Latest Scam - Fake permission from a vendor reset

[Navy1 Coba]

here stolls in a noobie, just 0 days, looking for help. I have a small mall attached to my club with affiliate vendors. He says he cannot buy an item and asks me to reset the board. I reset it and naturally, the yellow drop down "grant permission" comes up and I have done hundreds of times when resetting or rezzing vendors, I click yes, and wow, here comes the "you have paid" notices, along with "insuffient funds" notice as he cleans my account of 12k in lindens.

I opened an abuse ticket with LL and filed a support ticket and am calling them when they open. Removed credit cards until they give the all clear.

Just beware, its the latest scam going around, so dont reset or reload any vendor because someone is having trouble buying an item. Its not worth the small sale to get cleaned out.

[Deja Letov]

Was it not a vendor you set out and knew who the vendor was? Or are you saying that it changed over night? I kinda feel like we're missing something in the way this vendor was obtained.

[Navy1 Coba]

an update:

Linden Labs fraud division has stopped or caught the person, his account has been canceled and my 12k returned. GREAT work and quick to respond on their part. I spoke with them on the phone and my account is now secure and fixed. His account is canceled, but alas he/she will return another time, another place, another name.

Seems they rez and invisible prim then copy the name of the item they want to clone such as a clothing vendor, game or tip jar. Then they ask you to reset or reload it so they can buy something " I want that outfit more can not buy what makes you talked removed from the wall and back" . When you reload or reset, they activate their invisible prim which causes the yellow drop down "grant permission" showing the same name, etc, and thinking its your item, you click yes. Then their script starts asking your account for money 100k, 10k, 1k, 100L and 10L asking for less as it gets insufficient funds notice until they clean out your balance.

Just beware if anyone wants you to reset or reload anything that has your permission to take money such as a affiliate vendor, game or tip jar, etc. The small sale is not worth losing your balance. And if you do have a problem, file an abuse report and a support ticket. Linden Labs has my vote on prompt service.

[Navy1 Coba]

---

Deja Letov wrote:

Was it not a vendor you set out and knew who the vendor was? Or are you saying that it changed over night? I kinda feel like we're missing something in the way this vendor was obtained.

---

they explained what was done, they create an invisible prim and copy the name of the vendor, so when the Yellow "grant permission" appears, it clones the one you own except the script inside pays them instead.

[Czari Zenovka]

I've heard of this invisible prim in front of vendors before - some years back.  Seems old things cycle around periodically.  This one is easy to miss as the OP states.  I've even heard of invisible prims place in front of a merchant's vendors so the sales money goes to the scammer.

What I'm wondering is how these people manage to put an invisible prim on someone else's land, unless of course create objects.  I would think run script for others would need to be on as well, but having very little scripting info, would like to hear from someone more experienced how this could be done.

Also, would turning on see transparancey (CTRL+ALT+T) show the invisprim?

[Madeliefste Oh]

Hmmz, I have seen this technique of ripping before. It was in the days the before LL bought Xstreet. There was no way to put money on your Xstreet account or getting it out of your Xstreet account unless you used a terminal.

It happened several times that invisible prims were place in front of an Xstreet terminal. The rippers did not only copy the exact text of the Xstreet terminal, but also made accounts that looked very much like the one of the terminal owner. I don't remember that name anymore, but let's say it was 'SLexchange Bigwing'. Then these invisible prims were place by accounts that had names like for example SLexchange Bigwings, SLexchange Bigvving (2x v in stead of w) or SLexchance Bigwing.

[Darren Scorpio]

If the invisible prim is owned by the scammer (logically if he/her has rezed it), then I don't see why the "victim" would be able to A) reset the scripts on the object, or B) The permissions dialog would be received by the object's owner (the scammer) not the the victim. Am I missing something here? 

[Czari Zenovka]

---

Darren Scorpio wrote:

If the invisible prim is owned by the scammer (logically if he/her has rezed it), then I don't see why the "victim" would be able to A) reset the scripts on the object, or B) The permissions dialog would be received by the object's owner (the scammer) not the the victim. Am I missing something here? 

---

I may not have phrased that correctly.  I wasn't talking about the victim being able to change the scammer's item perms.

If the merchant/victim does not have rez objects and/or run scripts set to everyone, then the scammer could not rez/run the scripts from the item in the first place.  I was asking if this would be the best way to assure the scammer cannot use this in a given location.

