PayPal Phishing Attempt

[Perrie Juran]

I'm not even going to try to attempt to decipher what may or may not have hapenned.

We do know that sometimes even some of the most secure servers in the world get hacked.

My question is have you reported this to security@lindenlab.com ?

With the necesary details for them to investigate.

Otherwise coming here and raising hell about it is kind of fruitless.

And for the record, because they are a registered Money Exchange Service, LL is required by law to have security protocols in place to protect your information, as well as whoever processes payments for LL.

To be clear, I am not saying something didn't happen.  But if you haven't reported this potential breach then you have done nothing to help the situation.

[Perrie Juran]

---

Nicolette Lefevre wrote:

 

I'm not actually blaming LL for what happened. They are big enough that they are a high-profile target for hackers. And that means sooner or later someone will get you. I posted here so that they'll know about this and can start looking for how it happened. Because that's the only way to make sure that it doesn't happen again.

---

I am going to say something here now.

You claim over ten years experience administering webservers and you posted to a Forum to let LL know there is a problem?

Are you kidding  me?

Seriously?

If you were my webserver administrator you'd be looking for a new job yesterday.

Yeah.

I'm just some random Martian who uses a computer to play around on the Internet and even I know you contact security and/or abuse @ the providers domain.  Companies use these as defacto addresses for this purpose to keep things simple for everyone.  But even then I double checked LL's website to confirm where to report security problems before I posted the E Mail address above.

And to be clear again, I am not saying a breach didn't happen.

Sheeeesh

 

 

eta:clarity

[Griffin Ceawlin]

---

Perrie Juran wrote:

---

Nicolette Lefevre wrote:

I posted here so that they'll know about this and can start looking for how it happened. Because that's the only way to make sure that it doesn't happen again.

---

You claim over ten years experience administering webservers and you posted to a Forum to let LL know there is a problem?

---

LOL. That is funny.

@OP: Doubtful anyone at LL will read your post unless it's flagged for the mods.

[Czari Zenovka]

---

Syo Emerald wrote:

But its still pretty baseless to assume LL would be behind this spam attack.

But then again this proves that 100(!) different email adresses are pretty useless. :matte-motes-stress:

---

I was thinking that (on both counts).  I have several different email addresses but basically just use one for everything.  I've also used PayPal since pretty much when it came out because, at the time, I was purchasing things on eBay and PayPal was being touted as a more secure online payment method.  I've never received any of these PayPal phishing schemes.  Once in awhile I receive a phishing email from WoW, but those are apparently fairly common.

I'm inclined to agree with the geographically-based email attack.

[Pie Serendipity]

---

Griffin Ceawlin wrote:

@OP: Doubtful anyone at LL will read your post unless it's flagged for the mods.

---

I have tried being rude about the Mods in this thread to try and attract them here.

But so far, no warnings, no bans, and no statement that all email addresses are written in invisible ink on the gossamer wings of magic dragonflies and could not possibly be hacked.

Ain't it always the way, when you need their attention they are looking in the other direction.

 

[KarenMichelle Lane]

Mmmmmmm,

10's of thousands of people with SecondLife Accounts  use PayPal to make payments and transfer USD balances to. Thank you for the Heads-Up however, I'll just wait a bit before jumping on the Let's crucify Linden Lab bandwagon until we get a few more indications that a MASSIVE Account security breech has occurred.

So far I've seen a single mention of another SL Account Holder being sent a PayPal Phishing Scam Email this last week.

The jury is still out.

 

P.S. I use PayPal as an accepted payment method for my real life businesses and I'm used to seeing  these scams. I've received them on my Primary PP account email as well as my staff email addresses when we don;t use these addresses for anything other than making demands for payment to our customers. I'm sure many of our customers PCs are compromised but this is not my issue.

[Ivor Rident]

Hello everyone,

I'd like to join this new SL community. Just a few mins ago my "SL-only used" mail forwarding was tried to be tricked into some "Paypal information update".

 

Just wanted to let you know that more accounts are involved, not just one or a few (rememberring those who do not participate in this forum at all, so dont know about this thread).

 

This are the facts I could gather from that mail :

Programme used for sending : PHPMailer 5.2.2-rc2

mail adress spoofed as : service@paypal.de

original mail adress : repsol2007@me.com

Link I should click and follow to:

hxxp://6i6tmnrw.gff23.com/de/?...bla bla bla yadda yadda

 

Could some real full admin or better a LL network specialist and security supervisor take care of this issue ?!

