New Scam?

rhiggie

UU VIP
UU VIP
Joined
Jan 30, 2013
Messages
1,081
Reaction score
2,218
Location
Durham, NC
It appears there's either a way to hack members in good standing and list ukes for sale including pictures with dated/named notes, or "sleeper" hackers hang around long enough to get some credibility and then list some ukes. This possibly happen recently to member Tom51251. And crazy as it sounds, and making it harder to sniff out these scammers, another member said they had done business with Tom and it was great. It leads me to believe at some point Tom51251 was a decent member and fell on hard times, or he was hacked, and the hacker was bold enough to list photos with UU selling note included.

Is the moral of the story, to only use protected payment methods? And that makes me wonder how easy it is to get Paypal to protect the buyer that's been scammed? Is it like shipping insurance that makes the seller jump through hoops they can't typically jump through. like show photos of the item as it was packaged, show photos of package BEFORE it was opened, show receipt to prove item value (if it sounds like I've had to deal with an insurance claim before you are right).

I mean what we have going for us here is building relationships that help build trust. If a scammer can easily hack us and assume those relationships, then we don't even have that.
 
I think that this just teaches us to be more self aware. If a member is constantly posting and interacting on the forum, it is highly unlikely that they will be scamming us. It's the accounts that haven't been used in awhile, or new ones that might be up to no good, or have been compromised. (Due to this, I like the protections the mods have put into place regarding new accounts making listings by posting a little, or purchasing VIP, it definitely deters scammers from the second category I listed.)
 
Last edited:
Remember, the best defense against a bad guy with a uke is a good guy with a uke. As I recall the latest hack involving a fake "Tom51251" was thwarted by the quick response of some "good guys" in the forum.
Thank you all for your diligence.
 
If you click on your avatar in the upper right, you can click on “password and security” and you can enable 2 factor authentication on your account. Then nobody can hack anybody. You can set it up so a code is sent to your email.

E206A465-B13D-4D42-9229-A26D7E29AC6A.png
 
Last edited:
Imagine how I felt chiming in with my support for what turned out to be a hack! Unbelievable. I did my best to alert the mods when it became apparent that the account was compromised.

I also immediately added two-factor to my own account after I had been dragging my feet about it!
 
Imagine how I felt chiming in with my support for what turned out to be a hack! Unbelievable. I did my best to alert the mods when it became apparent that the account was compromised.

I also immediately added two-factor to my own account after I had been dragging my feet about it!
I will do that as well.
 
Don’t ever use Venmo for a purchase online, or Zelle, or Paypal family & friends, unless you are 100% sure about the seller. I recently fell victim and because I had used Paypal Goods & Services and a Paypal credit card - my money was refunded.

I did the two-factor on my account. Everyone should do this too.
 
This is a long conversation, which you know I'm always up for :ROFLMAO: but I'm currently under the hood making some changes to our back-end security. I'll be back with the longer conversation at that time, hopefully later today.

The short version for now is that 2FA is fast, easy, and only requires addressing once a month, at least if you're using an app for verification, which I am. I'm using Google Authenticator for UU, but I've also used a bunch of others for other sites, and they work about the same, and they're all super easy. This is absolutely the best way to secure your account, though, no doubt about it.

Two quick notes about this that I'll add for now, and elaborate on later:

  • If you've ever sold anything in the Marketplace, you NEED to enable 2FA. That's where the vulnerability is occurring -- bad guys are finding previous sellers with weak passwords and stealing their identities.

  • I had thought at first that it was ONLY old accounts being hacked, but Tom had logged in just a week or two ago. The scam happened THAT fast. There are many sites that REQUIRE two factor authentication, and I'd rather not go there just yet....but if my new security initiatives don't work, we know that this very much does.

To enable it, go to the Password and Security section of your profile at this link: https://forum.ukuleleunderground.com/account/security You'll see the settings there to turn on Two Factor Authentication.

