|
|
|
|
|
|
Posted: Sat Jul 31, 2010 4:36 pm
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
♫Protecting Your Account♫ Defense Against Scammers and Hackers
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
♪Introduction♪
Many users on Gaia are familiar with the warnings and reminders posted all over the site informing the members that the moderators and staff will never ask you for your password. These are posted for good reason, as there are many unsavory sorts out there who will POSE as moderators that WILL ask you for your password. This guide will cover the most common sorts of scams, how to protect yourself, and what to do if you have been the victim of a scam or if you have been hacked.
♦ ♣ ♥ ♠
♪Updates♪
July 31st, 2010; Guide Created
♦ ♣ ♥ ♠
♪Table of Contents♪
1. Introduction (You Are Here!) 2. Passwords. Why You Need A Good One. 3. Scamming 4. Giftboxes 5. Phishing / Popups 6. Cookie Grabbers and Keyloggers 7. Moderator Impersonation 8. What To do If You Are A Victim 9. Ban Prevention 10. Examples
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
|
|
|
|
|
|
|
|
|
|
|
Posted: Sat Jul 31, 2010 4:38 pm
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
♪Passwords♪
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
♪Why You Need A Good One♪
Passwords are the first line of defense for your account, the strongest, and unfortunately also the easiest to break if you're not careful and if you don't use something strong enough.
When signing up, you likely noticed Gaia encouraging you to play with 'sTRangE caPITaLIzatIOns' and use of numbers or symbols and words that are completely irrelevant to you. This will make your password stronger and near impossible to guess- I'll discuss why here in a bit.
A strong password may seem irritating at first. Why enter 123456 when entering 123 is so much easier? A few extra keystrokes only take up a few more seconds of your time. A few seconds of time isn't much of a price to pay to protect all of your items, so it's definitely worth the time investment.
Choose words that you can easily remember- words that you like the sound of, obscure movie or book references but never something as obvious as a pet's name, a characters name or a book or movie title. Make it tricky. Use combination of words, use strings of numbers that only you will know. Don't use 123- mix it up and make it longer.
Have you studied a foreign language? Use some foreign words. Spell words backwards. Use anagrams. Just make it complicated for anyone and everyone but yourself.
♦ ♣ ♥ ♠
♪Social Engineering♪
You may never receive a fake moderator private message. You may never get a link to a fake login page, and yet, it's still possible for users to break into your account if you don't have a strong password. How?
Social Engineering, by definition, is one person tricking another into revealing a weakness or point of entry through security. In this case, it would be the password to your account. On Gaia, this is done by learning about you. What do you like? What movies do you like, what books do you read, where did you grow up, etc etc.
As someone learns from you (either by reading posts you make in the forums, on your profile, etc) or by interacting with you directly, they can begin to input that information as a password crack attempt.
For example;
User1 is spending hours per day discussing Lady Gaga. A would-be hacker picks up on this and starts entering variants of this, such as Lady Gaga song titles, as a password for User1. After some work, the hacker goes back to User1's profile and finds their birthday and starts using song titles + the users birthday. Eventually, this is successful. The hacker changes the password and locks User1 out of his account.
This method takes time, but is successful with persistence in the presence of weak passwords.
♦ ♣ ♥ ♠
♪Brute Forcing♪
Similar to Brute Forcing with a puzzle; a would-be hacker simply tries any and all words that come to mind to try and get into the account in question.
This is understandably less effective, though if you're only using one or two common words with no numbers or additional protections, you still put yourself at risk for this sort of attack.
