My account was hacked.

[Knowl Paine]

In every scam, the criminals need to Cash out.

At some point, the money is sent from Pay Pal to a Bank. Delaying that process would be a good start. 

Prosecute the people LL has caught.

Educate Residents.

When LL finds a scammer, confiscate any L$ in the Account, and place the L$ in a Victims Fund. Eligible Residents would receive a weekly stipend until a time when all of the L$ has been recovered. A shared recovery system could help the greatest number of Residents who have suffered a loss.

Create an SLDIC. Second Life Depositors Insurance Corp.

Create an additional button on the Viewer that will allow Residents to confirm if a LL web link is an authentic LL Link. The "safe-link" inquiry would route through LL and would only approve when the internal server confirms that the link does direct back to the internal server. It calls itself through the Viewer. I hope that makes sense. Not sure if it would work. Just an idea.

 

 

 

 

Fun d raiser?

 

 

 

[Sommerland Starostin]

---

Ariel Vuissent wrote:

Unfortunately the only way LL can protect us right now is to advise us to never click any links outside of the official LL site. Lately, whenever anyone posts a link to an item they think is cool, I ask for the item name and look it up myself. Plus, my account usually stays logged in, so if I have to log in to the marketplace, I make sure I'm on the official page before I do.

All things considered, we are fairly safe. The only way anyone can get into your account is if you share your password - in SL, online anywhere, or via a phishing website. On LL's end, things are fairly secure, or so it seems to me.

I would definitely change your password, and the linked email address IF the password to that is the same as or similar to your SL one. That way they can't come back later and steal more $L, or use your account to trick other people.

---

Very good idea, go to the item yourself. Don't accept links, even from friends. Thanks for the tip!

 

[Venus Petrov]

It is unfortunate that you and others have experienced this.  I did not read this in the posts above but another suggestion is keep only a small amount of lindens in your main avatar account and load off the rest to an alt.  The alt, of course, will have an entirely different password.

[MasoDevotina]

That only works if the user of the alt account doesn't click any suspicious links ...

If somebody clicks suspicious links in the main account, the chance is that they do the same when they use their alt ...

Somebody wrote about educating the users, and that's the only thing that really helps. Passwords will be stolen as long as people click on a link just because it can be clicked and then enter private informations without thinking first just because they are prompted to.

 

[Ariel Vuissent]

I think - though I'm not certain - that in Venus's suggestion, the alt would be an unused one - basically a "mule" used solely to hold excess $L. The owner of the accounts would log into the alt, send $L to the main account, then log off again, and would not be in any groups, have any friends, etc. At least, this is the way I would do it.

[Aurelia Lionheart]

A lot of people who have a lot of L$ do this, using an non active Alt. Shop owners, people in de "entertainment" industry. So why not, sounds like a good idea if you have more than a few L$. Or have LL come with a different way to "store" your linden, with some extra security.

What also bugs me.. .this fake login page seems to be in the air for weeks now. Or even months.
As I said before, it would be so simple for Linden to post a warning on the Viewe log in screen.
They are a quick as it gets when they think they have to block your account for some reason.. but with things like this.. NOTHING! Things like this are really bad for business. I've seen people loose entire sims, they've been building up for years due to this scam.

Sure you could say they should have been more careful. But a mistake like this is easily made, especially if you get passed on links from people you have know for years and even may know RL

Linden seems to be jumping on you as soon as they think you have done something wrong, then nothing is impossible.. but a simpel thing as warning people .. anyway you get my point.

I think SL is a great game / medium and I do enjoy what Linden has made possible for us. 
Only thing I can't understand is how they keep investing in all sort of things, except for a good communication between provider and client. 

 

[Dilbert Dilweg]

---

LoveAngeL Lyre wrote

---

Unfortunately yes i did. And i did because it was a post which spammed a known group by my virtual sister (who as i said her account was hacked too - i mean someone else was posting with her account) so i would never thought that it was a trap. Thanks for your reply Aurelia.

On the other side my question remains. How Linden Lab can protect all the

unsuspected residents? It could be happened to anyone.

---

It can happen to anyone, anywhere. any platform. I think you should just take better evasive actions like not clicking spam links in world. and maybe think about having a alt account as a banker. Entirely secrate account that you never use or log in except to send your self money. Make the password incredibly hard to guess, and lock down your viewer to where your password is not saved,

Linden Lab could adopt more risk api flags like for instance. If your avatar send copius amounts of money to another avatar and your IP suddenly changed to one out of the ordinary then the moneys should be blocked for 24 hours.