I suppose if the scammer was part of the group that allowed group members to rez objects and/or run scripts, that could be one way the scammer gained access.

To use my own example, my shop is on group-owned mainland so one needs to in that group to be able to rez anything on my parcel.  The group members are the parcel owner and myself - plus a couple respective alts.  It is set to only allow group members to rez items/run scripts.

 

 

[Darren Scorpio]

*Laughs* Sorry Czari I did not mean to reply to your post. 

What I meant was that I just don't see how this scam can happen, at least the way the OP is explaining it. 

[Deja Letov]

Ya I'm a little confused to. I can't reset an object and have it ask me for permission unless I have permissions to edit that persons objects...in which case he would need to be on my friends list for him to mark me with that permission. Very weird.

[Darren Scorpio]

And even if you had that person's permissions to edit their objects, wouldn't that person be the one who gets the debit permission dialog? 

If the object is owned by the scammer then the only way I could see anyone losing lindens is if they selected to "Pay" the object for whatever reason. 

[Deja Letov]

That's what I thought too. I mean resetting a script doesn't send any "detectedkey" code to the object that I know of. They would have to touch it wouldn't they?

[Nicolette Lefevre]

Ok, a script can only send money from the owner of the script to someone. So whatever script did this it must have been owned by the original poster.

This does NOT look like there was an invisible prim put over the vendor. To me this looks much more like someone found a way to add a malicious script to the vendor.

To the original poster: You may want to check your vendor. Actually all of them. That script may still be in there. But if the author of the script was even halfway intelligent, then the script will have deleted itself after it was done sending the money.

I can think of only two ways this could be done. If the vendor has an update-function then that may have been used to inject a malicious script. Not by the creator of the vendor but by someone who managed to somehow get the PIN needed to allow this.

The other way would be to "give" the script to the vendor. In theory simply resetting scripts should not set the new script running. According to the documentation you will need to recompile the script or take the object into inventory and re-rez it.

[Artorius Constantine]

If i may interject.

it is simple enough to write a script that would allow anyone to reset itself or look that way with dialouge boxes.

A script can also act like other objects easily. false dialogue messages in it can say anything the scriptor wants.

Almost any object or sequence can be mimicked this way. The scammer just copies the name of the targeted vendor, places thier prim over it, and anyone that touches it will think they are resetting or buying from the actual vendor.

In fact they are just turning on a script that mimics the process then drains your account. That's also how LL catches them. They still actually own the script that takes the money. All I know is what happened to me.

That at least, was how it was done years ago on the SLX Terminals. To get a terminal on your land the normal procedure was to cut out a 16m section and set the build rights to open so the SLX group could rez the terminal. If the land owner forgot to turn the rez permissions off they got hit. Back then you'd often see piles of prims on the terminals as people figured out they could rez there.

 These prims could also be worn as an attachment and if the avatar stands right it would block the vendor. No rezzing needed.

Tricky scam and easy to get caught by. I should know lol They got me for a large deposit about 6 years ago. LL did make it right though. I will hand them that, they sometimes get the big stuff right! =)

[Navy1 Coba]

---

Czari Zenovka wrote:

I've heard of this invisible prim in front of vendors before - some years back.  Seems old things cycle around periodically.  This one is easy to miss as the OP states.  I've even heard of invisible prims place in front of a merchant's vendors so the sales money goes to the scammer.

What I'm wondering is how these people manage to put an invisible prim on someone else's land, unless of course create objects.  I would think run script for others would need to be on as well, but having very little scripting info, would like to hear from someone more experienced how this could be done.

Also, would turning on see transparancey (CTRL+ALT+T) show the invisprim?

---

The land was set to run scripts and build objects for members of the group. Joining the group was free. This was necessary to use some of the assets of the club. I have since taken the build rights away from group members.

 

[Navy1 Coba]

---

Darren Scorpio wrote:

If the invisible prim is owned by the scammer (logically if he/her has rezed it), then I don't see why the "victim" would be able to A) reset the scripts on the object, or B) The permissions dialog would be received by the object's owner (the scammer) not the the victim. Am I missing something here? 

---

Not sure how it worked, this is what I was told. All I know is when I reloaded my vendor board (normally a yellow drop down permission request appears) the yellow drop down "grant permissions" request was a clone of the "real" request which is usually delayed a few seconds. The "real" request appeared about 20 seconds later but by then the scammer had begun taking money from my balance.

