Scam to get username/password

Yes, I know, this is for resident answers, but this is indeed dangerous so I'm hoping it'll pass through.

An hour ago this was posted on a group I'm in:

[2:19] N* S*: http://criptonsit.altervista.org/SecondLife/FreeLinden/Login=username&password/ Free Lindens for only 10 min there

(name obscured to comply with forum rules even though this scammer's name should be known as a warning, sigh...)

The dangerous thing about this is it leads you to a site that looks EXACTLY like the official site and suggests you can just log in the usual way. Only if you pay close attention to the url, you see that it can never be LL's site. So, yes, there probably are free lindens involved - for the one who clears out our accounts...

One real question to add might be - yes, the guy has been subjected to multiple ARs. Anything else we can do?

Strife, any way we can make an exception to the usual rules for this problem ?

Wow, why isn't this guy banned yet?

1) File an Abuse Report IMMEADIATELY, if not sooner. That is a obvious phishing scheme (ro whatever they want to call it these days) with the sole purpose of violating LL's ToS on compliance with Privacy and Password Security.

2) The name of the person/group realy isn't needed. NEVER NEVER NEVER NEVER NEVER NEVER give anyone your password in-world, or by any in-world notice/IM. Period. Any e-mail from LL asking for your password should be confirmed by other sources BEFORE giving LL such information. When LL does this, they usually post in the Blog that they are sending out such e-mails and why. If it is account specific, file a Support Ticket to ask if the e-mail is valid BEFORE sending it out.

3) NEVER give anyone your password.

4) Never give anyone your password.

And finally,

5) NEVER give anyone your password.

~Jessy

Strife isn't empowered to make decisions and gets cranky when you ask him to.

Here's how I'd approach it (in no particular order):

- Send mail to [email]security@secondlife.com[/email] on the off chance that they are more responsive there than on the abuse team.

- Get someone with announce privilieges to post a group announcement saying that Full Name is posting scam messages. Respond to every phishing post with "Watch out Full Name is going to steal your account information and eat your puppies". Entreat your fellow group members to do the same.

- Post Full Name's name here. Remember, Robin Linden said that we need to "keep second life safe, together". If they won't do their part you have to help them out because it's like a "together thing", you know?

In this case...

The guy's name was Nike Sosa, but the team seems to have responded pretty quickly for once - no longer listed in search.

Weird thing was, yes, it was a new account (10/10) but payment info used so supposedly a premium member.

Guess they got ARs raining all over the place.

In case you don't know, suspended avatars disappear from the search listings just as banned avatars do. Nike Sosa might be back in 3 or 7 days. Worse, if he was able to trick a couple of people out of their passwords, he may be on as them regardless of his suspended / banned status.

Payment info used only indicates that someone has payment info on ifile and used it at one point or another.

As an aside, I doubt scammers of that sort are scamming under their own account. It could be that the person you saw was someone who already fell for the scheme and got their account stolen from under them.

In which case you would have just ruined an innocent person's reputation if they manage to sort things out and return.

FTR, "Payment info used" doesn't mean premium member. It just means that they have given payment info to LL and have bought at least a few Lindens.

The good thing about that is that LL will have either a PayPal or CC with which to track this scamming idiot.

The more awareness we can get that we shouldn't be giving our SL passwords to anyone that isn't 100% Linden Lab, the better. That's one of the reasons I won't use third party clients and chat tools.

In which case I would apologize openly and with all my heart. Until then, I think it is important to let people know about this because the mentioneed website looks so very much like the original it's scary.

I wasn't questioning your general warning .

But the name is fairly irrelevant, it doesn't matter if you get an IM from Philip Linden asking you to go to www.xyz.com to sign up to a preview of SL v2 (and it asks for your password), you just don't ever do it.

And if everybody already was familiar with that principle, we'd not see warnings about phishing, but we do, therefore not everybody is as wary as one might like them to be. In fact, people are generally more trusting in all realms than perfect reason suggests they should be; thus our language contains "scam" and "con" and "liar".

The name is partly irrelevant, but our parcelling of the world does far better with "watch out for Malachi, he's a cheat" than with "someone might cheat you". Because of how we are constructed, the former is much more resonant than the latter.

Unfortunate, but true. There is a balance to be had between being overly trusting, and overly paranoid. Once a person gets too comfortable with the feeling that they've struck that balance, and forgets vigilance, they're going to have trouble.

And yes.. watch out for Malachi. There is no more dangerous miscreant than a gentle one.

I've sent an email to the abuse email address for altervista.org explaining that this website is a password phishing scam and asking that the webpage be shutdown.

May not help but it can't hurt to try.

Now, maybe if we all went to that site and entered 10 fake names and passwords we could at least cause a little grief for this lowlife.

no no no,

let me deal with it...

can i have everyones usernames and passwords please , and i'll start investigating immediately

The links even send you back to the real site. O.o

Yeah right, SL v2 during our lifetime, like anyone's going to believe that!

I've often felt it was dangerous that the SL web site requires the same password as SL itself. That's really against the rules of safe computing.

Not to mention that your login name is public knowledge unlike many commercial online services. Since your credentials - login name and password - are your "secret" access to your account, SL has already given half of that away. There's a reason that the fingerd protocol isn't used any more: because getting a user name from random hosts is the first step of a security attack

Even better is that the forum password page is a non-encrypted (non SSL) regular HTML form that sends your password in cleartext to LL.

Edit: the forum password page sends passwords in weakly encrypted form, not totally unencrypted. See /327/a0/217613/1.html#post1723619 for details.

Gaahhk ...

I keep trying to use this...

http://criptonsit.altervista.org/SecondLife/FreeLinden/Login=Philip%20Linden&password=TheGovenator/

...but just get page errors.

Is the site down already?

It's still there sadly.

I looked at the HTML and found "Bub Linden can has cheezburger?" ... whether that's in the original page or not I don't know.

Broccoli

Whois info on the altervista.org site:

It appears to be an Italian web hosting company. There is an email address that can be used to complain about this. [email]info@altervista.it[/email]

Domain ID49746541-LROR
Domain Name:ALTERVISTA.ORG
Created On:22-Dec-2000 18:05:39 UTC
Last Updated On:28-Sep-2007 10:02:10 UTC
Expiration Date:22-Dec-2010 18:05:39 UTC
Sponsoring Registrar:Tucows Inc. (R11-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:tubqZlQoVJWpxHQl
Registrant Name:Gianluca Danesin
Registrant Organization:AlterVista s.r.l.
Registrant Street1:Via Fleming 15
Registrant Street2:
Registrant Street3:
Registrant City:Torino
Registrant State/Province:TO
Registrant Postal Code:10135
Registrant Country:IT
Registrant Phone:+39.0113486461
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:info@altervista.it

Ummm... what forum password page?

I can only get into the forums by logging on to the normal SL web site. If I'm not logged on there, I get a page saying I need to log on there, with a link to the normal SL web site logon page (which my browser says is secure). I even tried the forum "log out" button, but I still get sent back to the normal web site to log on.

Where is this unencrypted forum password page?

For me it appears at http://forums.secondlife.com/profile.php?do=editpassword
which is reached from the forum "User CP->Edit E-mail & password".

However, I just checked the page source and found that there is javascript which only sends unsalted md5 hashes of the passwords, not plaintext. Except unsalted md5 hashes are highly vulnerable to dictionary attacks. So I've upgraded my evalution from "completely unencrypted" to "almost unencrypted". I'll patch up my earlier post.