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
|
|
|
|
|
|
|
|
|
|
|
|
|
Posted: Sat Jul 31, 2010 5:30 pm
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠♪Scamming♪♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠♪Being Directly Cheated♪If you're offering any sort of service or selling in the marketplace, you're perpetually at risk of a direct 'I'm simply not going to pay you' scam. While this sort of attack doesn't involve anyone actually getting into your account, it does cheat you out of something that would otherwise be yours and there are some ways to protect yourself. ♦ ♣ ♥ ♠♪Scenario♪If you're vending in the exchange forum, running any sort of minishop that involves you creating something custom for a customer, or offering a service in exchange for gold and items, there is a risk of not getting paid for your efforts. If you're the buyer, you in turn run the risk of paying up front and your custom service or work not being delivered. How can you protect against this? I'll cover a bit of what to look for in shops and exchangers in this section. ♦ ♣ ♥ ♠♪Be Wary♪To The Seller; Is this person offering to send you a promised item via giftbox? Do they want you to send an item to them via giftbox while they send an 'equal value' trade item back to you via giftbox instead of using the trade system? Is this person demanding a 100% finished, unmarked product before they'll start a trade with you? Does this person have questionable comments on their profile indicating that others have had problems with them in the past? What was your first instinct? Does this person seem trustworthy? To the Buyer; Is the seller of a custom work or service demanding 100% payment in full before they'll start on their work? Is there any talk of using giftboxes instead of the trade system? Does this person have a well established thread to sell their services or was it just recently established, or are they offering their services only to a limited amount of people who follow their very strict rules? Do you believe this person is trustworthy? ♦ ♣ ♥ ♠♪Protect Yourself♪With any exchange situation, be it with items or art / services, never do any form of business with the gift system. The gift system was implemented to send gifts, not to make exchanges. Make sure you can see what you are getting, otherwise you will likely be getting a piece of clothing from a starter set worth less than 5g. The fairest way to settle any exchange for custom works or services is to start the trade at the beginning of the deal, leave it open during the course of work, and then complete it once the work is finished. In the case of a service, complete once the service is done. In the case of artwork, a watermarked or stamped image is usually sent to the buyer to indicate that the piece is finished and then upon completion of the trade the watermark or stamp is removed. This is an easy way to ensure that the gold / items promised are indeed present at the time of the deal as well as when the deal is ready to be closed which reduces the risk of being scammed by someone looking to get something for nothing. And again, if selling an item and someone suggests trading items through the gift system, always say 'NO' and demand that the trade system be used. ♦ ♣ ♥ ♠♪Look Alikes♪When trading, ALWAYS hover your mouse over EVERY item in the trade to check the name of it and ALWAYS double check the amount of any gold being sent your way. There are many items that look similar (historically infamous on Gaia; the Winter Rose vs the White Lily Wristlet Corsage) that could see you instantly scammed out of a large sum of gold. Be aware of what you're trading for; a few extra moments of caution NOW could save you several weeks or months of hassle later. ♦ ♣ ♥ ♠♪Borrowing♪Lending items to people you know and trust deeply is alright sometimes, but there's always the risk that you'll never see the item again. If you choose to lend an item out, make sure you're protected by either getting collateral (items of equal or greater value in exchange) or that you are VERY sure you can trust the person you're making the loan to. This is not a situation you want to trust.♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
|
|
|
|
|
|
|
|
|
|
|
Posted: Sat Jul 31, 2010 5:48 pm
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠♪Giftboxes♪♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠♪Trouble Ahead♪Whenever someone asks for an exchange in the GIFT system, red flags should start waving. You can't verify what you're getting in exchange, can't see that the person is sending the item that they promised, and you risk losing something of greater value than what you'll receive. ♦ ♣ ♥ ♠♪Just Say No♪If the person persists, you have two options. You can put them on your ignore list and be done with it or ask them to stop contacting you, or demand that if they want your item or service so badly that they offer a proper TRADE for it. If the person has any credibility at all, they will offer the trade so that you can see what you're getting. As always, make sure to hover your mouse over everything in the trade to check the name and ensure that you're not getting a look-alike item. ♦ ♣ ♥ ♠♪They Say Their Trades Are Down♪If their trades are disabled, long story short, they've been doing something wrong already now haven't they? Moderators don't disable trading passes just for kicks- they disable passes of those who are abusing the system in some way. If their trades are down as part of a glitch, advise them that you will wait until the glitch is fixed to do any business with them. ♦ ♣ ♥ ♠♪Don't Do It. Ever.♪Never conduct business with giftboxes. ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