Below that, you'll see a place to enter a new password. You'll note that there are some new requirements there, from a security update I added after the last hack -- 8 characters, upper and lower case letters. I tried not to be too annoying about it (numbers, special characters, etc), but when in doubt, add 'em! And again, for maximum security, please use two factor authentication, rather than a stronger password alone.

I'm going to add a note to NOT include the words password, ukulele, underground, or anything with your account name as part of your password, but that's just good hygiene everywhere on the web, not at all specific to UU. Don't use your name, anything about the name of the site, or anything that includes the word password, ANYWHERE. :)

Anyway, if you scroll down on the security, you'll also see all the places you're currently logged in. Please take a quick look. The descriptions are a little cryptic, but if any of them doesn't look right to you, click the "Log out" button just to be on the safe side. Logging back in is easy enough. :)

There's a lot more to say, but I'd like to finish setting up the new stuff first. I'll circle back with the details of what happened, how to make things safter on YOUR end, and what I've done on OUR end to tighten things up.

But the word is clearly out that our Marketplace is vulnerable, so please, if you've ever sold an instrument, turn on 2FA NOW.

More to come as quickly as I can.

Mahalo,
Tim
 
The short version for now is that 2FA is fast, easy, and only requires addressing once a month,

To enable it, go to the Password and Security section of your profile at this link: https://forum.ukuleleunderground.com/account/security You'll see the settings there to turn on Two Factor Authentication.


Mahalo,
Tim
Thanks Tim... for the detail AND the gentle "nudge." I've updated/changed/complicated to a new password and turned on 2-Factor.

As you're working on this, please consider another 'verification' source option... text messages for the code. I'd gladly include a text message phone number and including it can be a further verification of a person's "existence." Obviously as an option -for those not wanting to include in their profile, but a preference for me.

Stu
 
Last edited:
I think that this just teaches us to be more self aware. If a member is constantly posting and interacting on the forum, it is highly unlikely that they will be scamming us. It's the accounts that haven't been used in awhile, or new ones that might be up to no good, or have been compromised. (Due to this, I like the protections the mods have put into place regarding new accounts making listings by posting a little, or purchasing VIP, it definitely deters scammers from the second category I listed.)
As long as there are hackable accounts we will have this problem. A scammer will have little issue with paying $5 in order to steal $1500; otoh, forcing a scammer to pay $45 for vip makes the scammer think a bit harder for softer targets.

If you see a buyer or seller using an old account with a reputation of 12 for example, review their post history and content. You're on the world wide web. There are a lot of people out there that want what you have. Be proactive and protect your assests. Admin can't do it all.
 
Google authenticator is a good one to use for 2FA, especially if you use it on other sites, its a very easy setup.

I STRONGLY suggest Google Authenticator, or really any app, and NOT using email for 2FA. As Pete notes with Microsoft Authenticator, they're all good, and they all work dandily. He's using Microsoft, I have three sites that I use Google Authenticator for (including our server host), and I also use Authy for another site. All of these work on both Android and iOS, super simple, and genuinely secure. Really, truly, use whichever app you like!

There's nothing wrong with email, but we have no way of knowing if you change your email account. An authenticator app doesn't know or care about your email account. In fact, you're perfectly fine continuing to use an email account that doesn't even exist anymore as your identifier to get in the site. The security is provided by the app, which changes the passcode every 20-30 seconds. Email is easy enough to hack, but NOBODY (in practice) is going to both hack your email AND your phone (which presumably also has some kind of security on it).

I know that email SEEMS easier, because there's nothing to remember, but I swear, the app is FASTER than email, and again note, you only need to authenticate ONCE A MONTH.

I'll be writing up a tutorial for the apps, because really truly, that's the better way to go.

is there any issue with staying “permanently” signed in to the site on my PC and iPad? Does this affect security?

It's security neutral. Somebody can hack your account while you're logged in, unless you have 2FA. If you have 2FA, you'll be notified that somebody is trying to get in.

