
Scam Alert - Please Be Careful


You are about to reply to a thread that has been inactive for 438 days.

Please take a moment to consider if this thread is worth bumping.

Recommended Posts

35 minutes ago, Alwin Alcott said:

the ones that need it  .....they-will-not-read-it
 

so.. the car dealer is also responsible for solving your stupid driving? ..  there are brakes on your car, use them.
 

 .. the safety of pc/computer entry process is as safe as the user uses it

1. The ones that didn't read it were perhaps not adequately notified of it. Do you read the whole viewer splash page on every login?

2. Car dealer isn't but the manufacturer sure is if the brakes are inadequate. That is what Recalls are for.

3. That is debatable considering how many viruses and other malware are out there. There are also all the OS updates needed to protect against new and old vulnerabilities. That is on the programmers and developers of the software.

  • Haha 1
Link to comment
Share on other sites

27 minutes ago, Arielle Popstar said:

1. The ones that didn't read it were perhaps not adequately notified of it. Do you read the whole viewer splash page on every login?

2. Car dealer isn't but the manufacturer sure is if the brakes are inadequate. That is what Recalls are for.

3. That is debatable considering how many viruses and other malware are out there. There are also all the OS updates needed to protect against new and old vulnerabilities. That is on the programmers and developers of the software.

1) I always overview it, and with warnings.. yes I read it again, btw I also read the blogs.. it's useful to stay a bit up to date with things you do.
2) the dealer is the same as LL, they provide a platform, but it runs on a computer that is owned by somebody else.. (if it has brakes, use it).. and it does have that. Just be aware of the traffic around you.
3) this is about phishing, no virus or malware, and a phishing tool, abuse of a script, is going around. You're warned.

Arielle you just provided LL the tools to pull the plug out of SL for safety reasons.:SwingingFriends:

Edited by Alwin Alcott
Link to comment
Share on other sites

Unfortunately I was an idiot and they got me. My account appears to be deleted and I had no luck recovering it after 2 support tickets. I miss all my SL friends dearly....😢

Don't EVER enter your password once you're in world for anything!

Edited by MiaWasHacked
typo
  • Sad 5
Link to comment
Share on other sites

1 hour ago, MiaWasHacked said:

Unfortunately I was an idiot and they got me. My account appears to be deleted and I had no luck recovering it after 2 support tickets. I miss all my SL friends dearly....😢

Don't EVER enter your password once you're in world for anything!

Sorry to hear that but to my mind that is really something the Lab should be bending over backwards to straighten out considering it is an in-viewer message where the password is being transferred to an inworld recipient. Not even needing to be done on an external site. That sort of vulnerability on a trusted viewer should just not be possible or allowable.

  • Thanks 1
Link to comment
Share on other sites

1 hour ago, Arielle Popstar said:

Sorry to hear that but to my mind that is really something the Lab should be bending over backwards to straighten out considering it is an in-viewer message where the password is being transferred to an inworld recipient. Not even needing to be done on an external site. That sort of vulnerability on a trusted viewer should just not be possible or allowable.

The problem is there's practically nothing they could do. At all. Short of seriously crippling SL commerce by completely changing a host of scripted interactions currently mediated by llTextBox. Starting with all gift sales.

It would theoretically be possible to resurrect those transactions one at a time with a batch of new, specialized script library functions. So stop all gifting for a while until some developers, pulled off other security tasks, invent a new API, and every resident-scripted vendor is updated or replaced. And that would "solve" just one of the transactions we all depend on llTextBox to mediate.

Earlier, @Love Zhaoying mentioned a kind of content filter for llTextBox prompts (like, don't let them ask for something like "password") which might be better than nothing, but it's far from foolproof. I actually think it may be worth doing, but the signal to noise ratio is pathetic: if you were a dedicated phisher, don't you think you could ask for a password without asking for a "password"? Of course you could. Meanwhile there's a plague of false positives: Can't allow for any in-world games that use anything like a password, lest it trigger the filter.

It's like trying to make forums (or social media) software that censors all and only the naughty bits.

  • Like 3
  • Thanks 1
Link to comment
Share on other sites

2 hours ago, Qie Niangao said:

The problem is there's practically nothing they could do. At all. Short of seriously crippling SL commerce by completely changing a host of scripted interactions currently mediated by llTextBox. Starting with all gift sales.

It would theoretically be possible to resurrect those transactions one at a time with a batch of new, specialized script library functions. So stop all gifting for a while until some developers, pulled off other security tasks, invent a new API, and every resident-scripted vendor is updated or replaced. And that would "solve" just one of the transactions we all depend on llTextBox to mediate.

Earlier, @Love Zhaoying mentioned a kind of content filter for llTextBox prompts (like, don't let them ask for something like "password") which might be better than nothing, but it's far from foolproof. I actually think it may be worth doing, but the signal to noise ratio is pathetic: if you were a dedicated phisher, don't you think you could ask for a password without asking for a "password"? Of course you could. Meanwhile there's a plague of false positives: Can't allow for any in-world games that use anything like a password, lest it trigger the filter.

It's like trying to make forums (or social media) software that censors all and only the naughty bits.

I find it unlikely that an account can be deleted to a point where it is unrecoverable by SL. I would sure hope they have backups made prior to a week-old account closure. A warning when clicking a link that takes one outside of SL is a reasonably standard option for some sites. An in-world warning or link to their most recent Blog about Phishing would be pretty easy when there is an uptick in phishing scams. The Blog post warning about the particular current methodology in connection with llTextBox would be a good start. Their blog post warns about everything but that vector, and yet it is a particularly dangerous one because it is in a trusted viewer and could easily fool newer people who are not familiar yet with the normal ways the viewers work.

Those are just a few workable ideas that don't even get into the LSL and only deal with mitigating and educating users about the potential dangers of Phishing as it applies directly within Second Life. 

Link to comment
Share on other sites

8 minutes ago, Arielle Popstar said:

I find it unlikely that an account can be deleted to a point where it is unrecoverable by SL.

Scammers don't want to 'delete your account', they want to steal your L$ (and your RL $$$ too), which, depending on how smart they are, is a lot harder to undo than just pressing a reset button. I hear LL knows what they're doing in remedying those cases, but even so. . .

Link to comment
Share on other sites

11 hours ago, Quistess Alpha said:

Scammers don't want to 'delete your account', they want to steal your L$ (and your RL $$$ too), which, depending on how smart they are, is a lot harder to undo than just pressing a reset button. I hear LL knows what they're doing in remedying those cases, but even so. . .

Combination of cleaning out account and closing/deleting to make tracing more difficult.

Link to comment
Share on other sites

18 hours ago, Arielle Popstar said:

Sorry to hear that but to my mind that is really something the Lab should be bending over backwards to straighten out considering it is an in-viewer message where the password is being transferred to an inworld recipient. Not even needing to be done on an external site. That sort of vulnerability on a trusted viewer should just not be possible or allowable.

There is no rational way to stop this type of attack. You cannot ban a screwdriver because someone once used it to break into a car or something, so you can't ban a scripted text input box.

It's like when attention seeking kids flood a region with prims or loud sounds, aka "griefing". Are you now going to stop everybody from using the build ability because someone used it to annoy someone?

You didn't think this one through, did you? ;)

 

  • Like 2
Link to comment
Share on other sites

8 minutes ago, CaithLynnSayes said:

There is no rational way to stop this type of attack. You cannot ban a screwdriver because someone once used it to break into a car or something, so you can't ban a scripted text input box.

It's like when attention seeking kids flood a region with prims or loud sounds, aka "griefing". Are you now going to stop everybody from using the build ability because someone used it to annoy someone?

You didn't think this one through, did you? ;)

Well one idea would be to limit in the same way mesh building/uploading is done:

To upload mesh content you must accept the IP terms and have payment info on file. https://wiki.secondlife.com/wiki/Mesh

See, it isn't that there aren't potential solutions but that those who are scripters wouldn't want their freedoms restricted in the same way. If text input boxes were henceforth restricted to only those who have a PIOF, it would make phishers easier to track down along with their ill-gotten gain. Bet that would lessen how often in-world phishing happens.

Passes you a thinking cap:

[image: thinking cap]

 

 

  • Haha 2
  • Confused 2
Link to comment
Share on other sites

7 minutes ago, Arielle Popstar said:

Well one idea would be to limit in the same way mesh building/uploading is done:

To upload mesh content you must accept the IP terms and have payment info on file. https://wiki.secondlife.com/wiki/Mesh

See, it isn't that there aren't potential solutions but that those who are scripters wouldn't want their freedoms restricted in the same way. If text input boxes were henceforth restricted to only those who have a PIOF, it would make phishers easier to track down along with their ill-gotten gain. Bet that would lessen how often in-world phishing happens.

Passes you a thinking cap:

[image: thinking cap]

 

 

My thinking cap is telling me, "If someone's doing something to run a financial scam, wouldn't they just use a stolen credit card number for their PIOF?"

  • Like 2
Link to comment
Share on other sites

Don't need your thinking cap because it seems to be defective. ;)

You may think you got a nice idea going there but I'd like to see LL implement something like that and then watch these forums explode all over again. - This is just yet a new way of phishing that people should be warned and educated about. Restricting capabilities of the service because they can be used in a malicious way is an excellent way to get a lot of people up in arms because the bad actors will find another exploit and then what? Restrict that one too? Soon you won't be able to do anything anymore and SL will be just about a shadow of its former self.

 

Link to comment
Share on other sites

23 minutes ago, Theresa Tennyson said:

My thinking cap is telling me, "If someone's doing something to run a financial scam, wouldn't they just use a stolen credit card number for their PIOF?"

Oh so add a little credit card theft to hacking an S/L account? I'd question whether anyone who is at that level could be bothered with snagging a few lindens through a phishing scheme. If caught I'd wager the perp would get a lot more time for the CC theft than the account and L$ grab. Seems a little bit of straw grasping, Theresa.

28 minutes ago, CaithLynnSayes said:

Don't need your thinking cap because it seems to be defective. ;)

You may think you got a nice idea going there but I'd like to see LL implement something like that and then watch these forums explode all over again. - This is just yet a new way of phishing that people should be warned and educated about. Restricting capabilities of the service because they can be used in a malicious way is an excellent way to get a lot of people up in arms because the bad actors will find another exploit and then what? Restrict that one too? Soon you won't be able to do anything anymore and SL will be just about a shadow of its former self.

Think we have all seen SL implement worse and the resulting forum implosion was just another ho-hum day at the virtual office. And when it gets a little too rambunctious, there is always the shutting down the thread option.

Yes, they could actually educate residents what Phishing in S/L looks like instead of using some standardized Phishing warning that probably came straight from some wiki, or maybe they used ChatGPT, without including information that it is through SL viewers.

  • Like 1
  • Haha 2
  • Confused 1
Link to comment
Share on other sites

5 minutes ago, Arielle Popstar said:

Yes, they could actually educate residents what Phishing in S/L looks like instead of using some standardized Phishing warning that probably came straight from some wiki, or maybe they used ChatGPT, without including information that it is through SL viewers.

I had to read that a couple of times before I thought I knew what you meant with that, but I'm actually still not sure, lol.

Like, that last part about ChatGPT. Are you just saying that because it's the latest hot thing or did you put thought in that? I'm not trying to belittle you, I'm just really curious.

Personally, I think if you fall for a message that says you're about to be logged out but can prevent that by reentering your password, you shouldn't be on the internet. We all know what a script dialog box/text input box looks like. We also know what a dialog box of the viewer looks like. They are pretty different. I can imagine newer users possibly falling for that, but people that have been in SL for a longer time should know better.

Anyway, I might tap out of this one because it may turn into a back and forth between you and me where you will say SL functions should be restricted because they can be used in a bad way and I would insist on not doing that because of above reasons.

  • Sad 1
Link to comment
Share on other sites

18 hours ago, Qie Niangao said:

Earlier, @Love Zhaoying mentioned a kind of content filter for llTextBox prompts (like, don't let them ask for something like "password") which might be better than nothing, but it's far from foolproof. I actually think it may be worth doing, but the signal to noise ratio is pathetic: if you were a dedicated phisher, don't you think you could ask for a password without asking for a "password"? Of course you could. Meanwhile there's a plague of false positives: Can't allow for any in-world games that use anything like a password, lest it trigger the filter.

But, I think it's worth doing.  

Also, how can a phisher ask for a password without asking for a password?  Is it just by getting someone to CLICK?  I'm guessing, the answer is probably yes, just by clicking and starting what - a keylogger?  

Will voice to text afford us more internet safety in the future?  (This question is to anyone reading,  not directed to Qie alone.)

Games shouldn't ask for password, imo, anyway...maybe something else like a "key".

Edited by EliseAnne85
  • Like 1
  • Haha 1
Link to comment
Share on other sites

I have to add to this. I use encrypted email and a VPN and am very conscious of possible attacks in my general internet conduct. At the time I was hacked I was in an immersive conversation and panicked when I received the window that prompted me to enter my password or be logged out as to not lose the conversation I was in. It was perfect timing and a very dumb decision on my behalf.  After many years of being in SL I had never received a notice like this and since it came from inside the browser I thought it was legit. This is just a warning to everyone to NEVER enter your password for any reason when you're in world. 

  • Like 2
Link to comment
Share on other sites

12 minutes ago, CaithLynnSayes said:

I had to read that a couple of times before I thought I knew what you meant with that, but I'm actually still not sure, lol.

Like, that last part about ChatGPT. Are you just saying that because it's the latest hot thing or did you put thought in that? I'm not trying to belittle you, I'm just really curious.

Go read the Lab news. You see anything in there that specifically addresses this particular phishing scheme? One is really no wiser after reading it than before, hence my charge that not a lot of thought went into it. Better to have read Twitter where Beq at least posted a pic of the text box asking for a password:

[image: screenshot posted by Beq of the text box asking for a password]

Quote

 

Personally, I think if you fall for a message that says you're about to be logged out but can prevent that by reentering your password, you shouldn't be on the internet. We all know what a script dialog box/text input box looks like. We also know what a dialog box of the viewer looks like. They are pretty different. I can imagine newer users possibly falling for that, but people that have been in SL for a longer time should know better.

 

Really? Please educate me because after my 14 years I wouldn't know the difference, but then I am not a scripter who needs to know this stuff. It was only 2 weeks ago that I was logged out of MP for some reason and after clicking a product link to take me to the page, I was having to relog into it, which I did at the time without thinking. Only later did I think that was strange as I shouldn't have been logged out in the first place. It wound up being fine and must have been because S/L was messing with the MP and logged people out to fix it. Viewers regularly log me out for unknown reasons and if suddenly a pop up box came up and asked me for a password to stay logged in, I would assume a new feature by either S/L or FS.

Quote

Anyway, I might tap out of this one because it may turn into a back and forth between you and me where you will say SL functions should be restricted because they can be used in a bad way and I would insist on not doing that because of above reasons.

Well your choice but instead of defending the status quo like the other fanboys and girls, you could maybe think up a way that actually might mitigate these issues and doesn't require restrictions to protect residents.

  • Like 2
  • Haha 2
Link to comment
Share on other sites

4 minutes ago, Arielle Popstar said:

Go read the Lab news. You see anything in there that specifically addresses this particular phishing scheme? One is really no wiser after reading it than before, hence my charge that not a lot of thought went into it. Better to have read Twitter where Beq at least posted a pic of the text box asking for a password:

[image: screenshot posted by Beq of the text box asking for a password]

Really? Please educate me because after my 14 years I wouldn't know the difference, but then I am not a scripter who needs to know this stuff. It was only 2 weeks ago that I was logged out of MP for some reason and after clicking a product link to take me to the page, I was having to relog into it, which I did at the time without thinking. Only later did I think that was strange as I shouldn't have been logged out in the first place. It wound up being fine and must have been because S/L was messing with the MP and logged people out to fix it. Viewers regularly log me out for unknown reasons and if suddenly a pop up box came up and asked me for a password to stay logged in, I would assume a new feature by either S/L or FS.

Well your choice but instead of defending the status quo like the other fanboys and girls, you could maybe think up a way that actually might mitigate these issues and doesn't require restrictions to protect residents.

Shame I hadn't seen this before. That's the exact popup I received. If I had just been standing around like most of us do most of the time in SL, I would have thought about it and probably not submitted my password. Unfortunately being in a riveting convo with several friends I took the cheese and paid the price.

  • Thanks 1
Link to comment
Share on other sites

3 minutes ago, MiaWasHacked said:

Shame I hadn't seen this before. That's the exact popup I received. If I had just been standing around like most of us do most of the time in SL, I would have thought about it and probably not submitted my password. Unfortunately being in a riveting convo with several friends I took the cheese and paid the price.

Don't feel bad. A lot of scams are designed to catch us off guard - you know all those emails that swap an "l" with a capital "i" and rely on someone just instinctively clicking on links and logging in without looking TOO closely at the sender's name and/or email, or those phone calls that bait you into saying "yes" so they can record that for nefarious purposes.

On the bright side, you don't have to worry about any credit card/bank/financial issues as a result, so there's that.

That said - link scams are also rampant in group chats, and it's just a general good practice to never click those either. Marketplace links especially.

  • Like 2
Link to comment
Share on other sites

48 minutes ago, Arielle Popstar said:

Well your choice but instead of defending the status quo like the other fanboys and girls, you could maybe think up a way that actually might mitigate these issues and doesn't require restrictions to protect residents.

I said I wasn't going to back and forth with you because of exactly this. You always have to resort to things like the above so, yeah. I'm not going to take the bait. I said my piece on the matter and I'll just be here passively.

  • Like 1
Link to comment
Share on other sites

1 hour ago, EliseAnne85 said:

But, I think it's worth doing.  

Also, how can a phisher ask for a password without asking for a password?  Is it just by getting someone to CLICK?  I'm guessing, the answer is probably yes, just by clicking and starting what - a keylogger?  

Will voice to text afford us more internet safety in the future?  (This question is to anyone reading,  not directed to Qie alone.)

Games shouldn't ask for password, imo, anyway...maybe something else like a "key".

What I meant by a phisher asking for a password without asking for a "password" was purely superficial: misspell password in some way the text filter wouldn't recognize as matching its pattern but in a way that a human wouldn't even notice as an error. Sneak a well-spaced linebreak in the middle of the word, or some unicode trick. I'm sure any self-respecting phisher is better at dreaming these up than I am, but I bet I could trick some distracted SL residents if I set my mind to it, and I bet you could, too.

Anyway I wholly agree that games shouldn't ask for passwords—and neither should anything else. The big guys (Google especially, but also Meta and Apple and others) are committed to making passwords obsolete, simply because there's no way to make them safe: they spent years and millions trying.

If we must use passwords still, multi-factor authentication is the bare minimum prevention for basic human fallibility with password use—and remember the hue and cry when that was even offered opt-in for SL! (We all know darn well that if the victims of this scam had their accounts protected by MFA, they'd not be victims. The scammers are simply preying on those who aren't using the security available to all for free on the platform. But nobody mentions that.)

  • Like 1
Link to comment
Share on other sites
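The prompt filter that Love Zhaoying suggested and that Qie weighs above, including the three evasions Qie names (a misspelling a human would not notice, a linebreak inside the word, a unicode trick), as an added Python example that is not part of this thread and is not code from any viewer or from Linden Lab. It normalizes a text-box prompt before matching, so those three evasions are caught, and it deliberately exposes the two limits Qie raises: a prompt that asks for the secret without using the word passes untouched, and an in-world game that legitimately mentions a password is flagged. The sample prompts are constructed, and the watch list and the edit-distance threshold are assumptions of this example.

```python
import re
import unicodedata

# Assumed watch list; a real viewer-side filter would make this configurable.
SENSITIVE_TERMS = ("password", "passphrase")
MAX_EDIT_DISTANCE = 1  # assumption: one typo/transposition still counts as a hit


def normalize(text: str) -> str:
    """Fold unicode look-alikes, drop invisible format characters, lowercase.

    NFKC maps compatibility forms (fullwidth letters etc.) to plain ASCII,
    and dropping category Cf removes zero-width joiners/spaces that split a
    word visually without changing how a human reads it.
    """
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # "passwrod"
    return d[len(a)][len(b)]


def find_sensitive_terms(prompt: str) -> list:
    """Return the watch-list terms a prompt appears to ask for, with the reason."""
    norm = normalize(prompt)
    # Collapsing everything but letters defeats "pass word" and "pass\nword".
    letters_only = re.sub(r"[^a-z]", "", norm)
    words = re.findall(r"[a-z]+", norm)
    hits = []
    for term in SENSITIVE_TERMS:
        if term in letters_only:
            hits.append((term, "exact match after normalization"))
            continue
        for word in words:
            if (abs(len(word) - len(term)) <= MAX_EDIT_DISTANCE
                    and osa_distance(word, term) <= MAX_EDIT_DISTANCE):
                hits.append((term, f"near miss: {word!r}"))
                break
    return hits


def prompt_is_suspicious(prompt: str) -> bool:
    return bool(find_sensitive_terms(prompt))


# Constructed sample prompts: the first five are the kind of wording the thread
# describes, the sixth sidesteps the filter, the seventh is a legitimate game.
SAMPLE_PROMPTS = [
    "Your session is about to expire. Enter your password to stay logged in.",
    "Enter your pass\u200bword to stay logged in",      # zero-width space
    "Enter your pass\nword to stay logged in",          # linebreak inside word
    "Enter your \uff50\uff41\uff53\uff53\uff57\uff4f\uff52\uff44",  # fullwidth
    "Enter your passwrod to stay logged in",            # transposition
    "Enter the secret code to open the treasure chest",  # no watch word: passes
    "Type the password for the escape room door",       # legitimate: flagged
]

if __name__ == "__main__":
    for p in SAMPLE_PROMPTS:
        print(f"{'FLAG ' if prompt_is_suspicious(p) else 'pass '} {p!r} {find_sensitive_terms(p)}")
```

Running the block shows the first five prompts flagged and the sixth passing, which is exactly the signal-to-noise problem Qie describes: the filter raises the cost of the crude version of the scam, but anyone willing to reword the request walks through it, while the seventh, an honest game prompt, is blocked. The normalization step is the part worth keeping regardless, since without it a single invisible character defeats any keyword list.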

31 minutes ago, Qie Niangao said:

If we must use passwords still, multi-factor authentication is the bare minimum prevention for basic human fallibility with password use—

I'm curious about something.  Maybe you know, maybe you don't.  But, why did LL choose multi-factor authentication instead of just the usual email and phone number?  The email and phone number is easier.  

Additionally, I mean plus either password and phone?  Phone code is easier than the tokens.

Edited by EliseAnne85
Link to comment
Share on other sites