|
|
|
|
|
|
|
|
|
|
|
|
|
Posted: Sat Jul 31, 2010 6:08 pm
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠♪Phishing and Popups♪♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠♪Accidental Input♪The idea behind both of these attacks is to get you to input your information unknowingly into a location that will then send it to a would-be hacker who will then break into your account. I'll discuss each of these in more detail below, as each of them is a bit different. ♦ ♣ ♥ ♠♪Phishing♪A phishing attack will be one that will direct you to a site that will tell you to input your Gaia credentials. This will either be a website promising something in exchange (a gold or item reward, participation in a beta program, or something of this nature) or it may look exactly like Gaia online. What is your defense against this? If it doesn't look like Gaia, never input your information. Ever. Regardless of what is being promised. Gaia will never link you offsite for any reason with promise of any rewards. Gaia delivers all of its special reward promotions on site. If it looks like Gaia and you've just followed a strange link, check the URL. Chances are you're not on Gaia anymore. Don't enter your information here. Close the window, and leave the page. In either case, report the link and the user that provided it to you immediately. If you accidentally enter your information on any of these pages, change your password immediately. ♦ ♣ ♥ ♠♪Popups♪Popups are annoying little boxes that will spawn and ask you to login. They're in no way linked to Gaia and are, in fact, scammers trying to get your information. Most popups will look like this (The URL to the scammers servers has been omitted) though exact appearance will depend on your computer. I have here two different examples; the first was provided by a friend, the second was taken myself. These can be inserted into the forums, into profiles, or anywhere a post can be left. They're easy to evade- just close them out and no harm will come to you. If you enter your information into one of these boxes in error, immediately change your password. ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
|
|
|
|
|
|
|
|
|
|
|
Posted: Sat Jul 31, 2010 6:18 pm
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠♪Cookie Grabbers And Keyloggers♪♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠♪Invading Your Privacy♪Some would-be hackers will link you directly to pages that will attack your computer with malicious programs. The best defenses against these sorts of attacks are good anti-virus and anti-spyware programs, or simply knowing which links are trustworthy and which ones are not. The redirection warning when leaving Gaia (you should keep this enabled at all times; just because a user says they're linking you to their arena entry doesn't mean that they are) will show the URL that you are about to exit to. If it is a website that you're not familiar with or have never heard of or if the URL looks strange, you should probably not visit it. Visiting a malicious site can infect your computer with programs that will invade your recent cookies (thereby retrieving your password) and send the information back to it's host, or infect your computer with a keylogger that will record your keystrokes. If not immediately jeopardizing to your Gaia account, following malicious links can be detrimental to your computer by allowing malware, spyware, scareware, or other unpleasant programs onto your system. Links can appear anywhere.Don't click them. The link in the above image was inserted into a jigsaw game via a scriptor, and promises a prize if clicked. This screenshot is quite old, and most issues that allow scriptors to access games in this manner have since been fixed. I chose this one to post as an example not to jump on something that looks too good to be true ;3 If looks too good to be true, it usually is. ♦ ♣ ♥ ♠♪Think Before You Click♪The safest option is, of course, to simply not follow any external links on Gaia. Plenty of trustworthy users post links but if you want to ensure the safety of your account, you are under no obligation to click them. If it's not from a person you know well, or there's promise of any sort of material gain on Gaia, you're probably best ignoring it and moving on. ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
|
|
|
|
|
|
|
|
|
|
|
|
|
Posted: Sat Jul 31, 2010 6:33 pm
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
♪Moderator Impersonation♪
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
♪How To Spot A Fake♪
It's pretty easy, just remember these tips.