 

[Innula Zenovka]

No, I remember the old SLX terminal scam, and that's different.   That was people paying money to what they thought was the SLX terminal, when, in fact, they were paying money to an invisible prim, belonging to a scammer, and thus to the scammer.

In this case, a script is removing funds from someone's account and transferring them to the scammer.   The script can only do this if it's in an object belonging to the victim of the fraud.    That's the way PERMISSION_DEBIT works.   The only person who can get the orange request dialogue box is the owner.

ETA .. @Navy1 I don't understand how you can "clone" the debit permissions dialog box.   I can change the way llDialog menus appear in my viewer, but not in anyone elses.   And even if you could, it would be pointless because you cannot grant debit permissions using llDialog.

[Darren Scorpio]

That's what I thought, that's why this doesn't make sense. There is something else here we are not being told. 

[Navy1 Coba]

---

Nicolette Lefevre wrote:

Ok, a script can only send money from the

owner of the script

to someone. So whatever script did this it must have been owned by the original poster.

This does

NOT

look like there was an invisible prim put over the vendor. To me this looks much more like someone found a way to add a malicious script to the vendor.

To the original poster: You may want to check your vendor. Actually all of them. That script may still be in there. But if the author of the script was even halfway intelligent, then the script will have deleted itself after it was done sending the money.

I can think of only two ways this could be done. If the vendor has an update-function then that may have been used to inject a malicious script. Not by the creator of the vendor but by someone who managed to somehow get the PIN needed to allow this.

The other way would be to "give" the script to the vendor. In theory simply resetting scripts should not set the new script running. According to the documentation you will need to recompile the script or take the object into inventory and re-rez it.

---

Thanks for the info. I took the affiliate vendor and deleted it, then went to their original package and rezzed a new one for the wall. I also contacted that vendor to inform them.

LL's fraud division seemed aware of the scam since it has been used before. They were very quick to close the offenders account and then actually delete it. Granted I did provide them with transaction entries in my account and chat log. Since I have several affiliate vendors in my mall, I contacted them as well. Once of the larger producers was aware of this scam and gave me several tips on how to prevent it in the future.

The entire event wasn't pretty watching my current balance shrink in a few seconds with about 15 blue popups saying I had paid the scammer and intertwined with insufficient fund warnings as he attempted (or his script did) various amounts.

The entire event caught me offguard (hence the post) since I was simply trying to reset (re-rez) the affiliate vendor so he would be able to buy the product.

For those that are unaware of what an affiliate vendor is: a company (owner) makes a product and offers to place a sales board (affiliate vendor) in your shop/store to sell his products. In exchange for placing it there, the owner splits the profits from sales with the land/mall/shop owner.

 

[Navy1 Coba]

---

Innula Zenovka wrote:

No, I remember the old SLX terminal scam, and that's different.   That was people paying money to what they thought was the SLX terminal, when, in fact, they were paying money to an invisible prim, belonging to a scammer, and thus to the scammer.

In this case, a script is removing funds from someone's account and transferring them to the scammer.   The script can only do this if it's in an object belonging to the victim of the fraud.    That's the way

PERMISSION_DEBIT

works.   The only person who can get the orange request dialogue box is the owner.

ETA .. @Navy1 I don't understand how you can "clone" the debit permissions dialog box.   I can change the way llDialog menus appear in my viewer, but not in anyone elses.   And even if you could, it would be pointless because you cannot grant debit permissions using llDialog.

---

Thanks for the information. Wish I could tell you more of the "how" it was done. Am sure LL is working on it since they seemed to solve and deal with the issue VERY quickly. Like I said, one of the larger vendors was aware of the scam but did not go into the "how" and since I am not a expert in scripting, I probably wouldn't understand anyway. I can tell you this, that once the dust cleared a second "permissions dialog box" appeared which I am guessing was the correct one. I posed all this not in hopes of finding out the how, more to advise others not to reset or re-rez an affiliate vendor board in front of a complaining customer (which was also the advice of the larger vendor that knew of the scam)

 

[Madeliefste Oh]

---

Navy1 Coba wrote:

LL's fraud division seemed aware of the scam since it has been used before. They were very quick to close the offenders account and then actually delete it. Granted I did provide them with transaction entries in my account and chat log. Since I have several affiliate vendors in my mall, I contacted them as well. Once of the larger producers was aware of this scam and gave me several tips on how to prevent it in the future.