With kind regards,

Ivor

[Freya Mokusei]

Suggest you remove that link, or swap the first part from http:// to hxxp:// so that it doesn't become clickable. Posting links containing probable malware is a quickfire way to get a slap.

This issue has nothing to do with LL (anyone can send you spam, LL didn't send it), and they don't read this forum.

If you really want to waste LL's time with this, see the Email address provided earlier in the thread. Again, phishing Emails are incredibly common, your data is your own duty to protect, none of this is any kind of big deal.

[Nicolette Lefevre]

I agree about the link. I would even go a step further. Ivor, you should remove everything before the gff23.com and everything after the "?". Because quite frankly, by posting that link you actually told everyone here your email-adress. It's encoded in the link.

And Freya, I see you still think that this is not SL's fault, even though every single piece of evidence is clearly pointing in that direction.

[Freya Mokusei]

I don't have any patience left to deal with you. If you've got actual evidence, paste it. I've asked you for this repeatedly and seeing as you don't, I'm just left to assume you're not interested in investigating the issue.

I'm not going to deal with vague probabilities and the assumption that you have any grasp of data discipline - I've seen no evidence of anything that you claim. As I said on page 1, I don't deal in hypotheticals and imaginary suspicions.

If others have questions I'll do my best to answer, but it's not my job to teach someone who claims 2 decades in the IT industry how to profile an attack on their own data. This is security 101.

I've got stuff to do.

[Wolfspirit Magic]

As a response to my Group Notice send out according to paypal phishing in the official Firestorm Support Group for Germany, I got many responses of people who got that mail. Everyone who got that mail, got that mail via a mailadress either used or was used for Secondlife. Also nearly every (german) friend of me got that Mail, too. I assume that especially mailadresses with ".de" were targeted as the mail is written pretty well in german. Once you enter data into the form, the link gets invalid and redirects to google with the search query "paypal.de" for me, which is a wrong redirection in the attackers sourcecode in my opinion (redirect to paypal.de not http://paypal.de for example, which fires the local search engine). I assume that the attacker has a database with all mailadresses he send out and checks if the link was used before. (the mail is encoded via base64 in the url) Supportchat of LL is not helpful and told me that he can't do anything and that only staff can see the mailadress and that the staff does not send out phishing mails (great support). However there were mails going to LL and I hope there's a response soon.

[Nicolette Lefevre]

What do you want me to paste? Error-logs from LL's own servers that prove how they were hacked? I naturally do not have access to those. Or my own mail-server logfiles? Not gonna happen as that logfile contains private information that I'm not going to disclose. The header-lines of the emails? They also contain information that could identify me, and without that information the header-lines of the emails would be useless.

And to state it yet again: I have 8 different email-adresses that I use for SL and for nothing else. All of them have received the same phishing-email. The emails differ only slightly in the link-URL (which contains the encoded email-adress) and they have several different senders. The text of the emails is the same in every single case. These 8 emails arrived over of a 4-hour timeframe yesterday. My affected email adresses each contain several random numbers that make it highly unlikely that they can be "guessed" by a brute-force attack. I'm hosting the mail-server myself, so my email-adresses can also not be found by hacking some 3rd-party email-provider.

I have about 100 email-adresses in total. None of the non-SL adresses have received this phishing-email. Not a single one. The statistical chance of this being just a coincidence is about 1 in 186 billion. So for all practical purposes that rules out the possibility that my own server was hacked. Because if that were the case, not only the email adresses used for SL would be affected, but all of them.

There are other reports here in this thread that people have received the same phishing-email to an email-account that they only use for SL.

Now, what more do you want before you come out of denial?

You are not helping at all here. So why don't you just do what you promised several times, and just leave this thread alone?

[Freya Mokusei]

Redacted mail headers would be lovely, a backtrace on the senders IP, tracking the whois, seeing if they've attacked you before, malware testing results, literally anything that can establish a visible reason for them to have found your address. You keep talking about evidence, but all you talk about is email accounts and probability - if you have anything that gives you an actual reason to suspect this had anything to do with your Second Life account, the security of the Second Life platform or your experiences on Linden Lab web services then PASTE THIS EVIDENCE - otherwise you're just making assumptions (this is how evidence works).

Hunt through the LL payment process (if that's where you think the fault is) and look for stray scripts or unencrypted information, XSS whatever. Check your cookies, check for exploits in your network and system. This is supposed to be your job, I'm not going to instruct you every step of the way.

Work with the other posters here to see if you all got hit by the same attack - at the moment the only thing you have in common is the word 'Paypal' (though one other person mentioned the same target domain). This isn't even the beginning of correlating information. If I claimed a company had been hacked every time I saw a phishing scam I would be a very busy person.

