
Scam Alert - Please Be Careful


50 minutes ago, CaithLynnSayes said:

I said I wasn't going to go back and forth with you because of exactly this. You always have to resort to things like the above so, yeah. I'm not going to take the bait. I said my piece on the matter and I'll just be here passively.

Blame the Dutch genes in me that like engaging in a little ouwehoeren on occasion.

  • Haha 2
  • Confused 1

50 minutes ago, EliseAnne85 said:

I'm curious about something. Maybe you know, maybe you don't. But, why did LL choose multi-factor authentication instead of just the usual email and phone number? The email and phone number is easier.

Additionally, I mean plus either password and phone? Phone code is easier than the tokens.

I don't know the deep details, but SMS text messaging used on mobile networks is not very secure. It rides the old "Signalling System 7" network that has been the target of successful attacks for decades. Here's one of many cases where that cost real money because people used phone messaging for two-factor authentication: https://arstechnica.com/information-technology/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/

That said, even phone-based authentication would have made this particular scam unworkable. If one were going to the trouble and expense of adding authentication factors today, though, one would probably avoid using the phone because of its well known vulnerabilities.

  • Like 2
  • Thanks 1

3 hours ago, Arielle Popstar said:

Oh, so add a little credit card theft to hacking an S/L account? I'd question whether anyone who is at that level could be bothered with snagging a few lindens through a phishing scheme. If caught, I'd wager the perp would get a lot more time for the CC theft than the account and L$ grab. Seems a little bit of straw grasping, Theresa.

So, you don't think they're actually running a financial scam already and just phish passwords because they want the latest fatpack from Blueberry?


5 minutes ago, Theresa Tennyson said:

So, you don't think they're actually running a financial scam already and just phish passwords because they want the latest fatpack from Blueberry?

So are you trying to imply that this isn't a couple of script kiddies scamming a few L$ but an organized, ongoing high end phishing scam?

  • Haha 2

This ought to piss a few people off -- at least one or two, in particular.

LL should focus on ensuring their system is not hackable - not on protecting people from their own stupidity.

Yes, in this day and age, with all of the scam warnings that are everywhere out there, it is someone's own stupidity when they fall for those types of scams.

  • Like 7
  • Thanks 1

35 minutes ago, LittleMe Jewell said:

This ought to piss a few people off -- at least one or two, in particular.

LL should focus on ensuring their system is not hackable - not on protecting people from their own stupidity.

Yes, in this day and age, with all of the scam warnings that are everywhere out there, it is someone's own stupidity when they fall for those types of scams.

Context is important. For instance, my company has specific training to avoid being phished, etc., including test phishing emails. In that case, the company is protecting itself by educating the employees. In the case of SL, a big, publicized hacking / phishing scam scandal would both be bad for business, and also bad publicity.

Edited by Love Zhaoying
  • Like 1

37 minutes ago, LittleMe Jewell said:

This ought to piss a few people off -- at least one or two, in particular.

LL should focus on ensuring their system is not hackable - not on protecting people from their own stupidity.

Yes, in this day and age, with all of the scam warnings that are everywhere out there, it is someone's own stupidity when they fall for those types of scams.

Totally agree!!

  • Like 1

26 minutes ago, Love Zhaoying said:

In the case of SL, a big, publicized hacking / phishing scam scandal would both be bad for business, and also bad publicity.

There is a big difference between being hacked -- which definitely would be bad for the company image and is something that would specifically be the fault of the company -- and someone using the platform for phishing attempts. The latter happens, to some degree or another, on every internet platform out there. The gullible are the usual victims. The more we try to protect people from their own dumb actions, the more we encourage them to not think for themselves.

  • Like 2
  • Thanks 1
  • Sad 1

1 hour ago, Arielle Popstar said:

So are you trying to imply that this isn't a couple of script kiddies scamming a few L$ but an organized, ongoing high end phishing scam?

I would have thought someone as into OpenSim as you would have been aware of how often virtual world currency is used in financial fraud:

https://www.hypergridbusiness.com/2015/04/crooks-steal-126000-from-avination-grid/


6 hours ago, Arielle Popstar said:

If text input boxes were henceforth restricted to only those who have a PIOF, it would make phishers easier to track down along with their ill-gotten gains.

