner's part, but it's easily done and could happen to anyone who lets their guard down for a second.
|
|
|
|
|
|
Otherwise you'll just go on seeing the one name:
Otherwise you'll just go on seeing the one name:
|
| Quote: |
could happen to anyone who lets their guard down for a second
|
Yep - apologies if it is teaching grandma to suck eggs but:
‘Phishing’ emails are also used to try and obtain other personal information, for example bank account details, they can be easily spotted as they will:
1. Contain no personal information about you
Usually they will start with “Dear Customer” or similar, rather than addressing you by name. Many companies have now started to include other unique information, such as your postcode or last few digits of your account, so that you can be sure an email is genuine.
Unusual, or incorrect, spellings and grammar
SPAM may often be written in another language and translated into many other languages, resulting in unusual literal translations. For example – “Hello My Friend! I hope you can this message without effort - and I will hope very much that I have executed all truly and you can read my message which I direct to you for the purpose of our personal acquaintance.”
SPAM emails are also likely to contain a selection of phrases designed to scare individuals into taking action, without really thinking. For example “Act Now to avoid account termination”.
2. It’s too good to be true
If it sounds too good to be true, it almost certainly isn’t true.
“Can you help me move money out of...........”
“You’ve won first prize/the lottery etc.............”
“You’ve been named in the will of.....”
These are all recognised and long established scams.
http://www.bbc.co.uk/blogs/watchdog/2008/10/the_419.html
3. Unusual Web Link - Check Carefully!
While the link you see in the email may well be as expected but when you hover over the link your browser will show what the link actually is.
URLs can also just be an IP address (set of numbers) rather than a standard link. Alternatively the link contains no reference to the company you would expect. A note of caution that increasingly spammers are using links which are similar to genuine links, which on first glance could be missed e.g. faceebook.com
4. Ask for personal details
Any reputable company or financial institution will:
•NEVER send you emails asking you to confirm or change your details.
•NEVER advise you by email or text message that your account will be suspended if you do not follow the message instructions.
•NEVER send you an email or text message containing a link to a log in page.
|
|
|
|
|
|
Poster: A snowHead
|
What I think happened in this case was probably that the property owner received a phishing email which probably looked convincingly like it was from Owners Direct and so she responded. The phisher then used that information to gain control of her Owners Direct account including access to personal details and email addresses etc. Then guessed at her email account passwords from the knowledge he now has from the account passwords. So uses her email account impersonating her to receive and send fraudulent emails to me offering me the property. So it is a case of attempted fraud as far as I see it.
I've edited the title to remove the word hacking just for clarity as it's not that Owner's Direct has been hacked but that advertisers on there may have been as in this case.
|
|
|
|
|
|
Obviously A snowHead isn't a real person
Obviously A snowHead isn't a real person
|
| Quote: |
| A friend lost 9000 Euros during the summer using Owners Direct |
€9,000  !! - Er, what sort of self-catering place were they booking (or not booking) for that sort of dosh? Sounds like it was for a couiple of seasons!
|
|
|
|
|
|
Well, the person's real but it's just a made up name, see?
Well, the person's real but it's just a made up name, see?
|
|
mountainaddict, Easy to spend that much for a week in French school hols for instance, for example les servages d' armelle which is the best hotel / chalet in les carroz, to rent their 2 bedroomed chalet for 4 persons (160m2) is euro 9520 for 22nd feb week ...euro 1360 a night! http://www.servages.com/uk/index.php
|
|
|
|
|
|
You need to Login to know who's really who.
You need to Login to know who's really who.
|
|
sarah, the phishing attempts often take you to a page that looks like your webmail account rather than to Owners Direct or similar. You log in to your email, so then they have your email details, and can respond to enquiries from there which is why you received replies from both real and scam owner.
|
|
|
|
|
|
Anyway, snowHeads is much more fun if you do.
Anyway, snowHeads is much more fun if you do.
|
mountainaddict, think the poster said that was for the summer, so maybe a large villa (sleeping 3 or 4 families) with pool in a popular resort on the Med for two weeks, it's very possible.
Hells Bells, thanks, yes I can see that. In this case though the scammer was able to log in to the Owners Direct account not just the email accounts. It's not clear how that had occurred. The owner telephoned me again last night to check that all bogus correspondance had ceased (which it had), she was disappointed with Owners Direct's response to her case and she had been in touch with the fraud unit at the Met police who she said were more interested and helpful.
Hopefully anyone making a booking via these type of listings sites will verify that the person they think they are corresponding with is actually that person and not a scammer, and that owners using the sites are aware of these scams and phishing attempts and do all they can to protect their accounts.
|
|
|
|
|
|
You'll need to Register first of course.
You'll need to Register first of course.
|
|
|
|
|
|
| Quote: |
Hells Bells, thanks, yes I can see that. In this case though the scammer was able to log in to the Owners Direct account not just the email accounts.
|
the problem there is that people often use the same password to access different online services. So if they had obtained the password to one site, it's distinctly possible to access other sites that the person uses.
|
|
|
|
|
|
|
|
And let's be honest what chance do you have of getting response from an owner?