In which case, notify us. :) We'll go block the IP that's probing your defenses.

There's the other issue, which we can't do anything about: these guys are using VPNs, so I'm playing whack-a-mole to block the IP addresses each time, but they just grab another. That's life, and that's also why 2FA is the only real security.


If a member is constantly posting and interacting on the forum, it is highly unlikely that they will be scamming us. It's the accounts that haven't been used in awhile, or new ones that might be up to no good, or have been compromised.

The thing is, you can't know that an account has been compromised until they tip their hand. The most recent scammer hacked an active account that had made a legit sale in late December! Nobody knew it was a scam until the scammer got profane, at which point somebody who knew the proper account holder and knew that this language and attitude was completely out of character, contacted both us and him to doublecheck. He confirmed that he was not the one behind that sale, and we proceeded accordingly...

...but the issue is that his account was accessible through whatever means (and I don't have any way of knowing the specifics -- a lucky guess? some sort of automated process?), and the account of an active, known seller looks like the account of an active, known seller, because it is!

So there are two basic steps to closing this vulnerability:

  • Strong passwords + 2FA

  • Assume that if the deal is unusually good that it's a scam, and report it.

Because that's the other thing. These accounts were breached and the "sales" made within a matter of hours. Sellers have a responsibility to secure their identities (we're working on it!), and buyers have a responsibility to verify that the sellers are who they claim to be. You can't use their account history to do that! The identity of that account has been stolen!

So drag it out. LOL Make them talk to you. Text messages and emails are not good enough, unless you have some way of making SURE that the person on the other end of the line is who they claim to be. If they lose their temper when you're asking for transparency, report them. They're up to no good.

Jeez louise, I wish I didn't have to encourage people to think like this, but we've been identified as a site where the passwords are soft and the buyers will move quickly. I'm going to work on getting people to harden their passwords, require 2FA for sellers -- because, again, these are the ONLY accounts being hacked -- but buyers have their roles to play too! Drag these exchanges out.

Please note that I'm not blaming anyone but the scammers. Nobody can prevent EVERY scam. After all, Facebook, PayPal, the Pentagon, et al have more security resources than we do, and they get burned by scammers too. But we don't have to do much to make this an unappealing target for them, just a little bit, so let's do that, and we can go back to enjoying each other's company and playing our ukuleles. :)


Still working a few things on the back end, but I'll be back soon!
 
Last edited:
If you click on your avatar in the upper right, you can click on “password and security” and you can enable 2 factor authentication on your account. Then nobody can hack anybody. You can set it up so a code is sent to your email.

View attachment 164122
None of these options seem to be the typical "code sent via text, or confirmation link sent by text". Which of these options can do that?
 
purchasing VIP, it definitely deters scammers from the second category I listed.

Yes, we're 100% on the people who add VIP accounts to start selling being legit. They have typically quickly established themselves as legit folks with deep roots in the musical instrument community, even when they've been new to us or to ukes in general, so I'm really glad that this is working.

The point isn't to create an insurmountable barrier. $5 or even $45 is nothing to someone who's after a $1500 scam...but to make that small payment, you have to use an ACTUAL credit card with PayPal or Stripe, and even a scammer needs to be able to collect their dough from PayPal or Stripe or whomever eventually, so that's just too much of a fingerprint to leave behind. These guys are looking for EASY money, and to leave as much distance between themselves and the transaction as they possibly can. "Give our payment partner your real credit card" is asking a lot, and so far, so good!
 
It appears there's either a way to hack members in good standing and list ukes for sale including pictures with dated/named notes, or "sleeper" hackers hang around long enough to get some credibility and then list some ukes. This possibly happen recently to member Tom51251. And crazy as it sounds, and making it harder to sniff out these scammers, another member said they had done business with Tom and it was great. It leads me to believe at some point Tom51251 was a decent member and fell on hard times, or he was hacked, and the hacker was bold enough to list photos with UU selling note included.