How on earth would you implement that? Scripts either compile or they don't. LL would have to rewrite the compiler completely so that, when it encounters a call to llTextBox, it breaks off and checks the PIOF status of whoever owns the script. I doubt that's even possible but, assuming it is, it seems a complete waste of effort.

  • Like 5

4 hours ago, Qie Niangao said:

If we must use passwords still, multi-factor authentication is the bare minimum prevention for basic human fallibility with password use—and remember the hue and cry when that was even offered opt-in for SL! (We all know darn well that if the victims of this scam had their accounts protected by MFA, they'd not be victims. The scammers are simply preying on those who aren't using the security available to all for free on the platform. But nobody mentions that.)

I started worrying that this was all coming across as blaming the victims, and that's not what I mean at all. Sure, it's a stupid thing to do, to give out your password, but we all do stupid things every day. More when tired. Or stressed, or distracted. Or whatever takes us off our peak performance. But none of us are at "peak" all the time, and we all screw up.

The problem is that passwords make it too easy to screw up, and using them as adequate sole factor authentication makes an error-prone system brittle.

We're smarter than the stupid things we do, so maybe we can just do this one smart thing now and protect our accounts with multi-factor authentication.

Yeah it's a bit of a pain, and the infallible among us will never need it. Except none of us are infallible. And it only takes that one stupid mistake to lose an account in which we've invested years.

  • Like 2
  • Haha 1

21 minutes ago, Qie Niangao said:

The problem is that passwords make it too easy to screw up, and using them as adequate sole factor authentication makes an error-prone system brittle.

It's too bad there couldn't be a way that our password NEVER logs out, not unless we delete our account or LL does. That way if someone tried to log in with anyone's unique username and password, that hacker would get a message - (something like) 'sorry, that username and password is already logged in, you may not log in' and they wouldn't be able to log in because a password can only log in one person and we'd already be that person who is logged in. We could close down the viewer and shut it but it wouldn't log us out via password.

Plus, then no one would give out their password because we'd know we are logged in as we didn't delete our account.

Me, just dreamin'... but I'm not even sure if what I wrote above makes sense. lol

Edited by EliseAnne85

3 hours ago, Theresa Tennyson said:

I would have thought someone as into OpenSim as you would have been aware of how often virtual world currency is used in financial fraud:

https://www.hypergridbusiness.com/2015/04/crooks-steal-126000-from-avination-grid/

You do realize that incident was a dozen years ago, right? If you know the back story a little more you'd also know that it was a result of pride in the thinking of how it wouldn't happen to them and therefore the proper safeguards weren't put in place. Sort of like some people here.

  • Haha 1

5 hours ago, LittleMe Jewell said:

This ought to piss a few people off -- at least one or two, in particular.

LL should focus on ensuring their system is not hackable - not on protecting people from their own stupidity.

Yes, in this day and age, with all of the scam warnings that are everywhere out there, it is someone's own stupidity when they fall for those types of scams.

Well, it doesn't bother me, as I follow your frequent Pet Peeve posts on how you often get less than you were expecting from different creators and your peeve at being scammed. I don't think there is stupidity involved because there are simply too many different ways one can be taken advantage of in SL, and the best we can do is learn from the mistakes of others rather than judge them for it.

  • Haha 1

3 hours ago, Innula Zenovka said:

How on earth would you implement that? Scripts either compile or they don't. LL would have to rewrite the compiler completely so that, when it encounters a call to llTextBox, it breaks off and checks the PIOF status of whoever owns the script. I doubt that's even possible but, assuming it is, it seems a complete waste of effort.

I don't know, Innula, you are the expert on scripting, but why would it be a complete waste of effort since at the very least it will reduce the numbers of those trying to do so, as not all are going to go steal credit cards to put up fictitious payment info.

  • Haha 2

9 hours ago, Arielle Popstar said:

I don't know, Innula, you are the expert on scripting, but why would it be a complete waste of effort since at the very least it will reduce the numbers of those trying to do so, as not all are going to go steal credit cards to put up fictitious payment info.

What are "the numbers"?

