
Anyone else get an email like this?

AWM Mars
Scarey Dude :¬)
Join date: 10 Apr 2004
Posts: 3,398
06-28-2007 05:20
I got the same email... it looked quite good, until I read this line
'After 30 days your account will go defunct and you will lose any inventory, land and L$ associated with the account.'

'DEFUNCT'???? not a word I have seen used in any information supplied by LL and is potentially a 'regional' word not associated with their neck of the woods lol...

Screwed.. Borked... f**ked and more yes.. but not Defunct lol.. gimme a break.
_____________________
*** Politeness is priceless when received, cost nothing to own or give, yet many cannot afford -

Why do you only see typos AFTER you have clicked submit? **
http://www.wba-advertising.com
http://www.nex-core-mm.com
http://www.eml-entertainments.com
http://www.v-innovate.com
Zaphod Kotobide
zOMGWTFPME!
Join date: 19 Oct 2006
Posts: 2,087
06-28-2007 05:24
They probably don't have the in-house capacity to handle the possibly hundreds of thousands of emails that might some day need to be sent out. It isn't uncommon at all to use 3rd party services for mass emails. If you notice, the only "3rd Party" URL in the email was simply a link to the support page at secondlife.com. It hits the email provider first, so that clicks can be tracked, which is essential if the client happens to be in the business of email marketing, then it redirects to secondlife.com. There are no other 3rd Party URLs in that email. It instructs you to go to secondlife dot com and log in manually to your account details.

I just don't see anything unusual or inappropriate about this.

From: Matthew Dowd
This has been raised on Jira -
see https://jira.secondlife.com/browse/MISC-347

Please vote on this issue. No internet service provider should be sending e-mails relating to accounts, passwords and/or billing from third party e-mail addresses, nor be using third party URLs in such e-mails. We need to make sure that LL heeds this and changes their policy accordingly.

Matthew
_____________________
From: Albert Einstein
Problems cannot be solved at the same level of awareness that created them.
Anya Ristow
Vengeance Studio
Join date: 21 Sep 2006
Posts: 1,243
06-28-2007 05:26
From: Markubis Brentano
[some unhelpful inflammatory stuff]


Markubis,

Recently LL started de-activating alt accounts based on criteria they did not publish. So, when one receives an email stating there is a problem, but not stating what the problem is or even specifying which account has the problem, that is cause for concern. Particularly for those who have hundreds or thousands of dollars invested in their accounts.

Prior to this thread I did not have confidence that re-entering the same billing info I already provided would actually solve the problem. So, you see, this thread has been valuable. I learned what the real issue likely was (the security code), and now have some confidence that I'm not still in danger of losing an expensive account.

Understand now?
Anya Ristow
Vengeance Studio
Join date: 21 Sep 2006
Posts: 1,243
06-28-2007 05:41
From: Zaphod Kotobide
the only "3rd Party" URL in the email was simply a link to the support page at secondlife.com.


No, it was a link to a third-party website, which gets auto-forwarded to the SL site. The problem with this is that there have been ways to spoof the URL box in browsers (particularly IE), so you can not have confidence that a site that says it's SL actually is SL unless you got there by your own typing or bookmark, and not via a link in an email.

To compound the problem, when you follow the instructions you are led to a page that tells you that by clicking the button to update your billing info, the old info will be deleted without you being able to view it. That is, you get no confirmation that this site already has your info, so you might suspect it's a spoof.

That is, "go here and enter financial information" is a red flag for fraud. People are just exercising due diligence by questioning it.

I was convinced it wasn't a spoof because the non-billing information they displayed seemed legit, but in retrospect, how many people know their billing date and linden dollar balance? That info could just be a fraudster's guess.
Anya Ristow
Vengeance Studio
Join date: 21 Sep 2006
Posts: 1,243
06-28-2007 05:46
From: Zaphod Kotobide
They probably don't have the in-house capacity to handle the possibly hundreds of thousands of emails that might some day need to be sent out.


Text email is not high-bandwidth by LL standards. Fly-by-night spamming operations have had this capability for a decade, so I'd expect LL to have this capability.
Sioban McMahon
Registered User
Join date: 1 Mar 2007
Posts: 203
06-28-2007 06:02
From: Don Mill
if it looks like phish, smells like phish, and swims like phish... is a.....

Seriously, that email looks too phishy to me (pun intended).

Never, ever, follow any email guidelines, when in doubt contact the company directly thru their own website... never click the email link :-)


What differentiates this from a phishing expedition is that they didn't give you link to click to enter your new payment information. They asked you to go to the webpage yourself.
Zaphod Kotobide
zOMGWTFPME!
Join date: 19 Oct 2006
Posts: 2,087
06-28-2007 06:28
The rest of my post explained how that 3rd party link worked, and what its purpose was. You took this just a wee bit out of full context.

And by following the instructions, you are directly pointing your browser to the secondlife.com website, and logging in. I fail to understand how this could possibly be construed as a spoof. It would be akin to being instructed in an email from my bank to drive to my nearest branch and fill out a form to update my account info. Am I not to trust this process, being that I'm instructed to go directly to an official branch, and provide information to them?

There is more than enough transparency in that email to have a reasonable expectation that it's legitimate. The last time one of these emails went out, we had the same "ohmygod scam" threads, and LL assured us in the blog that they were legitimate. Now we're going to do this all over again?

From: Anya Ristow
No, it was a link to a third-party website, which gets auto-forwarded to the SL site. The problem with this is that there have been ways to spoof the URL box in browsers (particularly IE), so you can not have confidence that a site that says it's SL actually is SL unless you got there by your own typing or bookmark, and not via a link in an email.

To compound the problem, when you follow the instructions you are led to a page that tells you that by clicking the button to update your billing info, the old info will be deleted without you being able to view it. That is, you get no confirmation that this site already has your info, so you might suspect it's a spoof.

That is, "go here and enter financial information" is a red flag for fraud. People are just exercising due diligence by questioning it.

I was convinced it wasn't a spoof because the non-billing information they displayed seemed legit, but in retrospect, how many people know their billing date and linden dollar balance? That info could just be a fraudster's guess.
_____________________
From: Albert Einstein
Problems cannot be solved at the same level of awareness that created them.
Malachi Petunia
Gentle Miscreant
Join date: 21 Sep 2003
Posts: 3,414
06-28-2007 06:38
From: Zaphod Kotobide
The last time one of these emails went out, we had the same "ohmygod scam" threads, and LL assured us in the blog that they were legitimate. Now we're going to do this all over again?
Probably. Unless they do something technologically advanced like running a limited SMTP server at LL.com so that mail generated by vresp appears to actually come from LL.
_____________________
Zaphod Kotobide
zOMGWTFPME!
Join date: 19 Oct 2006
Posts: 2,087
06-28-2007 06:47
I suppose LL could lease an IP address from vresp and point their own DNS name at it. So they could continue to use vresp for the mass mailing, and avoid the name confusion.

From: Malachi Petunia
Probably. Unless they do something technologically advanced like running a limited SMTP server at LL.com so that mail generated by vresp appears to actually come from LL.
_____________________
From: Albert Einstein
Problems cannot be solved at the same level of awareness that created them.
Anya Ristow
Vengeance Studio
Join date: 21 Sep 2006
Posts: 1,243
06-28-2007 07:11
From: Zaphod Kotobide
And by following the instructions, you are directly pointing your browser to the secondlife.com website, and logging in.


There was also a link in the email. You should never follow links in an email in order to enter financial info, but people will do it, anyway.

How to scam SLers...

Send an email asking for financial info. Make it look transparent by not offering a link for account info, but instead offer one for support. Don't disguise the link address.

Once on the "SL" site, the user will click the "My Account" link to log in and enter financial info.

Allow the user to "log in". Use the name they enter on all subsequent pages. Ignore the password they use, or better yet, log it for future use.

On the account summary page, provide the following information.

1. Account name. The user gave you this when she "logged in".

2. Your current plan: Premium Annual
3. Your billing rate: US$72.00 Annual

This is a guess. It will be correct for thousands of people, and many thousands more won't notice.

4. Your current status: Active

This will be true for everyone who matters.

5. Next Bill Date: Thursday, February 21, 2008

Most won't know their bill date precisely, and many who know it approximately won't notice it's wrong.

6. Credit card type: MasterCard

The most common, and therefore the best guess.

7. Linden Dollar balance: L$4,442

Most don't know this number. A four-digit number will look legit to a great many.

8. US Dollar balance: US$0.00

This will be true for most.

9. Allowed holdings: 1,536 square meters

Linden gets this wrong, so anything you put here will look okay.

10. Current holdings: 512 square meters

This will be true for many, and others won't notice. You don't want to guess more than this because then you have to make up tier billing numbers, too.

11. Available for purchase: 1,024 square meters

Again, LL gets this wrong, so anything goes.

12. Peak square meter usage: 512 square meters

Duplicate from above.

13. Total monthly cost: US$0.00

Consistent with above

14. Next bill date: Friday, July 15, 2007

Some time in the next thirty days. Most don't know their tier billing date.

There. You have an account summary that will look legit to perhaps five percent of premium account holders, and another twenty percent won't even be suspicious. Get twenty five percent to give you their financial information and it's been a good day.

Next, the customer hits the "update payment method" link, as your email instructed. Here's the clincher: Conveniently, you don't have to do any more guessing, because LL won't show customers their own billing info, so you don't have to, either.
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
06-28-2007 07:17
From: Zaphod Kotobide
I suppose LL could lease an IP address from vresp and point their own DNS name at it. So they could continue to use vresp for the mass mailing, and avoid the name confusion.

Probably would be a good idea, considering how many new people show up each day, and many aren't as knowledgeable about the intricacies of email routing. Although the announcement at logon helps those that go inworld before doing anything else, I guess.
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.

http://brenda-connolly.blogspot.com
Zaphod Kotobide
zOMGWTFPME!
Join date: 19 Oct 2006
Posts: 2,087
06-28-2007 07:20
And once again, may I please point out that the email DID NOT contain a hyperlink of any sort to any place asking for sensitive information. The ONLY link on that email points you to the support portal for information should you have difficulty. For the actual payment details update, you are instructed to manually point your browser to secondlife.com, log in, and submit your updated payment information. This is really fun doing this on two concurrent threads.


From: Anya Ristow
There was also a link in the email. You should never follow links in an email in order to enter financial info, but people will do it, anyway.

_____________________
From: Albert Einstein
Problems cannot be solved at the same level of awareness that created them.
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
06-28-2007 07:24
From: Zaphod Kotobide
And once again, may I please point out that the email DID NOT contain a hyperlink of any sort to any place asking for sensitive information. The ONLY link on that email points you to the support portal for information should you have difficulty. For the actual payment details update, you are instructed to manually point your browser to secondlife.com, log in, and submit your updated payment information. This is really fun doing this on two concurrent threads.



Zaphod: Doing this is really annoying me.
Brenda: Then stop doing it.
:D
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.

http://brenda-connolly.blogspot.com
Zaphod Kotobide
zOMGWTFPME!
Join date: 19 Oct 2006
Posts: 2,087
06-28-2007 07:26
You're absolutely right. I think I need to seek professional help. Are you by chance a licensed therapist?

From: Brenda Connolly
Zaphod: Doing this is really annoying me.
Brenda: Then stop doing it.
:D
_____________________
From: Albert Einstein
Problems cannot be solved at the same level of awareness that created them.
Anya Ristow
Vengeance Studio
Join date: 21 Sep 2006
Posts: 1,243
06-28-2007 07:30
From: Zaphod Kotobide
And once again, may I please point out that the email DID NOT contain a hyperlink of any sort to any place asking for sensitive information. The ONLY link on that email points you to the support portal for information should you have difficulty.


But you said the email contained enough transparency that you could trust it. So, you click on the link they provide, and conveniently it takes you to the SL site.

Or

You know that the support portal will give you access to your account, so you click on that link.
Zaphod Kotobide
zOMGWTFPME!
Join date: 19 Oct 2006
Posts: 2,087
06-28-2007 07:35
So? If it ends up on secondlife.com, what does it matter?

If the link took you to, say:

http://www.secondlife.com.joes.basement.hax0r.org then I'd be a little curious about it :)

From: Anya Ristow
But you said the email contained enough transparency that you could trust it. So, you click on the link they provide, and conveniently it takes you to the SL site.

Or

You know that the support portal will give you access to your account, so you click on that link.
_____________________
From: Albert Einstein
Problems cannot be solved at the same level of awareness that created them.
Anya Ristow
Vengeance Studio
Join date: 21 Sep 2006
Posts: 1,243
06-28-2007 07:55
From: Zaphod Kotobide
If the link took you to, say:

http://www.secondlife.com.joes.basement.hax0r.org then I'd be a little curious about it :)


If you're on a Mac and using Opera you can probably trust the URL box on your browser. Not many phishers will spoof Opera on a Mac. Too small a target audience.

If you're on a PC running Internet Explorer, though, you should never trust the URL box unless you typed what's there.

And if the URL is

http://secure-web0.secondllfe.com/community/support.php

how many will notice they've been spoofed? Heck, if it's

http://www.secondlife.com.joes.basement.hax0r.org

how many will notice?

[checks secondllfe.com, finds it available]

LL should probably grab that :)
Zaphod Kotobide
zOMGWTFPME!
Join date: 19 Oct 2006
Posts: 2,087
06-28-2007 08:08
Good points. I'd think at some point though, people should take responsibility to know exactly what website they're punching in financial details to. To my knowledge, and someone correct me if I'm wrong, the address bar itself can't be scripted or spoofed. What's there is where you're at. If you land at a site ending in secondlife.com, and in fact it isn't a valid secondlife.com server, better call your ISP, because their name servers have been hacked.

Yes, the email side links CAN be spoofed to appear to be valid secondlife.com links, but once that address is loaded into the browser, the true and correct address will show in the address bar.

But generally, as for "how many will notice", well, it is, after all, *our responsibility* to notice these things.

From: Anya Ristow
If you're on a Mac and using Opera you can probably trust the URL box on your browser. Not many phishers will spoof Opera on a Mac. Too small a target audience.

If you're on a PC running Internet Explorer, though, you should never trust the URL box unless you typed what's there.

And if the URL is

http://secure-web0.secondllfe.com/community/support.php

how many will notice they've been spoofed? Heck, if it's

http://www.secondlife.com.joes.basement.hax0r.org

how many will notice?

[checks secondllfe.com, finds it available]

LL should probably grab that :)
_____________________
From: Albert Einstein
Problems cannot be solved at the same level of awareness that created them.
Anya Ristow
Vengeance Studio
Join date: 21 Sep 2006
Posts: 1,243
06-28-2007 08:12
From: Zaphod Kotobide
To my knowledge, and someone correct me if I'm wrong, the address bar itself can't be scripted or spoofed.


http://www.darknet.org.uk/2006/04/ie-address-bar-spoofing/
Matthew Dowd
Registered User
Join date: 30 Jan 2007
Posts: 1,046
06-28-2007 08:17
From: Zaphod Kotobide
The last time one of these emails went out, we had the same "ohmygod scam" threads, and LL assured us in the blog that they were legitimate. Now we're going to do this all over again?


Yes - and we will continue to have them until LL changes its policy.

An e-mail purported to come from a company about accounts/billing but which comes from a different domain in the e-mail address than the company it is purported to come from, and which includes a URL with a different domain, shows the classic signs of a phishing scam, and these are exactly the signs that people are warned to look out for, and question.

So every time an account/billing e-mail goes out which isn't directly from LL, people will seek confirmation that it is legitimate via the forums or via support, which wastes everyone's time.

As regards your points that the e-mail contains instructions to access the billing pages which do not include a URL, and the URL actually goes to the support site - these are precisely the lengths that recent phishing attempts go to in order to look convincing (hoping that you will click on the link anyway, where they have mocked up enough of the support pages that you follow the links to the account pages from there and end up on a fake account page).

As regards that the URL redirects you so that you can see which site you are on from the URL box in the browser, there has been at least one exploit whereby IE could be fooled into displaying a different address there than the one the page had actually come from.

Matthew
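The two indicators the thread keeps returning to are a From: address whose domain is not the company's own, and links whose host is not really under the company's domain, including the look-alike host secure-web0.secondllfe.com and the suffix trick www.secondlife.com.joes.basement.hax0r.org from the earlier exchange. The checker below is an added example written for this page; it is not code from the forum, from Linden Lab or from any mail vendor. The trusted-domain set, the sample message and the sender address mailer.example.net are constructed for the example, and the two-label "registrable domain" rule is a simplification (a production checker would consult the Public Suffix List).

```python
"""Flag account/billing mail whose sender domain or link hosts fall outside
the domains the organisation actually owns.  Added example, not the forum's
or Linden Lab's code; all names and the sample message are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Domains the organisation really sends from and links to (assumed for this example).
TRUSTED_DOMAINS = {"secondlife.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample: a third-party mailer sends on the company's behalf and the
# body carries one typosquat link, one suffix-trick link and one genuine link.
SAMPLE_EMAIL = """From: Second Life Billing <billing@mailer.example.net>
Subject: Please update your payment method

We could not verify your payment information.
Support: http://secure-web0.secondllfe.com/community/support.php
Account: http://www.secondlife.com.joes.basement.hax0r.org/account
Official: https://secondlife.com/account
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'a.b.example.com' -> 'example.com'.
    Two labels suffice for the .com/.org hosts in this thread; real code
    should use the Public Suffix List so that e.g. .co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_is_trusted(host: str) -> bool:
    """True only when the registrable domain itself is trusted.  Deliberately
    not 'endswith' / 'in', so www.secondlife.com.joes.basement.hax0r.org fails."""
    return registrable_domain(host) in TRUSTED_DOMAINS


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_typosquat(host: str, max_edits: int = 1) -> Optional[str]:
    """Return the trusted domain that host's registrable domain is within
    max_edits single-character edits of (secondllfe.com vs secondlife.com),
    or None when no trusted domain is that close."""
    cand = registrable_domain(host)
    for trusted in TRUSTED_DOMAINS:
        if cand != trusted and edit_distance(cand, trusted) <= max_edits:
            return trusted
    return None


def check_message(raw: str) -> List[str]:
    """Return human-readable findings for one RFC 822 message (plain-text body)."""
    msg = message_from_string(raw)
    findings: List[str] = []
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    if not host_is_trusted(from_domain):
        findings.append(f"From: domain {from_domain!r} is not a trusted sender domain")
    for url in URL_RE.findall(msg.get_payload()):
        host = urlparse(url).hostname or ""
        if host_is_trusted(host):
            continue
        near = looks_like_typosquat(host)
        if near:
            findings.append(f"link host {host!r} is one edit away from {near!r} (possible typosquat)")
        else:
            findings.append(f"link host {host!r} is outside trusted domains")
    return findings


if __name__ == "__main__":
    for line in check_message(SAMPLE_EMAIL):
        print(line)
```

Run against the constructed message, the checker reports the third-party sender domain, the secondllfe.com host as one edit away from secondlife.com, and the hax0r.org host as outside the trusted set, while the genuine secondlife.com link passes. The point of `host_is_trusted` comparing registrable domains rather than testing whether the host ends with or contains the company name is exactly the suffix case raised above: the trusted name appears inside the hostname, but the owner of the link is whoever controls hax0r.org.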
Zaphod Kotobide
zOMGWTFPME!
Join date: 19 Oct 2006
Posts: 2,087
06-28-2007 08:23
Thanks. Yet another reason to use Firefox I guess.

Edit: This was patched a year ago.

_____________________
From: Albert Einstein
Problems cannot be solved at the same level of awareness that created them.
Anya Ristow
Vengeance Studio
Join date: 21 Sep 2006
Posts: 1,243
06-28-2007 08:34
From: Zaphod Kotobide
This was patched a year ago.


Don't count on it not happening again.
Anya Ristow
Vengeance Studio
Join date: 21 Sep 2006
Posts: 1,243
06-28-2007 08:38
From: Zaphod Kotobide
Yet another reason to use Firefox I guess.


http://secunia.com/advisories/11856/
Zaphod Kotobide
zOMGWTFPME!
Join date: 19 Oct 2006
Posts: 2,087
06-28-2007 08:42
Again, patched as of 1.7.2.


_____________________
From: Albert Einstein
Problems cannot be solved at the same level of awareness that created them.
Anya Ristow
Vengeance Studio
Join date: 21 Sep 2006
Posts: 1,243
06-28-2007 09:10
From: Zaphod Kotobide
Again, patched as of 1.7.2.


Again, don't count on it not happening again. There may be an unpatched exploit right now.