
PayPal Phishing Attempt



Today I have received emails with PayPal phishing-attempts to several email addresses that I have ONLY used for Second Life. So far 5 email addresses (one for every Alt) have been affected.

All phishing emails tried (unsuccessfully!) to lure me to a subdomain of gff23.com to "update my PayPal information". The subdomain differs between emails. The emails have been in German, but my location can easily be deduced from the domain-name of my email ending in ".de".

I want to point out again that these email-addresses were NEVER used for anything else but SL. These emails were NEVER used for PayPal. They were only used for registering the various SL accounts.

SL: You have a serious data-leak here!

I had a similar problem about 2 years ago if I remember the timeframe correctly. Back then also only emails used for SL were affected. But back then it wasn't PayPal-phishing, just general spam-mails, in most cases for some casino or other.

Do not even try to suggest that I myself am responsible for the leak of these email-addresses. My computers are secure. I have been an IT-professional for 20+ years. I host the mail-server myself. And NONE of my other email-addresses are affected by this. Only email-addresses used for SL. And the ones affected were never used for anything but SL.


Do you use Microsoft Exchange? LDAP? Is your user directory safe? Does your mailserver respond with oracles (such as SMTP error codes) for non-existent usernames? How about for SMTP or HTTP-based login attempts? Did the attacking servers try any non-existent addresses?

I don't see any reason to suspect the issue is LL-based solely on what you've said so far.

I did see what looks like a mass-attack to German domains from a Hong Kong company this morning, using the same destination domain. Does this abuse email align with what you've seen? abuse@hknet.com

Run a security audit, take a look at the vector they used and whether any probing took place beforehand. Doesn't help anyone to jump to conclusions.


I do not use MS Exchange. I use hMailServer.

The email-addresses can't just be "guessed" by some attacker. They are all in the form of "sl_user_firstnamexxxxxx@mydomain.de" where "xxxxxx" consists of several random digits.

While the mail-server does respond with an error-message when trying to send to a non-existent email-address, this would be of no help here to the phisher. Simply because if someone had guessed these email-addresses, then not only my SL email-addresses would be affected, but others too. And that is not the case. Only email-addresses used for SL are affected. And I have about 100 others. I use a separate email-address for every place where I have to give an email-address. The chances that someone guessed several of my SL email-addresses, but NONE of the others, are basically zero.



Cerise Sorbet wrote:

These spam outfits just use brute force and land on working addresses by chance. The problem became so bad years ago, that mail servers had to stop supporting basic commands like EXPN and VRFY.

I know this, but thanks. :)

I was hoping the OP would check their security log to see other attempts to reach valid users in their incoming mail logs.

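Freya's questions above about SMTP error-code oracles and Cerise's note on VRFY/EXPN come down to one check a mail-server operator can actually run: count, per connecting IP, how many RCPT TO attempts the server rejected for unknown users. The script below is an added example and not code from any poster or from hMailServer; the log format, IPs and addresses in it are constructed for the example (hMailServer's real log layout differs) and the flagging thresholds are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (NOT hMailServer's real format): timestamp, source IP,
# the recipient offered in RCPT TO, and the SMTP reply code the server returned.
# 203.0.113.7 walks through guessed local parts; the other two sources look normal.
SAMPLE_LOG = """\
2014-01-15 10:02:13 203.0.113.7 RCPT TO:<sl_user_anna491220@example.de> 250
2014-01-15 10:02:13 203.0.113.7 RCPT TO:<anna@example.de> 550
2014-01-15 10:02:14 203.0.113.7 RCPT TO:<anne@example.de> 550
2014-01-15 10:02:14 203.0.113.7 RCPT TO:<annie@example.de> 550
2014-01-15 10:02:15 203.0.113.7 RCPT TO:<ann@example.de> 550
2014-01-15 10:02:15 203.0.113.7 RCPT TO:<info@example.de> 550
2014-01-15 10:02:16 203.0.113.7 RCPT TO:<admin@example.de> 550
2014-01-15 10:02:16 203.0.113.7 RCPT TO:<sl_user_anna491220@example.de> 250
2014-01-15 11:30:02 198.51.100.9 RCPT TO:<sl_user_anna491220@example.de> 250
2014-01-15 12:45:41 192.0.2.33 RCPT TO:<webmaster@example.de> 550
2014-01-15 12:45:41 192.0.2.33 RCPT TO:<sl_user_anna491220@example.de> 250
"""

# One RCPT event per line: "<date> <time> <ip> RCPT TO:<addr> <3-digit code>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) RCPT TO:<([^>]+)> (\d{3})$")


@dataclass
class SenderStats:
    accepted: int = 0
    rejected: int = 0
    unknown_recipients: set = field(default_factory=set)

    @property
    def total(self) -> int:
        return self.accepted + self.rejected

    @property
    def rejection_ratio(self) -> float:
        return self.rejected / self.total if self.total else 0.0


def parse_rcpt_lines(text: str) -> dict:
    """Aggregate RCPT TO outcomes per source IP from the log text."""
    stats = defaultdict(SenderStats)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an RCPT event; ignore
        _ts, src_ip, rcpt, code = m.groups()
        if code.startswith("2"):
            stats[src_ip].accepted += 1
        elif code.startswith("5"):
            # Permanent rejection: for this example treated as "user unknown"
            stats[src_ip].rejected += 1
            stats[src_ip].unknown_recipients.add(rcpt.lower())
    return dict(stats)


def harvesting_sources(stats: dict, min_rejected: int = 5, min_ratio: float = 0.5) -> list:
    """Source IPs whose pattern looks like address guessing: many distinct unknown
    recipients and a high rejection ratio. Thresholds are assumptions for the example."""
    return sorted(
        ip for ip, s in stats.items()
        if len(s.unknown_recipients) >= min_rejected and s.rejection_ratio >= min_ratio
    )


if __name__ == "__main__":
    stats = parse_rcpt_lines(SAMPLE_LOG)
    for ip, s in stats.items():
        print(f"{ip:15} accepted={s.accepted} rejected={s.rejected} "
              f"distinct_unknown={len(s.unknown_recipients)} ratio={s.rejection_ratio:.2f}")
    print("suspected harvesting:", harvesting_sources(stats))
```

Guessing a local part with several random digits, as described in this thread, would show up as one source with thousands of distinct rejected recipients; a handful of scattered 550s, which is what the OP reports, does not fit that pattern. Turning off VRFY and EXPN, as mentioned above, removes the cheap oracle, but RCPT TO still reveals whether an address exists unless the server delays or rate-limits its rejections.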

I'm not saying that SL is doing these phishing-attacks. They are certainly NOT doing that.

I'm saying that they should try to find out how the data leaked from them. Either from them or their payment processor.

Oh... and the 100 email addresses are useful. At least now I know where the leak came from. I can change the affected addresses, disable the old ones, and will not get any phishing/spam to them in the future. :)


It's still a curious case - most of what I'm seeing traces back to a German student and a sneaky DNS that points back to the Australian PayPal handler (I've no intention of publishing specifics, it's common for phishers to fake this). It's far more likely for this to be an attack based on the destination domain than specifically because of where your accounts are used.

Maybe you have other security issues or have had your outgoing or incoming data listened to. If your SL addresses are more active than the other ~95, it'd be obvious to target the active addresses. There are of course ways for third parties to obtain your data that have nothing to do with SL - browser extensions, cookie or session exploitation and other social engineering.

I don't like dealing in hypotheticals. You're probably going to have to do some work on profiling this attack if you want any specific help. Occam's Razor is against your claims at the moment, there's absolutely no reason to assume this is some issue that LL has caused.


Edit: I still think having 100 email addresses is not a needed layer of protection (as it is not), because I have gone through years of internet-use without any phishing attempt and I have less than 5 different email addresses.

But...seems like somewhere between Germany and LL is a leak. Just got an email that was obviously fake from "paypal" that I would need to log in and update my information....yeah...sure...

And I saw others on a German SL forum talking about the same issue.


If my incoming/outgoing data had been listened to, then not only SL addresses would be affected. I just checked and less than 5% of my emails are SL-related.

I have also used PayPal in connection with some of the other email-addresses. Several web-hosters for example where I pay with PayPal. None of those email-addresses are affected. So if someone were to attack all my emails that have a connection to my PayPal usage, then why aren't those affected? Why are NONE of my other email-addresses affected?

So far I see all but one of my SL-emails affected. And none of my other emails. To me the simplest possible explanation for this is that the email-addresses somehow leaked from SL.

Edit: Now ALL my SL-emails have received the phishing email. Still NONE of my other email-accounts have received it.


Sorry, no. This isn't the 'simplest possible' explanation - the simplest possible explanation in this case is definitely user error. Since it sounds like you're unwilling to investigate your own systems and are more interested in projecting this fault outside your sphere of control, I think I'm done with this issue.

Why would it have anything to do with your PayPal accounts? Why would it have anything to do with LL's payment processor? You're seeing zebras where you should be looking for horses.

Paste some header information, see if they've attacked you before. Anything that lends any credibility to your assumptions.



Syo Emerald wrote:

But...seems like somewhere between Germany and LL is a leak. Just got an email that was obviously fake from "paypal" that I would need to log in and update my information....yeah...sure...

And I saw others on a German SL forum talking about the same issue.

As I say the attack looks like a big one, but there's no reason to assume the faulty link lies with SL-related services. There's many things that can go wrong with Internet security and Email that have nothing to do with LL.

If every case of PayPal phishing was related to this attack, I'm sure the author would be a very busy person. Compare trace information with the OP (probably privately) to see if your attack was related or coincidental. Specifically, if your PayPal traces back to .au domains, you may be onto some commonality - because this is what I've seen when wasting my time investigating the OP's attack. PayPal itself is a BIG phishing target.

Freya oooooooooooout. *drops mic on stage*


Freya: It looks like you simply do not want to accept the facts.

1) ALL my SL-email accounts have received the phishing mail.

2) NONE of my other email-accounts have received it.

I brought up my PayPal account, because that's what's being targeted. And because if someone were somehow scanning my ingoing/outgoing email for something to do with PayPal (because that's what they are targeting), then those other email-accounts would be affected as well.

I HAVE investigated this. I checked my mailserver-logfiles. Nothing unusual there. Sure, the occasional attempt to send an email to a non-existing address. But nothing even close to the amount necessary to guess email-addresses that look something like this: "nicolette926478474@somedomain.de"

You would need millions of attempts to guess such an email-address. And I would have found such a large-scale attack in my mailserver-logfiles. Plus if someone were to run such a huge attack, then why didn't they stumble on one of my other email-accounts too?

I am not a noob when it comes to security. I have administered webservers for more than a decade now. I take security VERY seriously.

LL's payment processor has (or at least used to have) all the SL email-addresses that are used with PayPal or credit-card payments to LL. I consider this a low probability though. In the past your email-address would be listed on the checkout-page of the payment-processor. Currently this is no longer the case. And one of the affected email-addresses is relatively new. So I doubt that LL's payment processor has ever seen this one. I hadn't thought about that before. That leaves LL itself as the likely origin of the leak.


Same for me. I also use an email account only for SL. Never have any outside communication with it.

I got the PayPal spam only on this account. I have at least 9 other mail accounts hosted with the same provider. Only my SL-based account got that mail.

It was easy to recognize as spam. But it is strange that other accounts are not affected. Probability teaches that I should get it on other accounts too.

Maybe later, but not yet...


You don't really think that a group of organisations (Remember, it's not just LL; they outsource several functions, and the home-based moderators have access to your account details on their PCs in their bedrooms or kitchens, which are probably not entirely secure . . . ) who can't even prevent frequent and regular spam attacks on their - Lithium hosted - forums have a coherent security system?

In fact, if you really want to start worrying, the recent ToS changes could even be interpreted - by idiots/marketing department staff - to mean that not just your intellectual property within the game was usable by LL and its cronies, but also any personal information you shared with them.

They are potentially running into serious problems of course, as Europe has laws about this sort of thing, even if the USA don't - and once LL withdrew operations from their European locations they exposed themselves to all sorts of potential litigation.


There are no facts in your post. Just anecdotal data that doesn't help narrow anything down.

Obviously I concede that it wasn't a large-scale trial and error assault on your mailserver specifically, you've said as much by now, but there's no way for us to know this. I'm not going to reel off every one of the hundred or so things that could possibly have caused this, all I have are guesses because I haven't seen any of the associated material and I (obviously) have no experience either of your skill in this field or your mailserver.

I have to go with what I'm given, which isn't much. There's not enough here for me to do any further digging, but 5 minutes spent looking at this thread tells me it's more geographic than service-oriented. I have no idea why you're imagining this is a *leak* on LL's (or any connected services) part. Making such a bold claim is not only very likely mistaken, but it narrows the scope of investigation far too far - because you're looking for zebras.

Things I do know:-

  • Not all SL accounts were affected
  • Not all German SL accounts were affected
  • The associated domain's behaviour matches typical, mass-interest phishing behaviour.
  • The operator of the sender domain isn't particularly smart
  • Those who received information from this sender did not necessarily have an SL account attached to their Email

Come up with some data, connect some dots. Do anything except tell people who are trying to help that they "don't get it". Fighting each other makes no sense.


Obviously I am not you, and I cannot see what you see, but I will say I wouldn't be so quick to judge LL or assume they have a leak. I've spent the better part of a couple hours speaking to family and a few other people (all overseas from me, quite a few in Germany, if that helps any; I'm not sure it does, but it might) who also received a very similar phishing attempt. NONE of those people have SL accounts. Yet they still had the same issue. Some of them are also RL business contacts of mine, and are most definitely a lot smarter than I could ever dream to be when it comes to such things.

The couple of facts I do know are that it is NOT only affecting SL-related accounts, but it IS affecting a lot of people, or has anyway.
I have absolutely no evidence, but I'll continue to believe the fact that your email addresses have "only been used for SL" is actually a coincidence. A crappy one, perhaps creepy too, but a coincidence nonetheless. I wouldn't think this if people who aren't connected to SL in any form weren't also getting these same emails. They are, though. Even people in SL have had this problem with emails not connected to their SL accounts, as well as their SL accounts too.

I'm glad none of your other non-SL-related accounts have been phished. But others haven't been quite so lucky. Personally I'd be glad others were trying to help me solve such an issue and not throwing a verbal hissy fit telling them they don't understand because you're smarter than they are, and you have more experience, and they can't possibly be right (yeah, that's how you read). Then again, I'm glad when people try to help me solve problems, even if the problem never gets solved. But that's just me, I'm a bit weird.


Thanks for this, Tari.

Correlation is not causation.

I've seen other victims today - as I say above - who had no SL accounts yet received similar messages. I don't have enough to tie those to the same attack as the OP as they only posted one piece of identifying data.

My initial evidence suggests it's a play on the *.de TLD or Email addresses where the holder is located in Germany that are easily/cheaply available from data brokers. It's not exclusively German recipients, but the attack seems, to me, to be focussed in this area.

Jumping to conclusions helps no-one.


I'll try again:

I have received today's phishing-attack on 8 email-addresses. All of them are used only for SL. So only two parties should know these addresses. Me myself and LL.

If the leak were on my side, why were the email-addresses used for SL affected and NONE of the other ones? We are talking about 8 out of about 100 addresses. If the leak were on my side, then the affected email-addresses should be random picks out of the available pool. A little skewed probably depending on how much I use the various addresses. But still close to being random. And for a random pick of 8 out of 100 we are talking about a chance of 1 in 186 billion that it is just coincidence that these specific 8 were picked. And 1:186bn is about 1000 times less likely than hitting the jackpot in a lottery. That makes the other explanation, that the leak happened at LL, look MUCH more likely.

As for people getting phishing-emails who are not on SL: I'm not surprised. Every phishing-attack can have multiple sources of email-adresses. And there are probably several different phishing-attacks against PayPal running at any given time.

And as for how I sound: I didn't come here to offend anyone. But I also didn't come here to be offended by someone plainly denying the evidence and saying that the fault probably was my own when the evidence clearly states otherwise.

I'm not actually blaming LL for what happened. They are big enough that they are a high-profile target for hackers. And that means sooner or later someone will get you. I posted here so that they'll know about this and can start looking for how it happened. Because that's the only way to make sure that it doesn't happen again.

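The 1-in-186-billion figure in the post above is the hypergeometric probability that 8 addresses drawn uniformly at random from 100 all land in one particular set of 8. The functions below are an added example, not the poster's own calculation: they reproduce that number with Python's math.comb and also cover the general case (at least k of the draws falling in the subset), which the post does not spell out. The uniform-draw assumption is the poster's; the function names are mine.

```python
from math import comb


def prob_all_hits_in_subset(total: int, subset: int, hits: int) -> float:
    """Probability that `hits` addresses drawn uniformly without replacement from a pool
    of `total` all fall inside one particular subset of size `subset`.
    Assumes every address is equally likely to be drawn (uniform sampling)."""
    if hits > subset:
        return 0.0  # cannot fit more hits than the subset holds
    return comb(subset, hits) / comb(total, hits)


def prob_at_least_in_subset(total: int, subset: int, hits: int, at_least: int) -> float:
    """Probability that at least `at_least` of the `hits` draws land in the subset
    (hypergeometric tail). With at_least == hits this equals prob_all_hits_in_subset."""
    favourable = sum(
        comb(subset, k) * comb(total - subset, hits - k)
        for k in range(at_least, hits + 1)
        if k <= subset and hits - k <= total - subset
    )
    return favourable / comb(total, hits)


def odds_one_in(p: float) -> int:
    """Express a probability as '1 in N' for readability."""
    return round(1 / p)


if __name__ == "__main__":
    # The thread's numbers: 8 affected addresses, all from the 8 SL-only ones, out of ~100.
    p = prob_all_hits_in_subset(100, 8, 8)
    print(f"all 8 of 8 draws in the SL set: 1 in {odds_one_in(p):,}")
    # Weaker version: at least 6 of the 8 draws in the SL set.
    p6 = prob_at_least_in_subset(100, 8, 8, 6)
    print(f"at least 6 of 8 draws in the SL set: 1 in {odds_one_in(p6):,}")
```

The model covers uniform sampling only; the post's own caveat that heavily used addresses are likelier to leak would need per-address weights, which this example does not attempt.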

Today I got two German PayPal phishing mails. Both are mail addresses used for Second Life.

The problem is that one of the mail addresses is ONLY used for Second Life.
I've my own domain and I registered an alt account with random characters as name (catch-all, so not listed anywhere). I never entered that mail address anywhere else than the registration form of Second Life. NEVER. The only thing I get on that mail are Second Life things and nothing else except the PayPal spam today. I'm using Google Apps.

I am more sure than anything that the phishers got the mail address from Second Life. There is NO way that it comes from anywhere else. According to support chat only staff can see mail addresses and I personally feel like there is a big privacy issue going on here.
