
SCAMMER WARNING: Due to a spate of recent scam attempts (some successful) recently, if you're doing a deal in the classifieds, ONLY USE PAYPAL GOODS AND SERVICES UNLESS YOU KNOW THAT INDIVIDUAL PERSONALLY. It's really not worth saving a few quid.


Comments

  • topdog91 Frets: 304
    Great suggestion. More and more people are getting used to MFA as an essential part of a modern security posture as an inevitable consequence of the eternal race between good and evil. In fact ISTR TGP implemented it after some security scare or issue a few years ago.

    It doesn't have to be mandatory, but users could be strongly encouraged to use it. It also doesn't have to be that annoying, only necessary when logging in on a new device etc.

    Shame Vanilla doesn't support it.
    Brian Moore MC1 / i9.13p, Chapman ML-2 / ML-3, Fender 1977 Strat Hardtail / Richie Kotzen Telecaster, Peavey Predator / T-60, PRS SE Akerfeldt / Akesson , Squier Classic Vibe 60s Strat, FSR Custom Tele x2, Simon & Patrick Folk Cedar
  • topdog91 said:
    Great suggestion. More and more people are getting used to MFA as an essential part of a modern security posture as an inevitable consequence of the eternal race between good and evil. In fact ISTR TGP implemented it after some security scare or issue a few years ago.

    It doesn't have to be mandatory, but users could be strongly encouraged to use it. It also doesn't have to be that annoying, only necessary when logging in on a new device etc.

    Shame Vanilla doesn't support it.
    It won't help solve this problem - this has occurred precisely because some forum members have an incredibly lax approach to their own security and they reuse passwords all over the place.

    I have the file which this particular scammer is using - of the forum members I've found in there (there's a lot to go through - roughly 230 million email addresses), all of them have single-word passwords that would take seconds with a dictionary search and a hash.

    Coincidentally, those are precisely the people who look at MFA and say "Nope, that's too much like hard work". Ergo, it has to be mandatory, or it's pointless for this purpose.
    <space for hire>
  • Is it worth an all-members emailer explaining the potential for issues and requiring a password reset? A little bit heavy handed but maybe not a bad idea? 

    Mine wasn't a single word, and was about 15 characters, but I've still changed just in case.
    The Assumptions - UAE party band for all your rock & soul desires
  • Is it worth an all-members emailer explaining the potential for issues and requiring a password reset? A little bit heavy handed but maybe not a bad idea? 

    Mine wasn't a single word, and was about 15 characters, but I've still changed just in case.
    That's the nuclear option - I'll probably skip the email and put a warning message up at the top of the site in a couple of days; for now, I want to make sure everyone gets the message that PayPal F&F is a false economy.
    <space for hire>
    Reactions: 0 LOL, 0 Wow!, 3 Wisdom
  • topdog91 Frets: 304
    topdog91 said:
    Great suggestion. More and more people are getting used to MFA as an essential part of a modern security posture as an inevitable consequence of the eternal race between good and evil. In fact ISTR TGP implemented it after some security scare or issue a few years ago.

    It doesn't have to be mandatory, but users could be strongly encouraged to use it. It also doesn't have to be that annoying, only necessary when logging in on a new device etc.

    Shame Vanilla doesn't support it.
    It won't help solve this problem - this has occurred precisely because some forum members have an incredibly lax approach to their own security and they reuse passwords all over the place.

    I have the file which this particular scammer is using - of the forum members I've found in there (there's a lot to go through - roughly 230 million email addresses), all of them have single-word passwords that would take seconds with a dictionary search and a hash.

    Coincidentally, those are precisely the people who look at MFA and say "Nope, that's too much like hard work". Ergo, it has to be mandatory, or it's pointless for this purpose.
    Preface: I'm not looking for an argument and in writing things may come across colder so first to say thanks for all you do, I'm sure this has been stress nobody needs.

    I wasn't only looking through the prism of this attack. MFA is generally considered a Good Thing to verify that users are who they claim to be, and a useful part of an overall security posture. No need to bat it away because it doesn't work when it's switched off.

    If there isn't an option, I don't think users can be blamed for not taking it and perhaps more than you think would; as I said earlier it's becoming part of the mainstream. Even my mum deals with it (she's 86, bless).
    Brian Moore MC1 / i9.13p, Chapman ML-2 / ML-3, Fender 1977 Strat Hardtail / Richie Kotzen Telecaster, Peavey Predator / T-60, PRS SE Akerfeldt / Akesson , Squier Classic Vibe 60s Strat, FSR Custom Tele x2, Simon & Patrick Folk Cedar
  • topdog91 Frets: 304
    Is it worth an all-members emailer explaining the potential for issues and requiring a password reset? A little bit heavy handed but maybe not a bad idea? 

    Mine wasn't a single word, and was about 15 characters, but I've still changed just in case.
    I like this if handled in the right way i.e. not spreading panic. I would first make sure that we enforce strong passwords so users don't change their passwords to "newpassword".

    Not sure if there's a way to only target users with relatively insecure passwords as I assume they aren't stored in the database in cleartext and the hashing is hard to break.

    Maybe emailing users who haven't been active for a long time e.g. over a year on the (possibly mistaken) basis that these accounts are more vulnerable than accounts of frequent users.

    I'm thinking that users become more aware over time so it's more likely that User X had "password" as their password years ago but now is more enlightened.
    Brian Moore MC1 / i9.13p, Chapman ML-2 / ML-3, Fender 1977 Strat Hardtail / Richie Kotzen Telecaster, Peavey Predator / T-60, PRS SE Akerfeldt / Akesson , Squier Classic Vibe 60s Strat, FSR Custom Tele x2, Simon & Patrick Folk Cedar
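Added example (not part of any post in this thread, and not Vanilla's code): the post above notes that weak passwords cannot be picked out of a hashed database. The plaintext is available at login and at password change, so a site can screen it at those two points and force a reset without ever cracking a hash. All function names, the word lists and the PBKDF2 parameters here are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data; a real deployment would load a breached-password
# corpus and a dictionary wordlist from files.
BREACHED = {"password", "newpassword", "qwerty123"}
DICTIONARY = {"guitar", "fender", "telecaster", "password"}
MIN_LENGTH = 12
ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


def weakness(password):
    """Return a reason string if the password is weak, else None."""
    p = password.lower()
    if p in BREACHED:
        return "appears in a breach corpus"
    if p in DICTIONARY:
        return "single dictionary word"
    if len(password) < MIN_LENGTH:
        return "shorter than %d characters" % MIN_LENGTH
    return None


def hash_password(password, salt=None):
    """Derive a salted hash; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def login(user, password):
    """Verify against the stored hash; on success, flag weak passwords."""
    _, digest = hash_password(password, user["salt"])
    if not hmac.compare_digest(digest, user["hash"]):
        return "denied"
    if weakness(password):
        user["must_reset"] = True  # only set after a correct login
        return "reset_required"
    return "ok"


def change_password(user, new_password):
    """Apply the same screen to the replacement, so 'newpassword' fails."""
    reason = weakness(new_password)
    if reason:
        return "rejected: " + reason
    user["salt"], user["hash"] = hash_password(new_password)
    user["must_reset"] = False
    return "changed"
```
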
  • topdog91 said:
    topdog91 said:
    Great suggestion. More and more people are getting used to MFA as an essential part of a modern security posture as an inevitable consequence of the eternal race between good and evil. In fact ISTR TGP implemented it after some security scare or issue a few years ago.

    It doesn't have to be mandatory, but users could be strongly encouraged to use it. It also doesn't have to be that annoying, only necessary when logging in on a new device etc.

    Shame Vanilla doesn't support it.
    It won't help solve this problem - this has occurred precisely because some forum members have an incredibly lax approach to their own security and they reuse passwords all over the place.

    I have the file which this particular scammer is using - of the forum members I've found in there (there's a lot to go through - roughly 230 million email addresses), all of them have single-word passwords that would take seconds with a dictionary search and a hash.

    Coincidentally, those are precisely the people who look at MFA and say "Nope, that's too much like hard work". Ergo, it has to be mandatory, or it's pointless for this purpose.
    Preface: I'm not looking for an argument and in writing things may come across colder so first to say thanks for all you do, I'm sure this has been stress nobody needs.

    I wasn't only looking through the prism of this attack. MFA is generally considered a Good Thing to verify that users are who they claim to be, and a useful part of an overall security posture. No need to bat it away because it doesn't work when it's switched off.

    If there isn't an option, I don't think users can be blamed for not taking it and perhaps more than you think would; as I said earlier it's becoming part of the mainstream. Even my mum deals with it (she's 86, bless).
    That's all fair comment - however, MFA is a long way off on forums like this one (particularly since we don't have the funds to take the easy route of SMS backup, and email doesn't work because so many email services mark forum traffic as spam). TGP can do it because they have orders of magnitude more in terms of both traffic and budget than we do, so they've got room to take a hit if necessary ;)

    With that said, that's all strategic thinking; right now, I'm staying well away from that because of the immediate concerns...which are strictly in the realms of "How much can we sacrifice to prevent further accounts being compromised under this attack (or similar)?".
    <space for hire>
  • To @AdminTeam , first thank you for shutting down potential scammers, and for raising more awareness with the most recent thread 'Recent Scams'
    https://thefretboard.co.uk/discussion/259362/recent-scams#latest

    Apologies in advance for the following word vomit. I'm sure I'll be called out for mistakes in the following, but some observations as a potential scam victim:


    **Re-title of potential scam thread, or addition to first post**
    These 3 sale threads (2 sellers) have all been closed/banned by yourselves for potential scams. But the thread title still says 'sold', which is false if anyone was searching the forum. Can the title be appended with 'potential scam investigation' or something to make it obvious.
    And/or can the first post in the sale thread have some verbiage _added_ so that if anyone opens it, the first thing they see is a message that this sale is being investigated, or has been confirmed a scam. This just helps with awareness in the future.


    **Put 'Recent Scams' thread at top**
    There are a few other scams warning threads pinned, but can the most recent one be pinned at the very top. As it is short and does not allow any more posting, it's much easier for someone to comprehend and not get confused by the other threads.


    **Anything bigger going on?**
    The above potential scams all happened within days of each other. And from reading some users' comments, some things seem similar. Is this a coincidence, is it the same person with multiple hacked accounts, or is there some wider hack somewhere we should be aware of?


    **Scam tactics information**
    I am aware you don't want to make known your findings to prevent other scammers using the tactics, but at the same time it leaves us forumites in the dark as to what happened and how it happened, so that we can be more vigilant in the future. I don't know if there is a better balance we can find.


    **Learn by seeing past scam threads**
    The best way to learn what to look out for, is from other scam threads. Reading the 'Recent Scams' thread is great, but we are human, and reading other ppl's BAD experience has more of an impact. Maybe a single thread at the top with links to threads either being investigated, or confirmed a scam, so that we can all learn what to look out for. The potential victims put in good info on their dealings in those threads.


    **Speaking up publicly**
    I spoke up about a 'potential' scam in the seller's sale thread. Within 23 minutes, other ppl spoke up and the account was banned. I do NOT want to disparage anyone, but if I had not said anything, how many other ppl might have been affected?
    I fear other ppl did not want to speak out before as they felt guilty about saying something if they were wrong, and we have all been trained not to mess with someone's 'for sale' thread.
    If we allow this because we don't want to offend one person, then innocent ppl could suffer.
    How do we balance forumites speaking up about these potential things publicly to safeguard all, while not destroying someone's reputation if we are wrong?


    **One scam user group for notifications**
    It has been stated to get into contact with yourselves if we feel there is a scam. But it does not clearly say 'how'. Maybe add something to 'Recent Scams' and clearly inform users what to do, maybe create a 'ScamInfo' group so we can tag it with @ScamInfo so it's easy for us to use, and easy for you to filter?


    **Addressing Users' Bias**
    I have used Paypal F&F for years with no issues. But if it was not for Paypal denying my payment, I would have been a victim. I know that is on me and my fault. For some reason, the idea that one is getting the best deal ever over other people and you don't want to miss out plays heavily on our minds, that it's worked for years so it must be fine now, and we do stupid things. Maybe another way to drive that point home even more.


    If you made it this far...sorry. But thank you :)
    Feedback here
    Reactions: 0 LOL, 1 Wow!, 1 Wisdom

  • **Speaking up publicly**
    I spoke up about a 'potential' scam in the seller's sale thread. Within 23 minutes, other ppl spoke up and the account was banned. I do NOT want to disparage anyone, but if I had not said anything, how many other ppl might have been affected?
    I fear other ppl did not want to speak out before as they felt guilty about saying something if they were wrong, and we have all been trained not to mess with someone's 'for sale' thread.
    If we allow this because we don't want to offend one person, then innocent ppl could suffer.
    How do we balance forumites speaking up about these potential things publicly to safeguard all, while not destroying someone's reputation if we are wrong?

    I've got some ideas on the rest of it, but for this one...the solution is to flag the posts if you have any suspicions. Contrary to what some believe, we read, consider and act upon every single flag report.

    This is also the most effective way to deal with it, because it guarantees that the message goes to the whole modmin team; sending a PM to one of us relies on that person being available.

    However, if it's a non-urgent issue or something you think needs a bit of discussion, a PM will do fine.
    <space for hire>
  • glitterjet Frets: 69



    **Learn by seeing past scam threads**
    The best way to learn what to look out for, is from other scam threads. Reading the 'Recent Scams' thread is great, but we are human, and reading other ppl's BAD experience has more of an impact. Maybe a single thread at the top with links to threads either being investigated, or confirmed a scam, so that we can all learn what to look out for. The potential victims put in good info on their dealings in those threads.



    Speaking as one of the people who was caught by the scammer, I think this is imo the best method to show how this can unfold. I have been a member for 4 years through FB I have bought guitars/amps, sold bits in response to WTB ads, gave stuff for free, received stuff for free.
    I was blinded by a guitar I always wanted, the seller had been a member for 10 years, had lots of points and badges etc, answered all my questions about the guitar, asked for PPFF, I obviously thought the whole thing was genuine and not wanting to miss out I agreed.
    Yes I am still numb from the experience and hope no one else has to go through anything similar.
    Be careful out there.....
    Reactions: 0 LOL, 1 Wow!, 1 Wisdom
  • JerkMoans Frets: 8794
    Fwiw I’ve used something like this before: https://www.onlinefeecalculator.com/index-UK.php

    The vendor gets precisely what they requested, I pay the few % extra for peace of mind.

    If handled tactfully, no one seems to mind, and if anyone does object, there’s your red flag.

    I appreciate this is shutting the stable door after this particular horse has bolted, but just a spot of well-meant future advice for my Brothers and Sisters in GAS \m/
    Inactivist Lefty Lawyer
    Reactions: 0 LOL, 1 Wow!, 5 Wisdom