Is the moral of the story, to only use protected payment methods? And that makes me wonder how easy it is to get Paypal to protect the buyer that's been scammed? Is it like shipping insurance that makes the seller jump through hoops they can't typically jump through. like show photos of the item as it was packaged, show photos of package BEFORE it was opened, show receipt to prove item value (if it sounds like I've had to deal with an insurance claim before you are right).

I mean what we have going for us here is building relationships that help build trust. If a scammer can easily hack us and assume those relationships, then we don't even have that.
Hi Rhiggie, I was hacked. I am grateful to pmorey for the heads up last night. My integrity is important to me, and Im so thankful to Morey, Amie, and Tim for taking care of this. As I shared with pmorey, I felt violated and exploited. In addition to that I felt that my integrity was compromised. I hope you and the community will understand my feelings. This really hurtsI However, the way admin handled the situation gives me great comfort and great confidence that the forum is in good hands.

As you so well stated. “….what we have going for us here is building relationship that help build trust….” Amen! To that! Thank you for bringing this to the forums attention.
 
Last edited:
Today's Google Doodle for "Dia de los Muertos"
View attachment 160462

(Not a chuckle, but did not want to start a thread for this)

Is the moral of the story, to only use protected payment methods?
This is a great start and a great service provided by Paypal.

That begs the question, since we are discussing scammers: Is it okay to jump through the big loophole that is F&F in order to avoiding giving PP their fees for the payment service they provide? If you are buying from someone here on the forum that you do not personally have a relationship with, are you not scamming PP by using F&F instead of G&S and having them receive the 3% fee for the service?
 
As you're working on this, please consider another 'verification' source option... text messages for the code. I'd gladly include a text message phone number and including it can be a further verification of a person's "existence."

The email and app options are built into the system, so they're good to go. We'd need to pay a developer to custom code the text option, so that's not on the horizon yet.

That said, the apps are faster than text and don't rely on your phone being connected to the mobile network. They work over wifi!

THAT said, my my my, do I have plans for text at UU! :ROFLMAO: Email is really no longer as helpful as it once was, so we're going to be adding as an option for people who prefer it to have your forum notifications sent via SMS, as well as Facebook and Whatsapp Messenger. I'm also looking into optional browser-based alerts for people who opt in, so that you can see your UU alerts even when you're not logged into UU if you want it.

When I get around to adding the forums to the "email" newsletter for the education side of the UU house, I'm also going to be offering SMS and Messenger as the subscription vehicle. (Not that the whole newsletter would be there, but an alert to go read it if you want to -- and obviously only to subscribers. All of what I'm talking about is strictly opt-in, just like we've always done, and always will.)

But here's why I do NOT recommend text as verification between buyers and sellers. Our scammer(s) -- I'm thinking that there are at least two so far, at least one of whom has hacked more than one account -- have been very fast to recommend text as the way to contact them!!! Why? Because you can spoof text super easily, including using throwaway accounts in Whatsapp, Skype, Google Voice, and a gazillion others that require NO credit cards or other rootedness in physical existence.

You don't have to MAKE the phone call or Zoom call to verify someone's existence -- although if they give you their number, why not? The real test is if they're WILLING to be flexible and transparent. If not, end the conversation.

I'm going to contrast these Goofus scammers with the oh-so-Gallant (a Highlights reference for you geezers!) @rhiggie, who doesn't do PayPal for reasons that I fully support, but who offers a BUNCH of ways to contact him, and to verify his identity, including his phone number, his work address, and the offer to play the instruments he's selling for you on Zoom, so that you can see HIM, see the actual instrument, and hear it for yourself -- including the fact that the instrument is currently in his possession.

Heck, that might be the way to smoke out a scammer FAST -- will you play the instrument for me over Zoom? Their response will tell you a LOT.

Anyway, I love text messages, and we'll be doing more with text here for the people who prefer it, but I'll never recommend it as a way to verify a seller's identity. :)

Back under the hood for me for now....
 
Top Bottom