You persistantly ignore that other people, without SL email addresses have ALSO received this phishing mail. It doesn't - by any stretch of the imagination - seem to have anything to do with LL, just bad luck and poor control of your own data. Like it or not, you're ignoring FACTS when you discard this. These facts may very well help you to figure out where your problem came from.

You seem to still be blaming other services for this, something about third party hacks? I have no idea, you seem to just be spinning in circles. It's most likely that you gave this data away yourself - no-one would need to guess or do anything. You don't seem to have investigated this at all and yet you've decided that a service that reliably serves tens of thousands of people daily has a leak because MAGIC.

There's no denial, because you've not built any kind of case for this. You can't just say "I got phished therefore LL has been hacked." - that's nuts. Talk serious, or talk to someone else.

[Tari Landar]

---

Nicolette Lefevre wrote:

 

There are other reports here in this thread that people have received the same phishing-email to an email-account that they only use for SL.

Now, what more do you want before you come out of denial?

You are not helping at all here. So why don't you just do what you promised several times, and just leave this thread alone?

---

Ok now I'm really scratching my head here. Aren't you also failing to notice the reports people are making about email accounts NOT attached to sl in any form, also getting the exact same phishing attempt? I'm pretty sure others aren't intentionally trying to be in denial about anything. If anything I think everyone here has been pretty damn helpful, as far as us peon residents can possibly be(I mean no disrespect, we're all peons to ll, lol). The folks at ll aren't even going to likely look at this thread, much less do anything about it. So, folks, are trying to help. Yes their help may not help you, that's a given with anything we post here. That doesn't mean it won't help someone else. So trying to act like this thread is all about you, simply because you chose to post, is a bit one sided in and of itself. Now acting holier than thou, out of frustration I am sure everyone can sympathize with, is only going to get people who may be able to help or want to help, decide you're not worth the text. That hardly seems productive to me.

You're being overly hostile, again I can see out of frustration, but you're directing it to the wrong people. Even if their advice was crap-and I don't personally believe it is, it's very helpful in numerous ways even if not to you-my mother always taught me it's best to say thank you anyway, just because they tried. I may be considered odd for that, but I'll take it.

I'll say it again, people, all over the web, all over the world, have been recently hit by phishing attempts and even outright hacks. That doesn't necessarily mean they were all hit by the same person, people, or program-whichever is running it. But it also doesn't mean there isn't any possibility that they are related. So perhaps not looking at it from the direction you are looking at it(pinpointing it on ll, which yes, you are doing, and apparently cannot see this, I can since it's not my email, this time, with the attempt) would be a great idea.

I don't personally care what anyone's experience in, well anything, is. No one is an expert at everything, including their own field. No matter how long you've been doing that. I learned that a very long time ago. Since I'm not that old, I consider knowing this, and living by it, more of a handy helper than a hinderence. Again, I'm probably a bit odd for thinking so. You're no expert either, no one is. No one can possibly know anything and everything. No one can possibly fix anything and everything. It's never a good idea to assume everyone reading, is an idiot. That's how you're coming across. You never know, maybe someone reading can help, offer insight, it's entirely possible your abrasive attitude will drive them off faster than drive them to help.

That's friendly advice, not meant to be mean or, sound as if I'm bashing you, because I'm really not. I just hardly see how you're helping your own self here, at all.

[Phil Deakins]

---

Freya Mokusei wrote:

To be clear, I never ridiculed you.

I asked for information, you stonewalled. I provided other cases that don't match your hypothesis, you repeatedly ignored.

There is nothing more I can do.

---

I've read all of this thread so far (up to the post I'm replying to) and, to be fair, Freya, the evidence/experiences presented does weigh heavily on the side of the email addresses coming from LL's end.

[Phil Deakins]

I can't let your post go without responding, Freya.

---

Freya Mokusei wrote:

Suggest you remove that link, or swap the first part from http:// to hxxp:// so that it doesn't become clickable. Posting links containing probable malware is a quickfire way to get a slap.

This issue has nothing to do with LL (anyone can send you spam, LL didn't send it),

and they don't read this forum.

If you really want to waste LL's time with this, see the Email address provided earlier in the thread.

Again, phishing Emails are incredibly common, your data is your own duty to protect,

none of this is any kind of big deal.

---

Nobody has suggested that LL send the phishing emails, so those words were wasted.

However, if the various reports in this thread are correct, and we have no reason to doubt them, it definitely IS something to do with LL in that the emails addresses were acquired from LL's system one way or another. You can't keep on believing that it's just the OP who made a mistake somewhere when other people in this thread have reported exactly the same thing. The evidence weighs heavily towards a breach at LL's end.