[Sommerland Starostin]

I never leave a lot of lindens with my avi, one reason is it stops me from clicking and buying something horribly expensive by mistake lol , however if someone had my login information they could BUY lindens thru my avi. I think you should only be able to buy a certain amount of lindens while being online in Secondlife and after that you must go to the website and then be prompted for a second unique password to purchase more lindens.

[Venus Petrov]

---

Ariel Vuissent wrote:

I

think

- though I'm not certain - that in Venus's suggestion, the alt would be an unused one - basically a "mule" used solely to hold excess $L. The owner of the accounts would log into the alt, send $L to the main account, then log off again, and would not be in any groups, have any friends, etc. At least, this is the way I would do it.

---

You are exactly correct Ariel.  I have an alt I use for one purpose inworld and she comes out on limited basis to collect and disperse funds from and to me.

[Marigold Devin]

Hello, Love, what a dreadful thing to happen to you, and how easily this can happen.  Everyone on your friend list of course is also at risk, because the scammer undoubtedly will have sent out messages to people giving the same bogus link.

As others have said in this thread, LL do need to put something on the log in screen, as my bank does, to warn people of phishing scams like this one, but honestly I think the way the scammers did this to you, a lot more people will have fallen for it, rather than if they had spammed via email.

I hope you have informed LL of all of this; they really need to act on it. 

The points made in Knowl's post (message 26 in this thread) are good ones; the money will be sent out from scammer to bank at some point.  This is a real crime. 80,000L$ from you, and however much from all the others, that's quite a money making scheme!

I've missed your presence on these forums for the past few weeks too, I just wanted to add that. 





[LoveAngeL Lyre]

Thanks for your sweet words Marigold, Luc and all others for your replies and suggestions. I am waiting still a reply from LL and when i have it, i will inform you here.

[PudgyPaddy]

I understand you wrote they only stole your L's, and left your password intact, but I would also look into my GROUPS to ensure that nothing was tampered with e.g., enrolling you in a group that collects a large fee and/or liabilities.  There are many hacks that could have been perpetrated after this compromise, check them all.  You may not be out of the woods yet.   

 

[Sveva Pennell]

Hello, I have been a victim of phishing too, on 15 th March 2012. I clicked on the same link to marketplace, and inserted my username and password, but in my case htey have changed my password so I couldn't log in anymore. I logged with an alt, and I saw my avatar going around... I immediately wrote to LL and they disabled my account: I have had it back after a week.

I had 8450 linden, and I found zero. From the transaction History I discovered that all my money had been spent in 3 minutes in a shop, to buy 6 identical skins, just in different tones, and a shape, all no transfer. I immediately called the merchant to ask my money back: if she were in good faith, she would had understood it was not me, who had bought so many skins in 3 minutes, but her behaviour has left me really suspicious: even if it was absolutely clear she was keeping stolen money, and without asking me more details, or to prove what I was saying, she has refused to give my money back . I have met lots of sellers on SL during these years, and it’s the first time I receive a response like “it’s not my problem if someone stole your avatar and gave me all your money”.

It may be she is only money-hungry (in my country keeping money coming from stealing is a crime… what about SL?), but if she receives money from all the avatar victim of phishing as mine, she may be involved with the hacker. It could be a artful system, to simulate a regular sale, to share the booty. In fact, it is what she says not to pay me: “the avatar has bought no transfer skins, so I keep the money!”. A hacker could be easily discovered if he sends the money directly to his account, but if he uses this method and shares with the merchant he appears “clean”.

I think these robberies shouldn’t happen on SL, because make people afraid to buy lindens, and I really think Linden Lab should create a system to rescind purchases that haven’t been made by the legal owner of the account. A honest seller would have recognized the strangeness of that hasty purchase, but it’s evident that not every merchant is honest, and residents are subject to merchant’s loyalty. If this merchant is not a confederate with the hacker, anyway she has decided to take an advantage from my bad story keeping all my stolen money, and I can’t do anything to retrieve it.

If every hacker who steal an account goes and spent all the money in that shop, they will both obtain easy and illegal gain. When a crime is done, the first question to answer is “who gains?”. The paradox is that, perfectly conscious of the truth, and with my money in her hands, this seller has accused me to be a liar, to bother her, to have tried to “extort” her MY money. It would be funny, if it was not illegal!

I am not sure if i can put the name of the shop here, but if anyone wants to know, I will tell him in world.

