Thursday, April 6, 2023

New Phishing Scheme on The Firestorm Viewer

 
There is a new phishing attempt that surfaced today. A dialog box will say you are about to be logged off, and that you should enter your password. Obviously you should not enter your password, but instead file an abuse report against the sender.
 
From Team Firestorm 

Image credit: Duchess of Trikassi

Correction: The scam does not appear to be limited to Firestorm, but may appear on any viewer.

4 comments:

  1. I think, it's not really "Firestorm"-specific.
    As the Firestorm-Viewer is the most preferred 3rd-Party-Viewer ... it is just "named" or from the text in the script written that way and a "blind guess" the most will use viewer.
    But I think, some people even will just read "Uhhh ... logged out? MUST ... ENTER ... SOMETHING."

    Mainly it's just a simple Textbox-input.
    In the shown example, the owner of the object with the script is "FirestormViewing" ... and the Object is name "Firestorm login".

    ReplyDelete
  2. On Firestorm? More so targeting Firestorm calling it a Firestorm login and what the user called themself in the picture, beyond this really nothing to do with firestorm beyond assuming the targeted user is using Firestorm, and that someone on the Firestorm team pointed it out to you.

    This is the function:
    (Its completely built into LSL and can happen regardless of using firestorm or not.)
    llTextBox( key avatar, string message, integer channel );

    key avatar - UUID of avatar you want to pop up the box for.
    string message - the message you want displayed on the top of the dialog box.
    integer channel - the channel you want the message on when the user hits submit, if this isn't 0 its the equivalent of a command that starts with slash and a number.

    here is an example:

    default{state_entry()
    {llTextBox(llGetOwner( ),"Sup Man, this isn't a firestorm thing!",0);}}
    //I'll leave out the other part that makes this dangerous.

    Its just really basic script kiddy stuff and effects all up to date modern viewers, and I want to clarify that this doesn't exclusively happen on firestorm. Furthermore you will never be asked for your password in the viewer session after login. So always remember at all times the Password to these is SodOffTossPot42.

    https://wiki.secondlife.com/wiki/LlTextBox

    ReplyDelete
    Replies
    1. Well described.

      I think, the use of "Firestorm" is just because of the thought like:
      "The most users will use that Viewer, so we put that name in and match the most."

      Maybe the viewer can be detected trough the "Bridge", but I think, that smart them aren't ... or not put any work in that situaion.
      Also you can't change the User/Owner name ...
      ... so more "fast spam all and see what you get".
      I think also, LL will monitor new accounts for Something like "Viewer" and other "suspicious" words.

      Delete
  3. The problem with any form of 'spam' is that it is incredibly cheap to send out reams of this stuff, just like junk mail in your mailbox or spam mail in your email (those of us who remember fax machines had to deal with 'junk faxes' too).

    One person replying is enough to justify the whole scam... and then that's another compromised account that can be used.

    If memory serves, all viewers go to "grey screen" when connection is lost or logout has occurred, and have a "View Chat" and "Exit" dialog choice. In addition, if you're being prompted to leave a region that's about to restart, you get the gong and the screen shake. Objects can't be paid unless you grant them permission, and that dialog box is a different color than what most scripts can produce.

    All of these are safety features that delineate real actionable events from fakes.

    ReplyDelete