This is taken from Jellyneo.net.
- Posted by Dave
- Posted on January 8, 2009, 8:42 pm NST
Basically, some scammers are changing their petpages to show a picture of the Pant Devil with a message saying something along the lines of “The Pant Devil has stolen this page! Click here to reclaim it!” The link goes to a Desert Scratchcard, waiting to be scratched by you. The only thing is, the scammers have potentially included some malicious coding in that URL, rendering them able to steal your Neopets account password and gain access to your account.
In short, DO NOT click on any links on petpages, shops, userlookups, guilds, or Neoboards that lead to a scratchcard. One, you should not be viewing them in that fashion, and two, your account may be stolen! Also be warned that not all links will necessarily include the Pant Devil set up mentioned above. Just be wary of clicking any “long links” for now. 😉
If You Clicked: If you clicked a scratchcard link, change your password immediately. You must change it right now. Also, apply a PIN Number to all areas where you have significant NP invested. Even if you didn’t click the link, this is a great precaution. You can only be affected by this scam if you click the scratchcard link… so don’t!
For the techies out there, The Neopets Team has failed to secure one of the GET variables that the flash scratchcards are using. So, the scammers are able to include their own malicious flash file as a “background image” in the scratchcard that doubles as a cookie grabber. Example:
Sheer genius, really. Neopets basically has to update their scratchcard coding to include some sort of validation to make sure any flash files being included are strictly from the images.neopets.com or swf.neopets.com servers. Hopefully this does not call for an extended downtime of scratchcards like last time!