This is the first time I remember hearing about this kind of phishing exploit in however long it is since an effective version of llTextBox was introduced (as I recall, there was a completely unusable borked version for some years before it became workable).

How many times before the present incident have you heard about people using llTextBox to collect people's passwords?

To my mind the numbers are likely to be pretty small, and I think it would be a complete waste of time and effort to revise the compiler so that, in order to prevent a phishing exploit that hardly ever occurs, it has to make an external call to LL's servers to establish the PIOF status of the script's owner whenever it encounters llTextBox.

The phrase "taking a sledgehammer to crack a nut" comes to mind.

Edited by Innula Zenovka
  • Like 6

I thought of a non-SL analogy for the llDialog() situation.

It's not the best analogy..

In Windows, there "is" still a command "msg" you can use to send a message to anyone on your network. (I thought it was deprecated, but nope. However, documentation says, "You must have Message special access permission to send a message.") Anyway, in the old days this message was used to prank people.

https://www.nextofwindows.com/windows-tip-to-broadcast-messages-to-other-computer-users

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msg


25 minutes ago, Love Zhaoying said:

"You must have Message special access permission to send a message."

If this were applied 1:1 to LSL as a 'script permission', and putting aside the issue of breaking almost all existing content, I don't think adding a 'hey can I have permission to show you a message?' prompt before certain kinds of messages would help anyone.

  • Like 2

8 minutes ago, Quistess Alpha said:
36 minutes ago, Love Zhaoying said:

"You must have Message special access permission to send a message."

If this were applied 1:1 to LSL as a 'script permission', and putting aside the issue of breaking almost all existing content, I don't think adding a 'hey can I have permission to show you a message?' prompt before certain kinds of messages would help anyone.

That wasn't my point, but I don't disagree.

I started out trying to explain that "Hey, in Windows you used to be able to send random people on your network a message"... but you still can! The fact it is restricted now is just incidental.

Idea: Add to ALL llTextBox() input boxes, a message somewhere that "Linden Lab will NEVER ask for your password".  lol!

  • Like 3

4 hours ago, Innula Zenovka said:

To my mind the numbers are likely to be pretty small, and I think it would be a complete waste of time and effort to revise the compiler so that, in order to prevent a phishing exploit that hardly ever occurs, it has to make an external call to LL's servers to establish the PIOF status of the script's owner whenever it encounters llTextBox.

The phrase "taking a sledgehammer to crack a nut" comes to mind.

The numbers are big enough for both Firestorm and SL to be making mention of it on their splash pages and social media. The Lab isn't known for its transparency, so it's not surprising it hasn't been mentioned until they had a somewhat solution with the multi-factor authentication that is now being pushed hard. For me it begs the question, though, of why I would want to give them even more personal information when I am not so impressed with their handling of the info they already have. Is it going to be data available for bots to scrape in a new hack or scripting exploit?

If the ever increasing bot issue is any indication, there will now likely be even more copy-cat phishing attempts done in similar ways so to my mind it is better to use the sledgehammer while the issue is only a nut rather than wait till it is something much harder to crack.

  • Haha 2
  • Confused 1

6 minutes ago, Love Zhaoying said:

Idea: Add to ALL llTextBox() input boxes, a message somewhere that "Linden Lab will NEVER ask for your password".  lol!

And yet Linden Lab does ask for my password when I log into the viewer or the website, even the in-viewer browser. This, for those unaware, is just an additional asking from what could easily be determined as an authentic source, being it is in the Viewer itself.

  • Haha 2

56 minutes ago, Arielle Popstar said:

The numbers are big enough for both Firestorm and SL to be making mention of it on their splash pages and social medias

A considerable number of people doubtless received the fake messages, and a considerably greater number (including me) didn't see the actual text box but heard about the exploit multiple times in various groups, as people became aware of the incident and posted about it (and then read about it in one group, and posted about it in several dozen others, at which point even more people... gave a demonstration of how things spread virally).

I don't remember this ever happening before. Do you?

From this I conclude that this exploit must be pretty rare. Or perhaps it's a common occurrence but, for some reason, no one has ever thought to publicise it in groups or the forums before.

Which do you think is more likely?

Edited by Innula Zenovka
  • Like 4
  • Thanks 1