Dilbert Dilweg Posted September 24, 2013 Share Posted September 24, 2013 You can forward email scams to pay-pal by forwarding the email to them @ spoof@paypal.com Link to comment Share on other sites More sharing options...
Perrie Juran Posted September 24, 2013 Share Posted September 24, 2013 I am again going to repeat what I said earlier in this thread. Anyone who has had this happen needs to send a note to security@lindenlab.com with all the pertinent information. And can the hyperbole when you do. 'Just the facts, Mam.' Now that said, what is really curious and puzzling is why is it only people with .de addresses this is happening to? Why isn't the Forum getting comments from people from other domains? (yeah, and now that I have said something, watch it happen ) I've been following this as well as other SL Centric Forums and Blogs for several years. Every "I got Phished" thread I have seen, when we dug into it, we turned up the User error. I myself almost fell for one once. And I'm fairly savvy on good Internet practices. So yes, I get a little skeptical. But again, to be clear, I am not saying it did not happen. Nicolette, have you contacted LL yet through the proper channels? Seriously, this thread has just degraded into a lot of gum bumping. Link to comment Share on other sites More sharing options...
Solar Legion Posted September 24, 2013 Share Posted September 24, 2013 Nicolette Lefevre wrote: I agree about the link. I would even go a step further. Ivor, you should remove everything before the gff23.com and everything after the "?". Because quite frankly, by posting that link you actually told everyone here your email-adress. It's encoded in the link. And Freya, I see you still think that this is not SL's fault, even though every single piece of evidence is clearly pointing in that direction. Newsflash for you - I have e-mail addresses which are used for Second Life, I have an e-mail address that is used for PayPal. Neither of them has gotten this phishing attempt - or any phishing attempts. It's not Linden Lab - if it were, everyone that has ever used PayPal to pay them would have goten it. Link to comment Share on other sites More sharing options...
Wolfspirit Magic Posted September 24, 2013 Share Posted September 24, 2013 Do you have a ".de" Mailaddress? If no, then this will explain why you did not get that phishing attempt. All my other Mailadresses with ".eu" Domain did not get it. Just the two with ".de". And it has nothing to do with paypal as the Mailaddress I used was never used for paypal.In my opinion it's an attempt on many german Secondlife mailaddresses focusing on people who might use paypal (like many people in secondlife do). Nearly every german friend I talked to yesterday got that mail to their SL Mailaddress, no matter if they use paypal or not. It's not just one. I send the plain mail to secure@lindenlab.com but didn't got a response yet. Not sure if that account even is checked. I might open a jira ticket maybe. Link to comment Share on other sites More sharing options...
Solar Legion Posted September 24, 2013 Share Posted September 24, 2013 Wolfspirit Magic wrote: Do you have a ".de" Mailaddress? If no, then this will explain why you did not get that phishing attempt. All my other Mailadresses with ".eu" Domain did not get it. Just the two with ".de". And it has nothing to do with paypal as the Mailaddress I used was never used for paypal. In my opinion it's an attempt on many german Secondlife mailaddresses focusing on people who might use paypal (like many people in secondlife do). Nearly every german friend I talked to yesterday got that mail to their SL Mailaddress, no matter if they use paypal or not. It's not just one. I send the plain mail to secure@lindenlab.com but didn't got a response yet. Not sure if that account even is checked. I might open a jira ticket maybe. Domain is irrelevant - a breach of Linden Lab's repository of e-mail addresses would have resulted in far more than just a single region getting such a Phishing attempt. The fact that the attampt was for PayPal accounts and not Second Life accounts is quite telling as well. To restate: If the leak had come from Linden Lab, the phishing attempt would not have been limited to a single regional domain, it would have been tailored and sent out for all regions. The phishing attempt was for access to PayPal account information not Second Life account information. It was targeted at those who have used or may in the future use PayPal for payments. In this very thread, at least one other poster has stated that their Second Life e-mail address was not tagged, their PayPal address was. Furthermore, the last time there was a security leak, there was a warning issued about it. Link to comment Share on other sites More sharing options...
