
PayPal Phishing Attempt




Phil Deakins wrote:


Solar Legion wrote:

Sorry Phil - you're wrong, period and on all counts.

 

Nowhere did I state that PayPal linked e-mail addresses were the targets. I said that PayPal accounts and potential accounts were the targets. One's e-mail address need not be linked to an existing PayPal account to have been sent such a phishing attempt.

 

I reject the idea of someone who has breached Linden Lab's address database targeting a single country/region simply because it is not logical to assume someone with the information that database contains would target one region exclusively.

 

Oh - and do not ever lecture me concerning grammar, kid. I don't give a crap.

Me? I didn't lecture you on your grammar. I corrected you on the misuse of a word, and that's not grammar. Perhaps you are mistaking me for someone else? ;)

I didn't say that you said, "... that PayPal linked e-mail addresses were the targets". I wrote that it sounds like you were saying it. The way you wrote something made it sound like that's what you were saying.

Now it sounds like you may believe that it's been suggested here that someone got access to LL's database and only took .de email addresses. If that's what you believe is being suggested by anyone in this thread, you are wrong, and you should read the thread again. If it has been suggested, then you would be right to reject the idea, but it hasn't been suggested.

But if that's not what you believe, you can reject what you like, Solar, but it makes no difference whatsoever. Your rejection is neither evidence nor a conclusion based on the evidence. The evidence we have here indicates that someone targeted .de email addresses; i.e. a specific country. All the rejections in the world don't change that one bit. But if you'd chosen to think about it a little more, you would have realised that targeting the emails of a specific country is completely irrelevant anyway. What's relevant is the SL-dedicated email addresses, and how they were acquired.

I hope that helps :)

Phil, drop the semantics BS - it doesn't fly with me. By stating what it sounds like or looks like I have stated, then following through with it as you did (twice now) you are treating your assumption as a fact.

And guess what? The OP herself has been attempting to pin this whole thing on a leak from Linden Lab's servers, no other explanation will suffice for her. Apparently you have not been paying attention to the thread.

Putting this bluntly, the 'evidence' does not point to a leak of any addresses from Linden Lab as the cause of the OP's issue. No one outside of the .de domain was sent a phishing attempt on existing or prospective PayPal accounts.

Now, if all you are going to do is restate meaningless information - don't bother responding back.


It's no good bleating about it when someone reads what you write, and it reads in such a way that it could mean something different to what you meant - OR it could be that you did mean it in the way that it read. We still don't know because you haven't chosen to enlighten us. It's you who is writing the stuff. I'm only questioning what you mean. Contrary to what you said, I haven't treated anything as fact. In fact I've used words like "it seems like", which I'm sure you understand. And in the post of mine that you quoted I actually replied in both ways - (1) where what you wrote meant one thing, and (2) where what you wrote meant the other thing.

You should thank me for covering the bases, and you should look at what you write to see if you can better explain what you mean. As it is, we still don't know what you meant because you've chosen not to explain it.

To the best of my knowledge, having read every post in this thread, the OP has not blamed LL for the leak. What she's done is say that the leak is on the LL end of things (that end includes LL, of course, but isn't limited to LL) - and I also say that. The evidence that we have makes it obvious to anyone who actually wants to take the evidence into account.

 


Solar Legion wrote:

Now, if all you are going to do is restate meaningless information - don't bother responding back.

I don't have any choice but to repeat what's already been said because it does appear that someone hasn't yet managed to grasp it ;)

I hope that helps :)



Wolfspirit Magic wrote:

That is one thing a professional attacker might hope for: people that don't think of a data leak because they did not get a message and don't think it's logical to not target everyone at once.

Why is it so hard to believe that someone might not attack everyone at once?

Still nobody says that Germany is the only target. As the mail was in German, the current wave looks like German only. The attacker might go and write a new mail in another language for another country soon.

There are many points where a region-based target is better for the attacker than attacking everyone at once:

- Localized mail targets more people of that country than a default English mail.

- There might be far less of a "Be careful, there is phishing going on" warning inside the community, and mostly only within that region (Germany, for example). Once that has settled down, the next wave in another country mostly comes without a warning.

- The servers the attacker is using might not be able to handle so much traffic to target everyone.

- The company the data was leaked from (in this case possibly LL) might not assume a data leak, as the requests only come from part of the SL community, and in this case many Germans don't speak English, so they don't go and contact LL but just delete the mail.

 

As I said before the mails were not linked to paypal and got a paypal phishing attempt anyways. They were used only for Secondlife. I don't really understand your point with "One's e-mail address need not be linked to an existing PayPal account".

Your entire assumption is based on the idea that the professional attacked Linden Lab's servers, lifted the e-mail addresses and proceeded to send out a phishing attempt for a wholly different service.

A professional would have done their homework and discovered that Linden Lab takes payments from more sources than just PayPal and planned accordingly. PayPal accounts - current/prospective - were the target, not Second Life accounts, not Second Life addresses .... current and prospective PayPal accounts.

The fact that the phishing attempt was so sloppy is an indication that this was not a professional making this attempt. A professional would only have targeted active PayPal accounts and verified that the e-mail address they were sending the phishing attempt to was actually linked to an existing account.

I find it amusing that you mention localized mail as opposed to a generic, english phishing attempt and utterly ignore the fact that not once was a generic form letter of any kind mentioned in any of my posts. I said that someone holding addresses leaked from Linden Lab's servers would not have simply targeted a single region. If you honestly think that a professional would not have a means to send out multiple versions of their phishing attempt at the same time .... you are very naive.

Now to wrap this up for you: In the entire time I have had a Second Life account, I have watched as threads similar to this one have come and gone - often without commenting on them. There have been phishing attempt e-mails sent out to countries/regions just about the world over (going by the threads) and not once have I ever gotten a single attempt, even when such an e-mail was reported from my own country. Sorry Wolf, it's just not likely to have gone the way you or the OP believe it to have gone.

Especially when you factor in the many nodes your transmitted information has to travel along, just to get to its destination. Any one of them could have been the source of the leak and in fact, that is the most likely explanation. Your transmitted information (including all e-mail) does not get sent directly from your computer to the destination computer. It has to travel through several other systems first.

Next time, instead of blaming the provider of a service which you can walk away from at any time for a security leak (resulting in being sent anything from a phishing attempt to malware), take a good, long look at the way the internet itself operates. You attempted to narrow the leak down to three companies: Linden Lab, Google and your ISP. I was nice and went along with that (very incorrect) assumption. Now I am not being so nice. Narrowing it like that was the marker of someone who actually believes in absolute security.

In any event, I have spent far too much time replying to this thread. Suffice it to say that I see this playing out just as it has in the past: The leak came from somewhere else and the person sending the phishing attempts is an amateur or a poorly constructed bot net.


I can think of a few things to try to correlate, to see if those might be related:

1. Do you have 'Auto Play Media' turned on? Turn it off. It's probably the worst security nightmare out there I can see. I've run into sims where there are objects "streaming" things like seo sites, and none will be the wiser if you don't look at currently playing media. I have no idea how secure the internal web browser is but I don't have high confidence in it.

2. Do you do any kind of object scripting that could expose your email address? Doesn't sound likely, or you'd have found it by now I'm betting.

3. Are you hitting the same marketplace vendors with each alt? I've gotten spam from certain vendors before and while they didn't directly get my email, I wonder if there's a clever way they could use your username info to get an email to you with the spam in it.

4. And related to #1, are the other people you know going to the same sim? Start checking the scripted objects in the area.


Go back and reread the thread from start to finish Phil. You'll find that your restated information is something that I quite grasp.

 

Off with you, I have no time for your games.

 

If/when you have any real evidence to back up the OP (which you have been trying to do since your first post in this thread), feel free to respond. Until then, don't waste my time any further with your meaningless and trivial responses.



Solar Legion wrote:


Wolfspirit Magic wrote:

That is one thing a professional attacker might hope for: people that don't think of a data leak because they did not get a message and don't think it's logical to not target everyone at once.

Why is it so hard to believe that someone might not attack everyone at once?

Still nobody says that Germany is the only target. As the mail was in German, the current wave looks like German only. The attacker might go and write a new mail in another language for another country soon.

There are many points where a region-based target is better for the attacker than attacking everyone at once:

- Localized mail targets more people of that country than a default English mail.

- There might be far less of a "Be careful, there is phishing going on" warning inside the community, and mostly only within that region (Germany, for example). Once that has settled down, the next wave in another country mostly comes without a warning.

- The servers the attacker is using might not be able to handle so much traffic to target everyone.

- The company the data was leaked from (in this case possibly LL) might not assume a data leak, as the requests only come from part of the SL community, and in this case many Germans don't speak English, so they don't go and contact LL but just delete the mail.

 

As I said before the mails were not linked to paypal and got a paypal phishing attempt anyways. They were used only for Secondlife. I don't really understand your point with "One's e-mail address need not be linked to an existing PayPal account".

Your entire assumption is based on the idea that the professional attacked Linden Lab's servers, lifted the e-mail addresses and proceeded to send out a phishing attempt for a wholly different service.

I don't need to read the rest of your long post because it fails right at the start - the bit I've quoted.

I'm not attempting to speak for Wolfspirit but I can say that nobody in this thread, including Wolfspirit, has stated that the addresses were acquired from LL's server. They may have been, of course, but nobody has stated that they were.

Now, anyone who cares to think about it, even for a moment, will realise that, to phish for PayPal login details, it is a good idea to acquire email addresses from systems that are known to be 'related' to PayPal. SL is one such system in that it is known that many of its users use PayPal for transferring money to and from SL. That makes SL a good place to acquire email addresses when phishing for PayPal details. I would have thought that was obvious.



Solar Legion wrote:

Go back and reread the thread from start to finish Phil. You'll find that your restated information is something that I quite grasp.

 

Off with you, I have no time for your games.

 

If/when you have any real evidence to back up the OP (which you have been trying to do since your first post in this thread), feel free to respond. Until then, don't waste my time any further with your meaningless and trivial responses.

Aha. So you've grasped the evidence in this thread, but you still reject the idea that the addresses were acquired from LL's end of things. Alright. It doesn't make any sense at all, but alright.

I don't have any evidence whatsoever to contribute. As I've always said, my view is based solely on the compelling evidence that others have presented in this thread. What's yours based on? ;)



HoppytheWanderer wrote:

I can think of a few things to try to correlate, to see if those might be related:

1. Do you have 'Auto Play Media' turned on? Turn it off. It's probably the worst security nightmare out there I can see. I've run into sims where there are objects "streaming" things like seo sites, and none will be the wiser if you don't look at currently playing media. I have no idea how secure the internal web browser is but I don't have high confidence in it.

2. Do you do any kind of object scripting that could expose your email address? Doesn't sound likely, or you'd have found it by now I'm betting.

3. Are you hitting the same marketplace vendors with each alt? I've gotten spam from certain vendors before and while they didn't directly get my email, I wonder if there's a clever way they could use your username info to get an email to you with the spam in it.

4. And related to #1, are the other people you know going to the same sim? Start checking the scripted objects in the area.

Auto-Play Media is turned off. I agree with your opinion that it is a security nightmare. That's also why I have the internal browser disabled. I have the viewer configured to use Firefox. And that one has the NoScript plugin installed, so only sites approved by me get to run any Javascript or plugins like Flash in Firefox.

Also, no object scripting that could expose my email-address either.

And while I have a few favorite vendors from whom I bought stuff with several of my alts, I don't think that there is one that all the alts have bought from. Some of the alts haven't been used in a looooooong time. Probably half of them haven't agreed to the latest TOS yet. :)

I haven't been using SL a lot lately. I shut down most of my operations a few months ago. I've been only logging in about once every 2 weeks since then.


Mail headers can only give you an (unreliable) indication from where the emails were sent. They do NOT give you an idea on how the email-addresses were acquired. And the latter part is the one that worries me.

All 8 emails that I received appear to be originating from the same server. The WHOIS information on that IP is kinda weird. The IP-block appears to be registered to a company in Iceland, but the technical/abuse contact is listed as a person in Croatia.

Even if the WHOIS information is correct, there is nothing to suggest that the legal owner of that server is actually responsible for this. Only a very, VERY stupid phisher would send emails from a server that can be traced back to him. In all likelihood that server was hacked and then used to send out the emails.

The emails were not sent directly from that server, but used various web-mailers as an intermediate step. Either using hacked accounts on those servers or accounts that were registered by the phisher himself for the sole purpose of sending out the emails from there. I saw emails from att.net, gmx.de, gmx.at, me.com, online.de and libero.it.

To me this looks like a well-prepared attack. Unlike most phishing emails, the German text was almost flawless. That is VERY unusual for phishing emails. Even if a phisher wants to ultimately target all countries he would be wise to start a test in one country first. See what works and what doesn't and then move on to the next target-area. That way you can improve your attack while working through your pile of email-addresses.

Targeting only one country may also be a problem of capacity. Sending out a huge volume of emails is technically difficult. Especially if your aim is to get it past as many spam-filters as possible. If you send too fast, you will trigger alarm bells all over the place.



HoppytheWanderer wrote:

I can think of a few things to try to correlate, to see if those might be related:

1. Do you have 'Auto Play Media' turned on? Turn it off. It's probably the worst security nightmare out there I can see. I've run into sims where there are objects "streaming" things like seo sites, and none will be the wiser if you don't look at currently playing media. I have no idea how secure the internal web browser is but I don't have high confidence in it.

2. Do you do any kind of object scripting that could expose your email address? Doesn't sound likely, or you'd have found it by now I'm betting.

3. Are you hitting the same marketplace vendors with each alt? I've gotten spam from certain vendors before and while they didn't directly get my email, I wonder if there's a clever way they could use your username info to get an email to you with the spam in it.

4. And related to #1, are the other people you know going to the same sim? Start checking the scripted objects in the area.

Question? What exactly is an "seo" site? A site that sells search engine optimization? SEO is something you do to a site to make it appear higher in the listings in Google, Bing, Yahoo, etc., is it not? Is Search Engine Optimization not what SEO stands for? And unless there's some kind of secret hacker term I don't know (I admit it's possible, I'm not a hacker), how does optimizing your search engine placement cause harm to the person this site is being streamed to? I mean, I personally use the auto streaming features, but I can see how it might be used to stream, say, a site with a virus download, but realistically any time you go on the web you expose yourself to this. Even legit sites could have their ad banners hacked and replaced with ones that transmit malware and viruses. In fact that has been reported to have happened in the past. IMO there's safe and then there's paranoid.

 

EDIT: Also, is there an LSL function that can get your email? Because from what I've seen from looking it up, with llEmail and related functions you have to give it your email and then it sends an email to that address when touched? Even if you used this function it doesn't seem like it would say the email in chat, so they'd have to read the code? Even if it did say it in chat it would be hard to find since there's like millions of channels, which is why finding the channel Phatazz and Lolas tangos send their info on is difficult. Wouldn't making it no mod fix that? I don't know how to write in LSL so I could be wrong here; of course I'm only going by what I googled as far as how those functions work. I think finding someone's email is difficult in SL and the web in general unless they give it to you / it's obvious / you bought a list with it on there / some other means that doesn't involve writing code to find it. lol Of course, again, I'm not a hacker so I don't know; perhaps there are other ways.


Sorry Phil - once again, you are quite wrong. The OP has stated again and again that there is no other place the leak could have come from.

 

The rest of your response is a false assumption: Second Life is a niche bit of software and has been for several years now.

 

Enough is enough Phil - use facts or do not respond at all. I am quite tired of your crap.


No Phil, I reject that what has been presented is any form of "evidence".

 

Either present real evidence or cease responding to me. I have stated in my prior response to you: I'm tired of your crap. Either you have solid evidence to back up your assertion (and the opinion-treated-as-fact statement of the OP) or you do not and thus have no reason to respond to me other than to annoy me.



Griffin Ceawlin wrote:

Phil, where have you seen any actual evidence? Headers are evidence. Haven't seen a one, not even redacted. People flapping their jaws are just that.

Lots of things are evidence, Griffin, including eye-witness testimony, which is what we have in this thread. Eye-witness testimony is treated as real evidence in courts, and the eye-witness testimony that we have in this thread is much better than what they have in courts because it's static and can be seen again at any time, whereas eye-witness evidence in courts is of the type that is gone after it's been seen. You have to acknowledge such eye-witness testimony and accept it as evidence, whether you agree with the conclusions or not.

Those who discount it in this thread are free to do so, of course, but it's only based on imagination because they haven't offered any evidence to counter it. I prefer eye-witness testimony as evidence.

Headers and such tell nothing about where the addresses were acquired from, and this thread is only about where the addresses were acquired from. Tracing the emails' routes is pointless to this discussion. That's where Freya was getting it wrong. She was majoring on headers etc. (tracing the emails) but it was never about where they came from. It was only ever about where the addresses were acquired from. To be fair though, Freya was also interested in what might be at the OP's end, and what the OP might have done on the internet, that might have caused those addresses to be compromised.



Madeline Blackbart wrote:

Question? What exactly is an "seo" site? A site that sells search engine optimization? SEO is something you do to a site to make it appear higher in the listings in Google, Bing, Yahoo, etc., is it not?

Yes and no. I was an SEO until not long ago and I'm not the only one who uses the upper case version (SEO) to denote the search engine optimiser (noun), and the lower case version (seo) for the activity - search engine optimisation. But it's not a rule as such, so seo and SEO can be used for both the noun and the activity. Either version can be used in the phrase "an seo site".

ETA: I forgot to answer your question. Yes, an seo site is a site that is about search engine optimisation, which could be the offering of seo services or just information about seo. Usually, it offers seo services.



Solar Legion wrote:

Sorry Phil - once again, you are quite wrong. The OP has stated again and again that there is no other place the leak could have come from.

 

The rest of your response is a false assumption: Second Life is a niche bit of software and has been for several years now.

 

Enough is enough Phil - use facts or do not respond at all. I am quite tired of your crap.

If you are so tired of my posts, either ignore them or don't reply to them. This isn't your thread and you don't have a say in who can and cannot contribute to it. I'll continue to post in the thread as long as I have something worthwhile to say. The fact that you personally don't find my contributions worthwhile is totally irrelevant. It's unfortunate that some of my posts are to correct you but you keep writing things that have to be responded to. I don't like it, but it's what you've been doing.

If you have anything to contribute to the discussion, please state it. You haven't added anything yet. All you've done is use your imagination to put it across that the source wasn't at LL's end. But you have absolutely no idea about that. Of course, if you accepted the evidence before your eyes you might get an inkling of it, but you seem reluctant to accept anything that anyone says if it doesn't suit your personal preference.

Now - if you really believe that the OP has stated that the source is LL's server, then please quote it from her posts. If you can do, then I'll concede that the OP has said that the source is LL's server. In the meantime, I'm not prepared to take your word for it, and I'll continue to believe that she hasn't said any such thing. She's pointed at LL's end for the source, as do I. LL's end means the systems around LL's use of the emails, which does include their own server, of course.

I'm sorry that I keep on refuting what you write, but you don't write anything that adds to the discussion. All you write are words to the effect of "The leak isn't at LL's end" or "The leak isn't at LL's server" (which nobody said it was), without any evidence at all to support the idea, so it does need to be refuted.



Solar Legion wrote:

No Phil, I reject that what has been presented is any form of "evidence".

 

Either present real evidence or cease responding to me. I have stated in my prior response to you: I'm tired of your crap. Either you have solid evidence to back up your assertion (and the opinion-treated-as-fact statement of the OP) or you do not and thus have no reason to respond to me other than to annoy me.

And I've just written that, if you are so tired of what I write, either ignore it or don't respond to it. You DO have a choice, y'know ;) I don't care that you're tired of my posts. I don't make you tired of them. You do - by reading and replying to them. You are not my responsibility.

There you go again - rejecting something out of hand. Who cares what you reject? It's not relevant to this discussion UNLESS you can provide evidence as to why it should be rejected. "I reject" is not a reasoned point and it doesn't even suggest why it should be rejected. You haven't made any attempt at doing that so far. All you've presented to us is that you reject some things out of hand, without any attempt to explain why. That's just not good enough, I'm afraid.

Now, as I explained to someone else a few posts above this one, eye-witness testimony IS evidence, and that's what we have in this thread. But you've probably read that by now so I don't need to expand on it.


Start here:

"Today I have received emails with PayPal phishing-attempts to several email addresses that I have ONLY used for Second Life. So far 5 email addresses (one for every Alt) have been affected.

All phishing emails tried (unsuccessfully!) to lure me to a subdomain of gff23.com to "update my PayPal information". The subdomain differs between emails. The emails have been in German, but my location can easily be deduced from the domain-name of my email ending in ".de".

I want to point out again that these email-addresses were NEVER used for anything else but SL. These emails were NEVER used for PayPal. They were only used for registering the various SL accounts.

SL: You have a serious data-leak here!

I had a similar problem about 2 years ago if I remember the timeframe correctly. Back then also only emails used for SL were affected. But back then it wasn't PayPal-phishing, just general spam-mails, in most cases for some casino or other.

Do not even try to suggest that I myself am responsible for the leak of these email-addresses. My computers are secure. I have been an IT-professional for 20+ years. I host the mail-server myself. And NONE of my other email-addresses are affected by this. Only email-addresses used for SL. And the ones affected were never used for anything but SL."

On page one and do not stop until you have reread the entire thread.

Do not respond to me further - I have every right to tell you to cease responding to me, in this thread. Respond to whomever else you feel like responding to. Leave me alone, do not mention me, do not reference me ... I want nothing more to do with you until you have something of actual substance to add. Such as real evidence, not "eye witness" reports of nothing more than a phishing attempt.






Solar Legion wrote:

Read the frakking original post you nit.

I did, and the only statement in it is this:

SL: You have a serious data-leak here!

I agree with her. You can assume that she meant on LL's server itself, rather than the systems around LL's end where they use the addresses (a bulk emailing service, for instance. They do bulk emails, y'know), but that's just your assumption.

So do you have any more attempts at the OP stating that the source is LL's own server? Your first attempt failed. Perhaps you'd like to try again.

And please stop being so rude. I'm not being rude to you and there is no need for it.

 

ETA: I see you've removed the content of your post and replaced it with a large one. The above reply is to the original post. I'll read the replacement now.

 



Solar Legion wrote:

Start here:

"Today I have received emails with PayPal phishing-attempts to several email addresses that I have ONLY used for Second Life. So far 5 email addresses (one for every Alt) have been affected.

Nothing so far.

All phishing emails tried (unsuccessfully!) to lure me to a subdomain of gff23.com to "update my PayPal information". The subdomain differs between emails. The emails have been in German, but my location can easily be deduced from the domain-name of my email ending in ".de".

Nothing yet.

I want to point out again that these email-addresses were NEVER used for anything else but SL. These emails were NEVER used for PayPal. They were only used for registering the various SL accounts.

Still nothing.

SL: You have a serious data-leak here!

Aha! That's something, but I already talked about that in my previous post, so I won't repeat it here.

I had a similar problem about 2 years ago if I remember the timeframe correctly. Back then also only emails used for SL were affected. But back then it wasn't PayPal-phishing, just general spam-mails, in most cases for some casino or other.

Nothing.

Do not even try to suggest that I myself am responsible for the leak of these email-addresses. My computers are secure. I have been an IT-professional for 20+ years. I host the mail-server myself. And NONE of my other email-addresses are affected by this. Only email-addresses used for SL. And the ones affected were never used for anything but SL."

Nothing

 

On page one and do not stop until you have reread the entire thread.

I have no intention of re-reading the entire thread. My memory is good enough for me. As I said, if there are instances where the OP said the source is LL's server, please quote them. Otherwise she never said it.

Do not respond to me further - I have every right to tell you to cease responding to me, in this thread. Respond to whomever else you feel like responding to. Leave me alone, do not mention me, do not reference me ... I want nothing more to do with you until you have something of actual substance to add. Such as real evidence, not "eye witness" reports of nothing more than a phishing attempt.

I'll stop responding to you when you give me nothing to respond to. Don't you think it's a bit silly writing to someone and then telling them not to reply, especially when you are making a failed attempt at showing them they were wrong?

And, of course, you know as well as I do that you have no right at all to tell me to stop responding to you. What sort of daft idea is that? How about this then... Since you believe that you have a right to tell me not to respond to you, you have to agree that I also have the same right. So... stop responding to me, Solar.


So how's THIS going? :P

Only one point I'm here to mention, RE:


Phil Deakins wrote:

Headers and such tell nothing about where the addresses were acquired from, and this thread is only about where the addresses were acquired from. Tracing the emails' routes is pointless to this discussion. That's where Freya was getting it wrong. She was majoring on headers etc. (tracing the emails) but it was never about where they came from.


Actually, it wasn't about tracing the origin server, because of course this is often simply a compromised or open SMTP relay, or - in the case of the OP - a domain registered the same day that the attack took place. Header information is useful to ensure that people commenting in this thread were part of the same attack. There are many/multiple PayPal phishing scams flying around the Internet at any one time (as I'm sure you know, Phil, I'm just expanding in case my reasoning missed you) and having random users comment saying "Hey look, I got an Email that says PayPal in it!" doesn't actually narrow anything down. One user pointed out that their phishing email's destination URI matched the OP's, so that's (probably) two.

You can't really find out where the common link is until you can rule out those who weren't a part of this attack. Not much point chasing tails until you can tell that you're all lookin' at the same animal. Obvious, no?

ETA: I'm not getting back into this, just correcting mis-attributed intentions.

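The correlation step Freya describes (rule out reports that belong to a different scam before looking for the common link) can be done mechanically. The script below is an added example, not code from anyone in this thread: it parses raw messages with Python's standard `email` module, keys each one by the registered domain its link points at, and records the relay host named in its `Received` header. The three sample messages and every host and domain in them are constructed placeholders on the `.invalid` TLD, not the ones reported in the thread.

```python
"""Group suspected phishing emails into campaigns by landing domain.

Added example; all messages, hosts and domains are constructed placeholders.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
RECEIVED_FROM_RE = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def _sample(received_from, url):
    """Build one constructed German-language PayPal-themed message."""
    return (
        'From: "PayPal" <service@paypal-notice.invalid>\n'
        "To: alt@example.de\n"
        f"Received: from {received_from} by mx.example.de\n"
        "Subject: Bitte aktualisieren Sie Ihre PayPal-Daten\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "\n"
        f"Bitte hier klicken: {url}\n"
    )


# Two messages push different subdomains of one registered domain (one
# campaign); the third shares a relay host but pushes a different domain.
SAMPLES = [
    _sample("relay1.badhost.invalid", "http://secure-login.phish-campaign.invalid/update"),
    _sample("mail.otherhost.invalid", "https://konto.phish-campaign.invalid/de/paypal"),
    _sample("relay1.badhost.invalid", "http://verify.other-scam.invalid/pp"),
]


def registered_domain(host):
    """Collapse a hostname to its last two labels so that differing
    subdomains of one registered domain compare equal. Adequate for this
    example; a real tool would consult the public suffix list (e.g. .co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def landing_domains(raw):
    """Registered domains of every URL found in the message body."""
    msg = message_from_string(raw)
    payload = msg.get_payload(decode=True) or b""
    text = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")
    return {registered_domain(urlparse(u).hostname or "") for u in URL_RE.findall(text)}


def relay_hosts(raw):
    """Hostnames in the 'from' clause of each Received header, outermost
    first. Only the hop your own server wrote is trustworthy; earlier hops
    can be forged, so treat these as a hint, not evidence."""
    msg = message_from_string(raw)
    hosts = []
    for received in msg.get_all("Received", []):
        match = RECEIVED_FROM_RE.search(received)
        if match:
            hosts.append(match.group(1).lower())
    return hosts


def cluster_by_landing_domain(raw_messages):
    """Map each landing domain to the indices of messages that link to it."""
    clusters = {}
    for index, raw in enumerate(raw_messages):
        for domain in landing_domains(raw):
            clusters.setdefault(domain, []).append(index)
    return clusters


def same_campaign(raw_a, raw_b):
    """True when both messages push links to the same registered domain."""
    return bool(landing_domains(raw_a) & landing_domains(raw_b))


if __name__ == "__main__":
    for domain, members in cluster_by_landing_domain(SAMPLES).items():
        print(domain, "->", members, [relay_hosts(SAMPLES[i]) for i in members])
```

The landing domain is the stronger key: the first and third samples arrive through the same relay host but belong to different scams, which is exactly the case Freya raises (a compromised or open relay serves many campaigns), while the first two differ only in subdomain, as the OP reported. Only messages that cluster together are worth comparing for a common source of the recipient addresses.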

To be honest, Freya, the discussion with you is so far in the past now (so much has been written between then and now) that I don't remember the details. I only remember the general area you wanted examined before looking towards LL's end for a leak.

We weren't getting any of the information you asked for so we only have what we have, and what we have does appear to point towards LL's end of things, imo. Not necessarily LL's own database but that can't be ruled out.

I have naturally assumed that those who posted as having received the email, received it from the same phishing attempt, but, to my way of thinking, the OP's experience alone points towards a leak at LL's end. That's assuming that she hasn't overlooked something, of course, but she does sound very confident about what she says, and I accept it.

One thing did occur to me yesterday, which I included in a post. LL sends out bulk emails. I wonder if they do it themselves or if they pay an outside party to do it. If it's done by an outside party, then that's one very big possibility for a leak at LL's end that doesn't involve LL's own servers.

I haven't discounted anything or anywhere as being the source of the leak, and I haven't discounted that there may not have been a leak. I've said all along that, judging only by what is in this thread, there was a leak somewhere, and it does appear to have been at LL's end of things.


Last time I received one of these bulk emails from LL, it was about the Valentine's Gift. That one was sent using Amazon Simple Email Service (Amazon SES).

One of the email-addresses on which I received the phishing-attack, didn't yet exist back then. I created that email-address about two weeks after the Valentine's Gift emails were sent by LL.


AWS/SES isn't too far outside of LL's sphere, manymanymany SL services are based on or routed through Amazon's servers.

Speculative: In terms of the 'leak' you're probably at a dead-end. If Amazon were compromising end-customer info, the outcry would be considerably bigger than if LL were. Amazon have been suckered in the past of course, but not by anything this simple.

Hadn't realised you were defining "At LL's end" as "Anything that isn't at the destination end". Bit of a wide net there, note that most other participants in this thread seem to have been using the definition "within LL's control/responsibility" - you may want to make sure you're on the same page.