I'm sorry, but that's rubbish. Data at MY end is for me to protect. Data at LL's end (e.g. our email addresses) is absolutely for LL to protect.

[Phil Deakins]

---

Freya Mokusei wrote:

I don't have any patience left to deal with you. If you've got actual evidence, paste it.

---

You keep finishing with this thread but you keep posting more.

The OP posted evidence in the first post. Other people have posted evidence too. It seems like you'll only settle for proof rather than mere evidence.

I should comment on the 'evidence' that the phishing isn't just aimed at SL dedicated email addresses. The fact that that is so does not mean that emails addresses were not lifted from LL's end. The fact that the dedicated SL email addresses of several people in this thread and, I would assume, many more who don't use the forum, were included in the phishing does mean that they were lifted from LL's end. I don't see any other conclusion that can be drawn.

[Freya Mokusei]

I'd be impressed if you have enough information to make that judgement, Phil. I can't vouch for the integrity of any network except those under my direct control. Skepticism is good, and correlation is not causation. Reading isn't enough either I'm afraid, have you examined author domain? This isn't any skilled outfit.

Remember that anyone posting here is going to have an SL account - look on the wider Internet for this attack affecting non-SL accounts.

Also - obviously - any issue caused by a compromised system or network, hijacked sessions, browser exploits, blahblahblah is NOT LL's responsibility. Account data integrity is a serious issue in SL, and LL know how to protect it (they've had such leaks before, none of the markers match) from script kiddies playing Go Phish. The only claims that it could have something to do with LL are phrased in such a way that I doubt there's much induction behind them.

I'd need something a lot more concrete than "Well because I said so" to agree with someone who claims LL's been the victim of a breach or leak.

[Freya Mokusei]

---

Phil Deakins wrote:

You keep finishing with this thread but you keep posting more.

The OP posted evidence in the first post. Other people have posted evidence too. It seems like you'll only settle for proof rather than mere evidence.

---

I'd love for the OP to give me something even remotely supporting of their assumptions. Other people posting "I got Email from PayPal too" doesn't add anything to the OP's cause until they can determine that the attacks were connected. As I've said repeatedly PayPal is big phishing target, using a single Email as an excuse to scream HAX is not how you investigate this kind of attack.

And yeah, I know I should've left this thread by now. The OP re-engaged me specifically and deliberately, and continues to do so. If they want help investigating this issue I can help them, if they don't want help then I'm happy to let this thread die.

I'm not going to sort through this whole thread. I appreciate your feedback but I feel that I've handled this well and I'm confident in my decisions but I'm not going to jump back into this whole mess again - if you want to help the OP, have at it.

[Phil Deakins]

The only information I have is what is written about dedicated SL email addresses, by a number of people, in this thread, Freya. It's all I have to go on. And the fact that it appears to be a lot more than just the OP, weighs heavily in the favour of those addresses being acquired at LL's end. The fact that the phishing is aimed at other, non-SL, .de addresses is irrelevant.

What you can't do is what you've been doing throughout this thread - blaming it on the OP. You might have been able to if the OP was the only one but there are many more people with dedicated SL addresses who have also received the phishing email at those addresses.

I disagree with you as to whether or not it's LL responsibility. It IS LL's responsibility to protect our private data, which includes our email addresses. I know that any protection cannot be absolute, but if/when it is breached, then it is most definitely LL's responsibility to take steps to try and ensure that it doesn't happen again.

You said that you need something more concrete... How many people who receive the phishing email at their dedicated SL email address do you want before you accept that it's not likely to be each individual's own fault?

[Phil Deakins]

---

Freya Mokusei wrote:

I'd love for the OP to give me something even remotely supporting of their assumptions.

Other people posting "I got Email from PayPal too"

doesn't add anything to the OP's cause until they can determine that the attacks were connected.

---

You are forgetting about those who posted that they got the email at their dedicated SL email address. It's those who show that it's not the OP who has inadvertently made a mistake somewhere. If it were just the OP's dedicated email address, I couldn't argue against your posts. But it's not just the OP's addresses. Other people have said that they got the email on their dedicated SL addresses.

 

ETA. Someone posted that sites like SL do get hacked for email addresses. Don't you think that's true? If it's true, then, together with the multiple reports of SL-dedicated email addresses that received the phishing email, it does seem very likely that those email addresses were lifted from LL's end.

[Freya Mokusei]

I'm tired of this, Phil. I'm not going to address each point because there's nothing new to add.