Phil Deakins Posted September 24, 2013 Share Posted September 24, 2013 Solar Legion wrote: Newsflash for you - I have e-mail addresses which are used for Second Life, I have an e-mail address that is used for PayPal. Neither of them has gotten this phishing attempt - or any phishing attempts. It's not Linden Lab - if it were, everyone that has ever used PayPal to pay them would have goten it. This is also a reply to your later post... Since it is only .de addresses that get it, it's reasonable to assume that the email was in German and wouldn't be understood by non-german speaking people, or that there is some other reason for only sending it to German people. And, if that's the case, then your bolded statement wouldn't apply. Link to comment Share on other sites More sharing options...
Phil Deakins Posted September 24, 2013 Share Posted September 24, 2013 Freya Mokusei wrote: Phil Deakins wrote: One thing is certain. Those SL-dedicated email addresses were acquired from somewhere. On that, we can agree. Definitely. I'm not out to deny reality. I'd disagree that anything 'suggests' a common point of collection at this stage - we don't know enough about the local networks or the way they're configured OR anything about the user's behaviour or activity regarding their mailserver. I admit I have some significant faith in LL's data-handling competance, but it's faith that I don't accrue very commonly for US-based web services - they're not daft but the phisher is, and this doesn't add up. I'm happy to believe in coincidence - I run several large-scale mailservers myself - I've seen Email accounts that are NEVER listed and never used still pick up spam. I've seen spammers send Emails to accounts that don't exist (even to ones that couldn't exist). Weird attack profiles are suspicious, but they're not indicative on their own. They also generally reveal more about the targets behaviour than the origins behaviour. You're right about the weirdness involved by having the OP's SL addresses targetted, this is why I wanted the OP to do some actual detective work. They claim to have the skills, but they've been far too happy to throw the blame on LL at the first chance they got. I can't diagnose other peoples' networks for them and there's no incentive to help people who aren't looking to be helped. It would've been interesting to see the common cause there, but oh well. Unlike you, Freya, I'm not happy to believe in the coincidence that the OP's only 8 SL-dedicated email addresses, out of ~100 in total, were the only ones to receive the email. That would be much too big a coincidence for me to swallow. Emails are sent to email addresses that have never been created every day. We know that. In fact I think it was you who posted about the brute force method of spammers. Having a number of websites, I see it every day in my inbox, and I've no doubt that some of the addresses that are made up by spammers actually exist and get through. That's why they do it, and that's why you see what you described in your second paragraph. But it's not relevant to this phishing scam. Link to comment Share on other sites More sharing options...
Wolfspirit Magic Posted September 24, 2013 Share Posted September 24, 2013 Domain actually is relevant. If I'd have a big list of mailaddresses, I would at first choose one region (and not english .com as that will be to obvious if I got the mails somehow from an english/american company), write a mail in that language, choose one widly used payment method and ask the user for more information. Who knows if the attacker maybe just got the german addresses somehow? The mail itself is not written in the usual "bad german" (except of a few typing issues), but even had html formatting in it. At the first view the mail looks professional. As a professional attacker is not interested in SecondLife Accounts but the money on the paypal accounts, I don't know why you think it's telling that the attempt was for Paypal. Who in SL does not use Paypal? The website behind the phishing even wrote the mailaddress into the fake login form. The attacker seems to assume, that everyone who uses the mailaddress also uses it for paypal, which was wrong for both my cases. As I said earlier the mailaddress I used was some random characters for registration in Secondlife (e.g. lraa@mydomain.de). I never used that mail anywhere else (no paypal or any other side, not even set up as specific mailaccount as it's a catchall address). The only 3 parties who knew it were LL, Google as my mail provider (but only cause of the mails I already got from LL) and LL itself. Once I clicked that link (for testing purpose) the fake paypal form showed "lraa@mydomain.de" as login. That means the attacker does not know if there even is a paypal account behind it. However the malicious script seems to be removed from the domain and the server was reinstalled (looks like). Maybe the server was hacked and the owner found that. Still it feels weird that Link to comment Share on other sites More sharing options...