A moderator will never ask you for your password.
A moderator will never contact you if your account is under investigation. They'll just investigate it.
A moderator will never contact you if you've won something special. They'll just give it to you.
Moderators have colored usernames- Administrators are orange, Moderators of all levels are green, Forum Assistants are pink, and Artists and Developers are brown.
Moderators will have titles under their usernames to identify themselves.
If they don't meet the above criteria, they're not a moderator.
♦ ♣ ♥ ♠
♪But This PM Looks Really Official!♪
It doesn't matter. Hackers will go to great lengths to make their message look legitimate, some more than others, because they want you to believe it. If you don't believe it, they don't get your password.
Don't respond to anything they send you- report the PM immediately.
♦ ♣ ♥ ♠
♪But Their Username Looks Official!♪
If it's not colored, and they have no title, they're not a moderator. I could have named myself 'OmniMod' and it doesn't make me one ;3 Names are irrelevant. Ignore them.
Look at the color of the username and look for a title.
♦ ♣ ♥ ♠
♪The Message Says I've Been Reported!♪
Nonsense. It's a scare tactic and nothing more. As said above, a moderator will never tell you if you're being investigated. They'll just do it. They don't need your password to look at your account.
No need to fret; just report the PM, close it out, breathe, and go about your business.
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
|
|
|
|
|
|
|
|
|
|
|
Posted: Sat Jul 31, 2010 6:43 pm
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠♪What To Do If You Are A Victim♪♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠♪Aftermath♪First of all, breathe. Finding that you can no longer log in or logging in to find your possessions gone is a shocking experience, but there are steps that you need to take quickly in order to have any chance of getting your items back. ♦ ♣ ♥ ♠♪Submit A Report♪Submit A Report at the bottom of this page- there are links to submit reports for hackings and scammings. It is important that you use the correct report so that your information can be correctly processed. Submit only one report, do not abuse the forms. Fill out all of the information completely and accurately and then submit the information. This must be done within thirty days of the incident. ♦ ♣ ♥ ♠♪I Can't Log In!♪If you can't log in, attempt to reset your password. If the hacker has managed to change your password, submit the hacking report with a mule account. ♦ ♣ ♥ ♠♪Now What?♪After submitting the report, unfortunately all you can do is wait and hope. Not all accounts can be restored, even with proper steps taken afterward. This is why it is imperative to protect yourself ahead of time. ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
|
|
|
|
|
|
|
|
|
|
|
|
|
Posted: Sat Jul 31, 2010 6:53 pm
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠♪Ban Prevention♪♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠♪Why Is This Here, Daypaw?♪Anyone who hasn't actually read the ToS may not know some of the smaller details relating to conduct that could potentially get you into trouble on Gaia, so I'll cover a few of them here. You may see them pop up in your PM inbox or on your profile and think 'This looks like a good idea' when in reality you are about to get yourself into trouble. ♦ ♣ ♥ ♠♪Chain Letters♪These will come either through PM's or profile comments and will usually be long strings of 'Post this on x amount of profiles to get x amount of gold, it really works I'm rich' repeated over and over to stretch your profile page. These are directly forbidden by the ToS and will get you into major trouble. If you see these, you should report them. Don't spread them around or you'll find yourself getting into trouble. That aside, posting the messages doesn't make you rich. You get nothing more than normal posting rewards. This is not OK.♦ ♣ ♥ ♠♪14/28g Posts♪Essentially the same thing as a chain letter; 'Post this for x gold' in the forums. This is forbidden also as it is considered a scam. ♦ ♣ ♥ ♠♪Adult Content♪Gaia is a PG-13 site. Any exchange of adult content (images, video, or cybering) will be reported. Gaia is fairly liberal when it comes to swearing and other general freedoms, however, for YOUR safety and the safety of everyone else in the community, any sexually oriented actions between users should be reported. Remember- you can't see the person you're chatting with beyond their avatar. Just because they say they're fifteen doesn't mean they're not in their late thirties or older. ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
|
|
|
|
|
|
|
|
|