'Many more'? No. If everyone in the world who recieved a phishing Email that said PayPal on it responded to my thread yesterday (all hundred million or other imaginary number), would this have proved the leak was somewhere in SL? No. It means nothing until you work out the common cause. For example, Germany's going through a political election at the moment - do German citizens have the capability to vote online or by Email? Maybe there's some market in getting this information now? This is a completely fictional hypothetical that is WAY more likely than anything suggested by those who recieved PayPal messages (one of whom stated that LL support are the only people who can see personal Email addresses, and said that this was 'suspicious', lol).

'Dedicated SL address' means naff-all. Maybe they had Gtalk, Skype or other secondary services going through the same point. Maybe they have their login information saved to their browser, maybe there was a plaintext cookie. Maybe they followed a Mumbai-based link on the Forums and their PC was exposed, maybe they logged into SL from a public wifi hotspot. Who knows. I don't, I've seen nothing that means I should credit the OP with having tested for these things.

Data protection is a thing, obviously. You're completely right that if there had been a breach, LL have an obligation to inform us and/or investigate the cause. No-one knows what goes on inside SECJIRA, but LL have historically been very quick to notift the userbase when any account information is compromised. This supports my position. I don't know US law brilliantly, but I know California has several provisions in place for this type of thing.

I have examined the origin server, I tracked the phishing shot as it jumped around yesterday morning almost in real time. I'm happy with my assessment that the OP is jumping to conclusions. You're welcome to do your own investigation, as I have encouraged the OP to do. I am satisfied.

Is this enough? I'm happy to be proven wrong, as usual, but I've seen very little in the way of useful, informative suggestions or ANYONE willing to correlate their information with others. At the moment everyone just seems happy to poke holes in what I'm saying rather than finding answers for themselves.

[Phil Deakins]

---

Freya Mokusei wrote:

'Many more'? No. If everyone in the world who recieved a phishing Email that said PayPal on it responded to my thread yesterday (all hundred million or other imaginary number), would this have proved the leak was somewhere in SL? No.

---

One thing is certain. Those SL-dedicated email addresses were acquired from somewhere. On that, we can agree.

It's true that an email travels the world, and passes through many systems, before it reaches its destination, and the addresses could have been garnered from some of the systems. It's also true that the many thousands of addresses were most likely gathered over a long period of time and, now that they are on the list, they'll no doubt be used for years by phishers and spammers.

In the OP's case, there is one helluva coincidence that, out of ~100 addresses, only the SL-dedicated ones received the phishing shot, even though the OP has been using other addresses. That alone does suggest that the addresses were acquired from LL's end. If it weren't for that, then each dedicated address that received the scam could be put down to  being picked up somewhere along the way when it was used or from a major site, such as gmail, being hacked. One site with lots of email addresses that are worth acquiring is, of course, LL's.

Putting the OP's experience, and the fact that it's his/her own mail-server and not something like gmail, together with the other experiences of dedicated addresses, the balance of probability is, imo, that the dedicated email addresses were acquired at LL's end.

[Freya Mokusei]

---

Phil Deakins wrote:

One thing is certain. Those SL-dedicated email addresses were acquired from somewhere. On that, we can agree.

---

Definitely. I'm not out to deny reality.

I'd disagree that anything 'suggests' a common point of collection at this stage - we don't know enough about the local networks or the way they're configured OR anything about the user's behaviour or activity regarding their mailserver. I admit I have some significant faith in LL's data-handling competance, but it's faith that I don't accrue very commonly for US-based web services - they're not daft but the phisher is, and this doesn't add up.

I'm happy to believe in coincidence - I run several large-scale mailservers myself - I've seen Email accounts that are NEVER listed and never used still pick up spam. I've seen spammers send Emails to accounts that don't exist (even to ones that couldn't exist). Weird attack profiles are suspicious, but they're not indicative on their own. They also generally reveal more about the targets behaviour than the origins behaviour.

You're right about the weirdness involved by having the OP's SL addresses targetted, this is why I wanted the OP to do some actual detective work. They claim to have the skills, but they've been far too happy to throw the blame on LL at the first chance they got. I can't diagnose other peoples' networks for them and there's no incentive to help people who aren't looking to be helped. It would've been interesting to see the common cause there, but oh well.

[Czari Zenovka]

---

Ivor Rident wrote:

Hello everyone,

I'd like to join this new SL community. 

---

I'm confused - you would "like to join this new SL community" but you joined SL in 2007.  (Great year, btw. )  Maybe you mean the forums, or maybe you're returning to SL.

Either way, welcome.