Solar Legion Posted September 25, 2013 Share Posted September 25, 2013 Nope - the domain is irrelevant. Someone whom had lifted addresses from Linden Lab's system would not be targeting PayPal accounts exclusively nor would they have limited the attempt to a single region (gee, if it was so professionally done, you'd think they'd find it trivial to properly format it to be sent from several different locations to region match each and every Second Life associated address). It has also been noted that Linden Lab tends to notify users if their system is breached - this way they have a bit of warning and can alter their information if need be. There was no such notification made. You are kidding yourself if you honestly believe that your r-mail address is known only to you, Google and Linden Lab. I have had friends who swear up and down that there is no reason whatsoever for them to be getting as much spam as they do, let alone some of the phishing attempts they have gotten regarding services they do not even use. Not a one of them having a thing to do with Second Life. "No one else could possibly know that e-mail address!" Bull. In your case, the leak is far more likely to have come from Google's end of things. The amount of spam that a gmail address gets is insane. Sorry, I simply do not see the evidence for such a leak coming from Linden Lab. Region limited, at least one user has stated that the e-mail that was targeted was NOT associated with Second Life, further attempts in other regions being absent ... To be very blunt - and this isn't directed solely at you - any time I see anyone claim that their supposed experience in any IT related field or with any IT skill somehow precludes an error on their part ... I laugh. Long and loud. The only truly secure system is an utterly isolated system, unconnected to the Internet itself in any manner whatsoever. Frankly, any time someting like this occurs, the user is always quick to blame Linden Lab, their ISP, their mail provider ... anyone else. Yep, it's likely that one's ISP or mail provider could be the leak. Same with user error. Could it be Linden Lab? Distant enough possibility, going by their prior actions upon their system being breached. It's far more likely to be ISP, mail service or user error however. And that's ignoring all other means of obtaining an e-mail address. Link to comment Share on other sites More sharing options...
Wolfspirit Magic Posted September 25, 2013 Share Posted September 25, 2013 Nobody says, that the person behind the phishing attempts targets exclusive paypal or germany. It might be one of many waves. Who knows if the person might do a different region with a different mail (belgium or france for example) and another payment method in a month? The message was in German, there is no reason for the attacker to send the mail to everyone. All my other mailadresses (even my main google apps address) don't get many spam (maybe 2 mails per day, directly send to the spam folder, as it was the case with that mails, too) while I've 6 catchall domains and a googlemail address associated with it. That means, that I don't get much spam and I even take a look at what kind of spam I get. Otherwise I wouldn't have noticed. I use different catchall addresses nearly for every service. That means, that Google directly doesn't even know what mailaddress I use. Google just knows that it needs to redirect "*@mydomain.de" to my main google apps account. Sometimes (like in this case) I just use random characters. For example "lraa@mydomain.de", "exfg@mydomain.de","ssdv@mydomain.de", "blah@mydomain.de" are mailaddresses I use for different services or altaccounts. I mostly don't even know what mailaddress I entered for a special account. But that also means, that I can distinguish incomming mails by the mailaddress it was send to. The account was registered in 2009 and since then I only got mails from SL. No single Spam. But the phishing mail two days ago was send to the mailaddress used for secondlife (lraa). None of the others (exfg, ssdv, blah...). The only way Google could have known the mailaddress is, cause I already got mails from Secondlife to that mailaddress. There is a very little possibility that the leak came from there. But the leak is much more possible coming from LL. I also had a user who got that mail to a mailaddress which has nothing to do with secondlife but as I asked if the mailaddress was ever used for secondlife a while ago he said "yes, it was used for Secondlife but was then changed". That does mean that a leak might not be data from today but from a while ago. Around 80% of german people I asked in secondlife got that mail, while 0% of people I asked outside of SL got it. You mean LL is much more trustworthy then my ISP or Google? I don't think so. We all know that LL is not very transparent with what they do and what they don't do. In 2011 there was something similar happening and LL said it's spyware on the computers of the people getting the spam. Ignoring many people who say, that they do not have any spyware and have tried many different antivirus solutions non of them found anything. The fact, that it even targets e-mail aliases does speak pretty much against spyware as the alias usually is not configured anywhere. http://community.secondlife.com/t5/General-Discussion-Forum/Client-Data-leaks-from-LL/td-p/893203/page/6 It sure can be possible that the leak still is data from years ago. But did you get ANY information about a possible data leak back then? I didn't. In my personal opinion LL acts much more intransparent then any other company I know of and I assume that they will tell people that everything is caused by spyware on their computer again... (P.S.: Everything I wrote is my personal opinion) Link to comment Share on other sites More sharing options...