|
|
Posted: Sat Jul 31, 2010 6:57 pm
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠♪Examples♪Here are some examples for you of PM's that I personally have received over the years- the good, the bad, and the ugly. I'll break them all down for you as we go. Some of these have been unedited so that you can see the usernames used (some of the 'official looking' usernames that are not colored or titled) so you will know what to expect. Clicking these links will take you to images in my photobucket account. They are safe to click. ♦ ♣ ♥ ♠♪Offsite Links♪Battle System BetaThis one requires a brief history; this was sent to me back in 2006, when the 'Battle System' was still just a promise that many users were impatient for. Gaia released the Mythrill armor MC in the month that this PM was sent after having released the Ancient Katana not too many months before; so this user sent a PM containing a link to a non-Gaia website that would request login information under the premise that it was the battle system beta. These are the sorts of links you should never ever ever be clicking :3 ♦ ♣ ♥ ♠♪Moderator Impersonation♪All of these come from users impersonating moderators asking for my password. This is probably the most common means by which passwords are obtained. If you don't know any better, you open the PM and believe that you're about to be banned or that you'll receive some kind of amazing reward. I've received literally hundreds of these things and I'm still here, so I can personally assure you that you're perfectly safe. Luckily, I kept some of the gems that I can share with you. We`ll start with something easy.Not too much explanation is needed for this one; there wasn't much effort put into it. No official username, even. Just a halfhearted attempt. Not quite.Gaia was founded in 2003 so this is junked right away. The rest is more of the same; only instead of a scare tactic, they're offering gold and items in exchange for the password. A little better.Note that the username is "Admlnstrator." That makes it look slightly more legit, at a glance, if you didn't know that mods have colored usernames. The real Administrator has a totally unique hairstyle and outfit and an orange username. The images are no longer in this PM- they used to be Gaia banners. Note that they tried to make it look more realistic by including a note about not submitting reports about swearing or attitude. She also tries to explain that she wouldn't normally ask for this information, but that she needs it now. This is nonsense. Moderators don't need your password to do anything to your account. A different tacticThis would-be hacker is promising gold after clearing the 'report' against my account. Otherwise, the tactic is still the same. 'You've been reported, comply comply comply or be banned.' Again, attempting to use a convincing username that is (not surprisingly) not consistent with that which can be used to identify moderators. By the way, there is no clause in the ToS that promises gold for wrongfully accused accounts. Most 'wrongly accused accounts' never know that they're under investigation because the mods don't make a show of telling you. One that shows some effort.Not only is there an 'official looking' username, but the avatar is blank. A lot of users have never seen a blank avatar and don't know that it used to be possible to glitch ones self into such a state fairly easily. There's a banner, and he even put the Admin in the message with an orange name. Notice that it wasn't actually the Admin that sent the message, which is proof enough that this message is bogus. So, to conclude, no matter how elaborate or legit it seems, it's not. Never give anyone your password. ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
|
|
|
|
|
|
|
|
|
|
|
|
|
Posted: Sat Jul 31, 2010 6:59 pm
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
♪Reserved♪
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
|
|
|
|
|
|
|
|
|
|
|
Posted: Sat Jul 31, 2010 7:00 pm
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
♪Reserved♪
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
|
|
|
|
|
|
|
|
|
|
|
|
|
Posted: Sat Jul 31, 2010 7:01 pm
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
♪Reserved♪
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
|
|
|
|
|
|
|
|
|
|
|
Posted: Sat Jul 31, 2010 7:02 pm
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
♪Reserved♪
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
|
|
|
|
|
|
|
|
|
|
|
|
|
Posted: Sat Jul 31, 2010 7:02 pm
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
♪Reserved♪
♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠ ♦ ♣ ♥ ♠
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|