Be careful, because we are not protected at all from these accidents.

[Irene Muni]

---

Sveva Pennell wrote:

(in my country keeping money coming from stealing is a crime… what about SL?),

---

??

I don't understand.

If you steal money from your mother and with that money you buy me a piece of gum, your mother can not claim me the money.

[Phil Deakins]

It does sound like the thief and the merchant are either the same person or they are in it together. After all, why would the thief spend the money on things that only you can use? The only benifciary in the theft is the merchant. If the merchant isn't the thief, then setting up such a phishing scam to gain nothing is highly unlikely.

But suppose the merchant isn't involved in the scam. Since you have the skins, and they are not transferable, you can't return them to the merchant for a refund and, if the merchant refunds your money, you have a set of free skins. If the merchant isn't involved in the scam, it's unlikely that s/he would refund the money. Without confirmation from LL that the theft actually occured, s/he only has the word of a stranger (you) to go on, and people do try to cheat merchants by lying.. As a merchant, I would not be inclined to return the money in those circumstances. For instance, a person could buy something and then see something somewhere else that s/he likes better. So the person invents a story to tell the merchant, hoping that s/he can get the money back. It does happen. With no-copy, transferable items it's not a problem, but with no-transfer items it is definitely a problem, and I wouldn't refund the money. In your case, you need LL to tell the merchant what happened.

ETA: I don't see the merchant as being "money-hungry" at all. If the merchant in not involved in the theft, then I see the merchant as not wanting to be cheated, which is very understandable and wholly acceptable. If s/he is involved in the scam, then s/he is the original thief, or one of them.

[Eileen Fellstein]

Hmm. 6 skins and a shape that total 8450 -ish?

That's 1200 L$ skins likely.

I don't know how many upstart skinners are selling for that price but I would think not many. Established places get enough business as almost every person who plans to hang around more than a few days buys a decent skin at some point. There's no motivation for a reputable merchant making good profit to risk their account by stealing an avatar to launder a few dollars worth of linden.

Whoever did it though knew exactly where and how to waste your money in a very short amount of time. And they knew SL well enough to know how no transfer stuff works and that a refund would be unlikely. They also know how to hack.

My 1st thought is who do you know that don't like you? My 2nd is who is disgruntled enough with that merchant to try to pin something like this on them?

I'd still be inclined to believe you might wish to check your own back yard for possible offenders before asserting that it was this merchant. Moreover it sounds like greif aimed at you specifically more than any ongoing phishing like described in OP's post, though they may have used similar methods to do the hacking.

As far as your money goes, this skin designer has the opportunity to do what I consider to be 'the right thing' if they can verify you were indeed hacked somehow, and could possibly win a loyal customer in so doing. I can understand their skepticism hower.

[Sveva Pennell]

Phil, Eileen, I understand your point of view, about merchant's scepticism. That's why I complain that on SL we are not protected at all, and are left to merchant's willing.

Off course I would never claim or even hope that a rule obliges merchant to give your money back just because you tell him they have stolen your avatar, but if you can prove what you are saying, if you have reported it immediately to Linden Lab, if they have verified they have really changed your password and connected with another IP from another part of the planet, I think we should be more tutelate, and have the possibility to ask to rescind the contract.

I dont know USA rules: in Italy if you prove that there has been a substituion in your person, or that your agreement has been extorted with violence, and so on, you can rescind the contract and have back what you have paid. Obviously if is it possible you have to give back what you have bought, if not you should simply compensate the real loss of the adverse party. On SL everything is more complicated, because you don't buy real goods. In fact, when you buy a dress, or a skin, the merchant give you simply a copy of it, and he doesn't lose it, so he has no real economical loss at all. Moreover, if he decides to sell no-transfer items, he knows he will never have his copy back. In a case as mine, I will be obviously happy to give those skins back, but it is impossible. Maybe LL can definitively delete them from my inventory, I don't know, and I will be disposed to that.

Honestly I don't feel enough protected, if anyone can force my password, use my avatar and spend all my money and I can't even try to demonstrate it was a fraud.

About merchants, I can easily imagine how many people try to cheat. However, if I were a seller, and if I see that somone who had never been in my shop or bought my products, come in the shop and, without even trying a demo, in 3 minutes spend 8450 linden to buy 6 identical skins, from pale to dark tan, I would find it quite strange...