Freya Mokusei Posted September 25, 2013 Share Posted September 25, 2013 Perrie Juran wrote: I am again going to repeat what I said earlier in this thread. Anyone who has had this happen needs to send a note to security@lindenlab.com with all the pertinent information. And can the hyperbole when you do. 'Just the facts, Mam.' Now that said, what is really curious and puzzling is why is it only people with .de addresses this is happening to? Why isn't the Forum getting comments from people from other domains? (yeah, and now that I have said something, watch it happen ) Every "I got Phished" thread I have seen, when we dug into it, we turned up the User error. I myself almost fell for one once. And I'm fairly savvy on good Internet practices. So yes, I get a little skeptical. Seriously, this thread has just degraded into a lot of gum bumping. Hey Perrie, thanks for repeating all of this. I'm gonna repeat it again for ol' times sake. I shouldn't have engaged in arguing probability or liklihoods, it's turned everything into a quagmire - my only real concern was that the OP was going to blame LL for this (and have their post here lost in a black hole) while a potential security issue existed inside their area of control. The potential for this issue still exists, but it's up to those who've been affected by it to try and determine if there's any further risk to their data. Blindly dismissing this as "Well the fault is probably on LL's side" pushes this issue mentally outside of your view - it's convenient and saves you having to do any hard work, but it's a trap. Rule out everything you can see first. Next time a thread like this comes around, I think I'm just gonna throw Email addresses at people and run for it. I never really anticipated having to justify myself forever just to get people to take a look at the problem objectively, without just shrugging it off and throwing it at LL. They have some networking professionals for sure, but if this issue occurs anywhere outside of secondlife.com - if it's some intercept, some open browser/OS/memory/cookie exploit it's not their problem and those affected may still be at risk. The SEC team at LL will not look for faults outside of their job descriptions (they certainly won't look under every carpet) - the victims of this should look everywhere. If the SEC team don't find anything, they won't report anything, and data or user activity may be compromised further. They will also want a little bit more than just 'I got a phishing Email' in my experience. but it's not for me to argue against anyone who wants to involve them. Include facts, rule out some obvious traps, and for the sake of everything holy include the received headers. Good luck, etc. Link to comment Share on other sites More sharing options...
Phil Deakins Posted September 25, 2013 Share Posted September 25, 2013 Solar Legion wrote: Nope - the domain is irrelevant. Someone whom had lifted addresses from Linden Lab's system would not be targeting PayPal accounts exclusively nor would they have limited the attempt to a single region. That's the basis of your argument and it's wrong. What you wrote after it is, therefore, irrelevant. It sounds like you think that only email addresses that are also used with PayPal accounts were targeted, but there are reports in this thread to show that that's not true. Try the OP, for instance. What happens with spam and scams is that the email is sent to all, with the hope that some falls on fertile ground. Most doesn't, of course, but, unfortunately, some does, which is why the spammers and scammers keep going. You reject the idea of a scammer choosing to target a specific country, but there is no reason in the world to reject it. That's why your argument is wrong. Btw, it's "someone who" and not "someone whom". 'Whom' is a nice word to use. It has a feel about that suggest that the user has something up top - when it's used in the right places, of course. It has the opposite effect when it's used in the wrong places Link to comment Share on other sites More sharing options...
Phil Deakins Posted September 25, 2013 Share Posted September 25, 2013 Freya Mokusei wrote: I shouldn't have engaged in arguing probability or liklihoods, it's turned everything into a quagmire - my only real concern was that the OP was going to blame LL for this (and have their post here lost in a black hole) while a potential security issue existed inside their area of control. The potential for this issue still exists, but it's up to those who've been affected by it to try and determine if there's any further risk to their data. Blindly dismissing this as "Well the fault is probably on LL's side" pushes this issue mentally outside of your view - it's convenient and saves you having to do any hard work, but it's a trap. Rule out everything you can see first. You are still missing the glaringly big point. The OP has around 100 email addresses, and he runs his own mail-server. Of those 100 only 8 are used exclusively for SL and, therefore, 'known' by LL. Some of the others are in use as regular email addresses. Of the ~100, only the 8 SL-dedicated ones received the email. Please explain how that can happen without acquiring the dedicated addresses from LL's end. Note that, if the OP's mail-server is insecure, then he would have received the email on more than just the SL addresses. The other people who got the email just had one SL-dedicated email address, so they could be explained as not having been acquired from LL's end, but the OP is a special case because of the very telling 8 from 100. So I look forward to hearing how only the 8 received the email and none of the others in the same 'stable'. Link to comment Share on other sites More sharing options...