 

---

Please, teach us. What are those tips to prevent?

 

[Navy1 Coba]

---

Madeliefste Oh wrote:

---

Navy1 Coba wrote:

LL's fraud division seemed aware of the scam since it has been used before. They were very quick to close the offenders account and then actually delete it. Granted I did provide them with transaction entries in my account and chat log. Since I have several affiliate vendors in my mall, I contacted them as well. Once of the larger producers was aware of this scam and gave me several tips on how to prevent it in the future.

 

---

Please, teach us. What are those tips to prevent?

 

---

They said NEVER rez or reset anything that needs a money split permission in the presence of someone complaining they cant make it work, such as a tip jar, affiliate vendor, game machine, etc.

If in doubt, try to rez a NEW copy from your inventory instead of taking and re-rezing the old one

Don't leave your groups open enrollment (cant do that since my land needs it)

Make your land group ownership different from your vendors, etc on the site

Don't allow scripts (can't do that since my club needs it)

 

Some of their tips I can't use cause of my club, but I learned to be more cautious.

In the end, I guess you just have to be careful and if scammed, RIGHT THEN file an land abuse report "fraud $" and open an account comprimised support ticket with as much or more information than you think they need. I was lucky this time.

 

[Darrius Gothly]

---

Innula Zenovka wrote:

No, I remember the old SLX terminal scam, and that's different.   That was people paying money to what they thought was the SLX terminal, when, in fact, they were paying money to an invisible prim, belonging to a scammer, and thus to the scammer.

In this case, a script is removing funds from someone's account and transferring them to the scammer.   The script can only do this if it's in an object belonging to the victim of the fraud.    That's the way

PERMISSION_DEBIT

works.   The only person who can get the orange request dialogue box is the owner.

ETA .. @Navy1 I don't understand how you can "clone" the debit permissions dialog box.   I can change the way llDialog menus appear in my viewer, but not in anyone elses.   And even if you could, it would be pointless because you cannot grant debit permissions using llDialog.

---

I beg to differ Innula. To wit:

llRequestPermissions( key agent, integer permissions );

All the scammer needs to do is find and program in the intended victim's UUID and .. presto .. the Debit Permission dialog appears on the victim's screen.

However the llGiveMoney function is the bugaboo here:

llGiveMoney( key destination, integer amount );

 

It goes on to say "Transfer amount of L$ money from script owner to destination avatar." (emphasis mine on Script Owner) This requires that the script be owned by the victim. THAT's a tough one to arrange. The scammer would somehow have to give the invisible prim with script to the victim first. Unless it is bought in-world somehow it will wind up in the victim's inventory and not stay rezzed.

I'm sure there's a way to flim-flam folks into falling for this scam, but it's gonna take some thinking and good role playing to pull it off.

[Navy1 Coba]

Update #2

Somewhere I said another day, another face, another avatar, well they dont wait long.

In pops mr cool (251 days) (not the name, TOS, remember) and wants to donate 100L to my donation box

[2012/08/23 06:35]  Mr Cool: to donate your box does not work ok
[2012/08/23 06:36]  Navy1 Coba: you can donate to one of the glasses on the stage also, I will check that, thanks
[2012/08/23 06:36]  Mr Really Cool: I will donate your club 100l$
[2012/08/23 06:36]  Navy1 Coba: ok, thanks
[2012/08/23 06:37]  Navy1 Coba: I will have to work on it later

[06:39]  'Donation Cash Box UPDATE', an object owned by 'Navy1 Coba', located in (insert sim) has been denied permission to: Take Linden dollars (L$) from you.

even tried a new one:

[07:22]  'ajuste system linden', an object owned by 'Navy1 Coba', located in (insert sim), has been denied permission to: Take Linden dollars (L$) from you.

First off, the Donation Cash Box doesn't have a request system in it, so that was clue #1

As before, filed an abuse report and a ticket. Not sure he will make 252 days.

I looked for an invisible prim and none there. Even when I banned him from the land, the yellow drop downs kept comming, about 40 in total. I was stalling hoping to get more info.

Just beware.

[Deja Letov]

Wow that is just crazy stuff. At least you know to look out for it now.