The fact that commerce in SL is made without any rules, is potentially dangerous: knowing that, a sharp hacker could open a shop just to recycle dirty money, selling no transfer items to stolen avatars,and keeping their money. That's why I think Linden Lab should deal with this problem, and offer some chaches to retrieve the booty, to put this insidious method off.

To reply to the one who asked me about crime, yes, receiving money coming from a theft (even if you have not concurred in it) is a crime (I can translate it as money-laundery) if you know the money has been stolen. If the merchant is in good faith, and someone goes in a shop pretending to be me, and buys something, I have a civil action to rescind the contract.

Anyway after this experience I feel really unsafe. Apart from money, if it is so easy to steal a password inside SL maybe they could steal other important data, and use them improperly. :matte-motes-frown:

[Eileen Fellstein]

SveVa, actually even with a no trans item, the merchant still retains a full mod copy (for them only). The no trans part applies to 'next owner' (you in this case). You can't give it back but they still have it too and could pass out as many as they wanted if they chose. That's why I said they have the opportunity to do the right thing if they find your position believable. Their side is why should they have to hand back money from sales every time someone yells 'hacker' or woops I bought the wrong thing' or 'my dog ate it'?

Problem is they, and not even you are privy to what the Linden's found out on an IP check. They customarily never give a report on their findings to the complainer. Probably if they can link it to some pattern involving that IP, they could arrive at a conclusion as to who it most likely is. It would still actually prove zero because nothing short of a RL eye witness puts that person at the keyboard. There could be several people at that location with SL accounts and/or internet access. So ultimately it would be up to LL to make the judgement call on it.

[UncommonTruth]

---

Knowl Paine wrote:

In every scam, the criminals need to Cash out.

At some point, the money is sent from Pay Pal to a Bank. Delaying that process would be a good start. 

Prosecute the people LL has caught.

Educate Residents.

When LL finds a scammer, confiscate any L$ in the Account, and place the L$ in a Victims Fund. Eligible Residents would receive a weekly stipend until a time when all of the L$ has been recovered. A shared recovery system could help the greatest number of Residents who have suffered a loss.

Create an SLDIC. Second Life Depositors Insurance Corp.

Create an additional button on the Viewer that will allow Residents to confirm if a LL web link is an authentic LL Link. The "safe-link" inquiry would route through LL and would only approve when the internal server confirms that the link does direct back to the internal server. It calls itself through the Viewer. I hope that makes sense. Not sure if it would work. Just an idea.

 

Fun d raiser?

 

---

 

Brilliant.

[Phil Deakins]

I agree with what you wrote, including the part "if you can prove it [to the merchant]".and that's the problem. Unfortunately, you are unable to prove your story to the merchant, so the merchant has no way of knowing whether or not you are trying to cheat him/her. In fact, from a merchant's point of view, your story seems implausible. A merchant would wonder why someone would hack an account and spend all the money on things that s/he won't be able to use, because you would obviously get your account back and you, not the thief, would have the goods.

From the information in this thread, the most plausible scenarios are (1) the merchant is involved in the theft, and (2) the hacker is someone you know, who did it as an action against you personally (somebody mentioned that posiibility earlier).

[Eileen Fellstein]

I had an interesting thought. Sveva wrote this...

 

" I logged with an alt, and I saw my avatar going around.."

 

Going around to where? walking around your parcel or you could see them on the map w/ permissions? If the later, could teleport history be checked?

 

Perhaps they were after some things Sveva owned. I mean they could have gone to their own parcel and placed any number of things.

[Dilbert Dilweg]

By the . people can also hack your PC and control SL from your PC. Dont save passwords for login

[Sveva Pennell]

I could follow Sveva in two lands, because my alt had the possibility to see her on map. She went first in a land with nothing, and then directly to the shop where she spent all the money. As I called her, the hacker discovered I was following her, and deleted the possibility for me to follow her on map.

About the prove of the theft, Linden Lab can't discover it?? I had opened immediately a ticket, and I thought they knew exactly what happened to my avatar, or not? And another question: can't Linden Lab delete items from our inventory? In that case they could delete no transfer items, not to leave goods to whom who hasn't really bought them.

Anyway, your comments have made me think about all the story. I have been on SL since 2007, and I really have not many enemies, but surely I have met some strange guys... maybe they were hackers? The other possibility is that the hacker simply wanted to waste my money for a silly game. O_o

After this experience I think both merchants and customers should be more protected in their affairs, it would be important for both, because if people know they can easily lose all the money without any hope to retieve it, they would buy less linden, and less goods, and so on.