Freya Mokusei Posted September 25, 2013 Share Posted September 25, 2013 Phil Deakins wrote: Please explain how that can happen No. This is my whole point. I don't know, and I'm not going to try and guess. There's no point in me guessing (or even listing) the ways this can happen, it won't help anyone. All of this just wastes more of my time. We could argue about possible methods for weeks, only for the OP to eventually say "Surprise! The other 92 addresses are just forwarders!" or "Whoops! I listed those 8 publicly on a forum!" or "What do you mean <Imaginary Viewer> isn't legit, I use it for all my alts!" The OP should be investigating this strange behaviour, not throwing their hands up and waiting for LL to see a forum post. It IS suspicious, it IS likely relevant to how the information was obtained, and it DOES indicate that a larger issue may exist, but there's no reason to fold all of this under LL's umbrella so early. Since I suggested it was more likely to involve geography, we've had more people come forward to report this happening to *.de addresses - this is a good thing. From the observation that German users with *.com addresses haven't been reporting this (at least in this thread), we can maybe push to assume that the only thing the author of this attack had was Email addresses, not billing addresses - another (very) good thing. Keep going, keep trying to pin it down. Don't waste time on arguing about things it's impossible to know. Link to comment Share on other sites More sharing options...
Phil Deakins Posted September 25, 2013 Share Posted September 25, 2013 I asked you to explain how it can happen - not how it did happen. Realistic conjectures would have suited. You did come up with one though - that the other 192 addresses have never been used. It could be true but it's rather unrealistic. The OP may enlighten us. There's another one that I can throw in. If the thing happened an infinite number of times, then sooner or later, the OP's 8/100 would happen, and this may be the time. You accept that coincidence this time. I don't, because it's way too much of a coincidence for me to accept as being a realistic possibility. If some of the other 92 addresses are actually used, then those specific 8 addresses must have been acquired from somewhere where they are related. For instance, if only those 8 went through a particular system as they travelled the internet, and not the others, then I could accept that they may not have been acquired at LL's end, but that's also unrealistic. Try as I might, I can only come up with one location where those 8 addresses are 'known', either by storing or by passing through, but none of the other 92. That's at LL's end. Link to comment Share on other sites More sharing options...
Freya Mokusei Posted September 25, 2013 Share Posted September 25, 2013 Phil Deakins wrote: You accept that coincidence this time. I don't, because it's way too much of a coincidence for me to accept as being a realistic possibility. We've agreed that it was suspicious and warrants further investigation. I've accepted that it may well be worthwhile for the OP to involve the SEC team. The line between 'this implies' and 'this suggests' is a hazy one, and I think adding improvable hypotheticals to this discussion has damaged it enough already. Also sorry, I actually came up with three possible examples after 'improving' my post. There's a lot of ways that people can give away their own information. User error is far more likely than any networking issue, and far far more likely than a well-established system such as the LL payment process suddenly and spontaneously developing a leak - so far very little has been ruled out by the OP. Phil Deakins wrote: Try as I might, I can only come up with one location where those 8 addresses are 'known', either by storing or by passing through, but none of the other 92. That's at LL's end. This is what I mean by people in this thread ignoring the wider scope of the problem. You're seeing a zebra - a fault in a system that fails VERY rarely and whose security is taken VERY seriously. This is the danger of the OP only half-investigating suspicious events, where only they can provide facts. Link to comment Share on other sites More sharing options...