Usually a week later, with sorry it's actually booked that week.
|
|
|
|
|
|
You'll get to see more forums and be part of the best ski club on the net.
You'll get to see more forums and be part of the best ski club on the net.
|
|
|
|
|
|
Filthyphil30k, we try and respond within the hour.
It's the usual thing - before you pass over money, check out the seller. We are, for instance, a registered company in France, which you can check, with a TVA number, which you can check, registered with the Tourist Office and Mairie, which you can, etc., etc.
|
|
|
|
|
|
snowHeads are a friendly bunch.
snowHeads are a friendly bunch.
|
under a new name, I realise most do , I had a frustrating week last December trying to book a 3 bed apartment and getting hold of owners in 3 apartments was very hard, and all had not up dated the availability, they were all using the apartments themselves , which is fair enough , but why not block out those weeks? Especially if its you who is going and not a client who us slow paying a deposit?
I emailed two owners yesterday, no response. Not that I was expecting any, so I will book up with the same apartment as last year although I fancied a change.
|
|
|
|
|
|
And love to help out and answer questions and of course, read each other's snow reports.
And love to help out and answer questions and of course, read each other's snow reports.
|
|
Filthyphil30k, the other thing is that at this time of year a lot of owners/managers are on holiday as it's between seasons.
|
|
|
|
|
|
|
|
Shimmy Alcott, just seen your post, yes I saw that too 
|
|
|
|
|
|
You know it makes sense.
|
| XPeak wrote: |
| There are a few more articles like this http://www.guardian.co.uk/money/2013/apr/27/booking-cottage-summer-holiday-let and I guess the key is to know with whom you are dealing with and to ensure everything ties-up (my suggestion would be to ask a few questions about the resort and if they can't answer any I would be wary). All that said there are plenty of decent owners who advertise on those websites so it's probably just bad luck if you don't get what you paid for. |
Good article, thanks for posting that link.
|
|
|
|
|
|
Otherwise you'll just go on seeing the one name:
Otherwise you'll just go on seeing the one name:
|
| sarah wrote: |
| Filthyphil30k, the other thing is that at this time of year a lot of owners/managers are on holiday as it's between seasons. |
Yes that could be true, but my two yesterday were both English with holiday homes in France, not managers.
Anyway , called Groupe Sainted-Andre, spoke to a helpful French girl who has put my apartment in option until Monday, very simple if a bit pricey.
|
|
|
|
|
|
Poster: A snowHead
|
|
I respond to all enquiries within 24 hours maximum, usually much quicker, even when I am out searching for my lost dog this week, I have answered all emails.
|
|
|
|
|
|
Obviously A snowHead isn't a real person
Obviously A snowHead isn't a real person
|
|
sarah, that is the easy bit, no hacking required. they will be able to reset the owners password for Owners Direct if they have the email address.
|
|
|
|
|
|
Well, the person's real but it's just a made up name, see?
Well, the person's real but it's just a made up name, see?
|
|
Hells Bells, your place looks nice, and your photos are much better than Almost any others I have looked at.
|
|
|
|
|
|
You need to Login to know who's really who.
You need to Login to know who's really who.
|
|
Filthyphil30k, thank you.
|
|
|
|
|
|
Anyway, snowHeads is much more fun if you do.
Anyway, snowHeads is much more fun if you do.
|
|
Hells Bells, it's very worrying really.
|
|
|
|
|
|
You'll need to Register first of course.
You'll need to Register first of course.
|
|
Filthyphil30k, glad you are sorted. I am just waiting for booking/payment details from mine now.
|
|
|
|
|
|
|
|
| sarah wrote: |
| Hells Bells, it's very worrying really. |
No, it is actually still quite rare, and it is basic common sense not to click on strange links in emails.
|
|
|
|
|
|
|
|
|
Hells Bells, worrying from my point of view, I should have said, as a client as I was not the one to have clicked on any strange links and yet I would have been the one to lose money to a scammer with no recourse.
|
|
|
|
|
|
You'll get to see more forums and be part of the best ski club on the net.
You'll get to see more forums and be part of the best ski club on the net.
|
|
sarah, at what point would you actually have transferred any money? I am concerned as an apartment landlord that I need to do something else, other than manage the security of my own business, to ensure that potential clients are suitably assured of my bona fides.
|
|
|
|
|
|
|
|
|
under a new name, well based on my previous chalet bookings my normal procedure would be to make an availability enquiry by email or via an online form, then if the property is available I would probably ask a couple of questions about the property, then if all is acceptable I would say I'd like to book, they would let me know the bank details and I would make the transfer. So maybe there would be 3 emails each way. I have booked 7 properties in this way, probably only actually speaking to the owner on the phone on 2 or 3 occasions and then I'm not sure that I spoke to them before or after payment. All have been through websites such as Chalets Direct or Owners Direct. I've always done a fair bit of research to be sure the chalet I think I'm booking actually exists as I was aware of the bogus property scam. I've never been aware of this kind of scam until now.
|
|
|
|
|
|
|
|
FAQ
