I have found links to an obvious bait website. Link to PHISHING website. However, I was very surprised to see the domain is "holidayinn.com". On first sight this appears to be a genuine subdomain. How is this possible?

EDIT: An extra link. I do not believe this is an accident. This leads to "genuine" signup scams.

  • It's possible that the domain might have been compromised through [sub-domain takeover](https://developer.mozilla.org/en-US/docs/Web/Security/Subdomain_takeovers). However, since I don't see any login pages or anything asking for any sort of information (which one would expect if this domain was being used for phishing), I think it's more likely that this subdomain is currently under development. The devs probably imported a template which they will modify to create their own site, but haven't done so yet and accidentally left the subdomain open to the public. – nobody Jan 04 '21 at 20:22
  • @nobody +1, you should make this an answer. – mti2935 Jan 04 '21 at 20:35
  • Hmmm... this is puzzling. One would expect anyone trying to make a scam look believable to use the compromised domain to carry out the entire scam, and yet, the link simply leads to another site. I'll see if I can make any sense out of this. In any case, the site is vulnerable somehow, and the scammers are taking advantage of it. – nobody Jan 04 '21 at 21:10
  • It looks like this subdomain was once used by Holiday Inn to host a legitimate site. See this archive.org link for what the site looked like back in March 2017: https://web.archive.org/web/20170317001212/http://restandrun.holidayinn.com/ I think @nobody's theory that subdomain takeover could be at play here is the most plausible explanation for this. I've sent an email to the technical contact on the whois record for holidayinn.com, alerting them of this, and referencing this post on security.stackexchange.com. – mti2935 Jan 04 '21 at 21:25
  • @mti2935 The domain has been taken down. Did they by any chance inform you of what had happened? – nobody Jan 07 '21 at 09:23
  • @nobody No, I never received a reply from them. – mti2935 Jan 07 '21 at 11:58

0 Answers