Nicolette Lefevre Posted September 25, 2013 Author Share Posted September 25, 2013 I have two actual email-accounts. Let's call them "myname@myprivatedomain.de" and "myname@myworkdomain.de". All the other email-adresses forward to one of those two. And all my email-adresses are on one of these two domains. Email for both domains is hosted on the same server and handled by the same program. So all the forwarding is done internally within this program. All my SL email-adresses are forwarded to "myname@myprivatedomain.de". Among a bunch of other aliases that also land in that inbox. Only the actual two mail-accounts will ever appear as my sender-adress. So I never sent any email from the email-adresses used exclusively for SL. These are receive-only. Some of the affected email-adresses are several years old, but the newest one was created in February of this year. So the leak must have happened sometime between now and late February. I have some adresses that are somewhat public knowledge. The "webmaster@" aliases for example. But also the actual account names. My work account is frequently used as a contact-adress on press-releases. None of those received these specific phishing emails. They get some spam and phishing of course, but they didn't get that specific phishing-email. None of my about 100 aliases got that one except the 8 ones used for SL. The only realistic possibility for those 8 ones to be targeted and none of the others is that the leak happened somewhere at LL. Or maybe at some subcontractor of SL that has access to them. Which would also make it LL's responsibilty IMO. Overall the email-adresses used for SL, account for a small amount of my incoming email. Probably in the 5-10% range. And of course my mail-client has auto-fetch of external images disabled. So don't even think of this being caused by some tracking-images in incoming emails. And yes, I do absolutely rule out "user error" on my part. If that were the case, then it would be very, Very, VERY unlikely that only the SL-adresses were affected. I've said it before, statistical probability for this being just a coincidence is about 1 in 186 billion. Link to comment Share on other sites More sharing options...
Phil Deakins Posted September 25, 2013 Share Posted September 25, 2013 I hadn't read the changes to your post when I wrote my reply. I only became aware of them when you mentioned them in your next post - the one I'm replying to now. Whilst one of your suggested possibilities could turn out to be true, they are a bit far fetched, to say the least. You are right to question it all. I have no argument with that. But don't forget that the most obvious solution is often the correct one, and there is no reason to discount the most obvious. Your previously-stated faith in LL's security is misplaced, imo, as we have seen a fair number of times in the past. And don't forget the realistic possibility of an employee simply taking email addresses for gain. The evidence we have all points at LL's end. It may turn out that it isn't at LL's end but, right now, it all points that way. Link to comment Share on other sites More sharing options...
Phil Deakins Posted September 25, 2013 Share Posted September 25, 2013 Curses! I'd forgotten the name of the OP (you) and I've been referring to you as 'he' - not 'she'. My apologies Link to comment Share on other sites More sharing options...
Freya Mokusei Posted September 25, 2013 Share Posted September 25, 2013 Nicolette Lefevre wrote: Or maybe at some subcontractor of SL that has access to them. Which would also make it LL's responsibilty IMO. Your opinion is noted, but it won't change reality. If this leak of your information didn't occur from LL's servers directly, it's irresponsible to yourself to assume that LL will investigate it. You owe it to yourself to investigate this. The rest of your post is illuminating and useful for those still interested in analysing this issue. Thanks. Link to comment Share on other sites More sharing options...
Freya Mokusei Posted September 25, 2013 Share Posted September 25, 2013 I disagree, but we've gone back to where I knew we would. I've had fun, and I understand your reasoning. Your posts are beginning to sound hyperbolic, so I am going to disengage before this thread gets even more contrived (and you have me creating alibi's for specific LL staff or something. ). It's okay to miss some of the edits I make to my posts, but unfortunately I can take some 20-40 minutes before I'm happy with a post. I don't expect anyone to wait, and try to keep all information accurate in the meanwhile. You believe something, great. I believe something else, great. When something that isn't just opinion appears, things will move forward. Or it won't move anywhere. Whichever. Link to comment Share on other sites More sharing options...
Phil Deakins Posted September 25, 2013 Share Posted September 25, 2013 Freya Mokusei wrote: Phil Deakins wrote: Try as I might, I can only come up with one location where those 8 addresses are 'known', either by storing or by passing through, but none of the other 92. That's at LL's end. This is what I mean by people in this thread ignoring the wider scope of the problem. You're seeing a zebra - a fault in a system that fails VERY rarely and whose security is taken VERY seriously. This is the danger of the OP only half-investigating suspicious events, where only they can provide facts. I don't see anyone ignoring wider possibilities. But the evidence we have so far all points at LL's end. Nobody has actually said that it WAS a leak at LL's end. All that's been said is that it looks like that's where the leak was. And it does I have no doubt that LL take security "VERY seriously", but I also know that their security fails from time to time. And don't overlook an employee simply taking the addresses. Link to comment Share on other sites More sharing options...
Solar Legion Posted September 25, 2013 Share Posted September 25, 2013 Sorry Phil - you're wrong, period and on all counts. Nowhere did I state that PayPal linked e-mail addresses were the targets. I said that PayPal accounts and potential accounts were the targets. One's e-mail address need not be linked to an existing PayPal account to have been sent such a phishing attempt. I reject the idea of someone who has breached Linden Lab's address database targeting a single country/region simply because it is not logical to assume someone with the information that database contains would target one region exclusively. Oh - and do not ever lecture me concerning grammar, kid. I don't give a crap. Link to comment Share on other sites More sharing options...
Wolfspirit Magic Posted September 26, 2013 Share Posted September 26, 2013 That is one thing a professional Attacker might hope for: People that don't think of a data leak cause they did not get a message and don't think it's logical to not target everyone at once. Why is it so hard to believe that someone might not attack everyone at once? Still nobody says, that germany is the only target. As the mail was in german the current wave looks like german only. The attacker might go and write a new mail in another language for another country soon. There are many points a region based target is better for the attacker then attacking everyone at once: - Localized Mail targets more people of that country then a default english mail. - There might be a much lesser "Be careful there is phishing going on" warning inside the community. And mostly only within that region (germany for example). Once that has sattled down the next wave in another country mostly comes without a warning. - The servers the attacker is using might not be able to handle so much traffic to target everyone. - The company the data was leaked from (in this case possibly LL) might not assume a data leak, as the requests only comes from part of the sl community and in this case many germans don't speak english so they don't go and contact LL, but just delete the mail. As I said before the mails were not linked to paypal and got a paypal phishing attempt anyways. They were used only for Secondlife. I don't really understand your point with "One's e-mail address need not be linked to an existing PayPal account". Link to comment Share on other sites More sharing options...
Phil Deakins Posted September 26, 2013 Share Posted September 26, 2013 Solar Legion wrote: Sorry Phil - you're wrong, period and on all counts. Nowhere did I state that PayPal linked e-mail addresses were the targets. I said that PayPal accounts and potential accounts were the targets. One's e-mail address need not be linked to an existing PayPal account to have been sent such a phishing attempt. I reject the idea of someone who has breached Linden Lab's address database targeting a single country/region simply because it is not logical to assume someone with the information that database contains would target one region exclusively. Oh - and do not ever lecture me concerning grammar, kid. I don't give a crap. Me? I didn't lecture you on your grammar. I corrected you on the misuse of a word, and that's not grammar. Perhaps you are mistaking me for someone else? I didn't say that you said, "... that PayPal linked e-mail addresses were the targets". I wrote that it sounds like you were saying it. The way you wrote something made it sound like that's what you were saying. Now it sounds like you may believe that it's been suggested here that someone got access to LL's database and only took .de email addresses. If that's what you believe is being suggested by anyone in this thread, you are wrong, and you should read the thread again. If it has been suggested, then you would be right to reject the idea, but it hasn't been suggested. But if that's not what you believe, you can reject what you like, Solar, but it makes no difference whatsoever. Your rejection is neither evidence nor a conclusion based on the evidence. The evidence we have here indicates that someone targeted .de email addresses; i.e. a specific country. All the rejections in the world doesn't change that one bit. But if you'd chosen to think about it a little more, you would have realised that targeting the emails of a specific country is completely irrelevant anyway. What's relevant is the SL-dedicated email addresses, and how they were acquired. I hope that helps Link to comment Share on other sites More sharing options...
Facebook
Instagram
Twitter
YouTube
Flickr
Recommended Posts
Please take a moment to consider if this thread is worth bumping.
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now