Nicolette Lefevre

Client-Data leaks from LL !!!



Nicolette Lefevre wrote:

Tomorrow I will check my PC in the office as well (today is a holiday here), but I have every confidence that that machine will be fine too


Yep. Just as I expected, my office computer checked out fine too. No malware of any kind.

Driving back home now. I have a RL pool waiting for me :-)


If everything else reported in this thread is true, it doesn't actually add much (any?) information to know that your machines are clean of known threats that scanning software would be able to find.  [EDIT: Not quite true; see below.]   If it were anything like that, there'd be a lot more people complaining about it by now, especially because the OS in this case is Windows.  As far as I can see, the only plausible spyware hypothesis would be that of a threat not yet identified in public.

In contrast to thousands of folks getting big red flags from anti-spyware tools were it a known threat, I don't know how many people would be aware of the spam itself.  I certainly would never know: gmail is far too good at screening spam, and I almost never check on what is drifting through that folder any more. 

The point is that lots of folks may be getting the spam without knowing and reporting it, and that means we can't really tell if it's only Windows users (which would indicate some new threat resident on those users' machines) or Mac and Linux users too (which would pretty conclusively demonstrate a breach at Dragonfish).

[EDIT: I guess, had we not known the negative scan results, it would have been possible (if extremely unlikely) that there were stock keyloggers on both the OP's machines and that of the other person who used a friend's credit card.  So, yeah, there's some information gained by those scans.]


Qie Niangao wrote:

In contrast to thousands of folks getting big red flags from anti-spyware tools were it a known threat, I don't know how many people would be aware of the spam itself.  I certainly would never know: gmail is far too good at screening spam, and I almost never check on what is drifting through that folder any more.

The point is that lots of folks may be getting the spam without knowing and reporting it, and that means we can't really tell if it's only Windows users (which would indicate some new threat resident on those users' machines) or Mac and Linux users too (which would pretty conclusively demonstrate a breach at Dragonfish).


I do email only on my Mac and on my iPad. I login to the SL-website both with my Mac and PC (Firefox 4 + Noscript in both cases). Inworld-activity is about 99% on the PC, 1% on the Mac.

I'm sure that only a VERY small percentage of people are noticing the spam AND can make the connection between the spam and their SL-account. While I don't have any hard numbers I would guess that most people do NOT have a separate email-address for every account they create somewhere. Without that they have basically no way to make the connection between the spam and SL. And most spam-filters will catch the spam anyway like you said. A spam-filter not catching spam for an online-casino isn't worth to be called "spam-filter" :-)

Also the spam-mails seem to be limited to european SL-users.

All in all this pretty much narrows down the number of people who are actually able to realize what is happening.

There may also be people who received the spam, were able to see the connection between it and their SL email-address, but have not posted here simply because they think it's not worth the effort. Or may not even know about the forums. Only a small percentage of SL-users ever post in the forums.

I concede the point that there is no absolute proof that the data leaked from SL or their payment-processor, but based on all the data I can see, I consider it to be VERY likely.


Don't jump to conclusions too fast, Void. I am perfectly aware that letting images display in an email is a way to track the existence of an email account. Anyone using MS Outlook is familiar with the warning the program gives when opening an email with embedded images. Outlook requires a confirmation from the user when an email has images when coming from an untrusted source, so there are ways to open an email without loading the images in it. In this specific case it was a deliberate choice after taking some countermeasures.

As for the WHOIS info being sold or the registrar being insecure, I have had a number of domains registered under the same registrar for 12 years. Contact information is protected and several checks I have periodically done with WHOIS show that no contact information is revealed. Even if that info was leaked or sold, it would have no relation with the domain I use with SL as those contact emails are under a different domain. Because of all I do to protect my accounts, the amount of spam I receive is very small. When it happens it's usually addressed to an email alias I have used to register to a web site, so it's easy for me to block the compromised address.

Incidentally, I rarely use the account receiving spam to send email, as I prefer to send IMs inworld or other communication tools. That account is there mainly to receive email. In the rare event that I send an email through that account, I merely select it in Outlook from the list of accounts I have, so a key logger is out of question.

I suppose the comment about MS Essentials is not addressed to me as I have never mentioned that program. However, for the record, I regularly scan my computers and use 3 different security programs.

I have no certainty that there was a leak and I have no reason to believe LL has leaked data. If data was leaked I am more inclined to think that the outsourced payment provider LL relies on may be at fault. There are a number of reasons to think that something has happened. My intent is to provide information that may help to understand what happened, not to point a finger at LL.


There has been a new post in the blog Head Shakers From A Metaverse about all this and there are some points in that post that I want to comment on. I'm doing it here instead of in the blog because I would like to keep all the information in one place.

 

     "If an email address is used for Second Life only, the last time it was probably entered anywhere was when the email account on the Second Life website was updated – assuming people pull their emails down to an email client or it will be used to log into the mail provider if accessed via the web. Although, web access does increase the chance that spyware could capture it."

It is correct that I have entered my SL email-address only once on account-creation. I use the standard email-client on Mac OS and on my iPad to access my email. The email-address (well, 3 actually) in question isn't an actual email-account, but an email-alias. That means I can receive email on that address, but not send from it. Incoming email gets "forwarded" to a real account.

But of course the incoming emails sit in my Inbox with that SL-only address in the "To:" field of the email. So in theory if some spyware were to access my email-data it could see that email-address. I do get a lot of emails to the address used for SL, but I do get even more emails to my other addresses. So if a spyware were to collect addresses from my Inbox, then it is reasonable to assume that addresses which have NOT been used for SL would be affected too. But they are not.

Only 3 addresses used for SL have received the spam-mails. And 2 of those 3 have never been used for anything but SL. The other one dates back to a time before I started to use a separate email-address for every account I create somewhere.

 

     "Those who have identified the spam emails claim their machines are spyware free.  Although none have yet said if they run scheduled checks and if they’ve reviewed the logs down the last few months to see if anything has been picked up."

On my Windows machine Microsoft Security Essentials is running, checking opened applications and files all the time and running regular scans of the entire machine. It has never found anything. I don't bother doing any checking on my Mac. I ran the full scan on the Mac with Bitdefender on Thursday just to have a clear argument that spyware is not the cause of this.

 

     "As Linden Lab are so publicly committed to protecting our data, I would have expected them to contact those who are currently claiming that spyware is not the cause of this to ask them for the emails, to check their logs to see if any spyware has been removed in the last few months and to ask them where they use the email addresses in question."

I have in fact been contacted by JP Linden on Wednesday, asking me to send him a copy of the spam-mail, which I did. He also asked me to forward anyone to him who has the same problem. I was contacted via IM by someone else later that day and did give her JP's name. As far as I am aware she did send him an IM.

 

    "Given another week this will have passed from most memories and this will have been just another blip on the horizon."

Won't happen. Because I will not LET it happen. I will of course give LL a bit more time to get to the bottom of this as I am aware that it won't be easy for them to figure out. But if/when I get the impression that enough time has passed for them, then I will take this up a notch and contact some local computer magazines. They have done articles about the RL-me in the past, so they'll know that I'm not someone to make these accusations lightly. I'm sure they'll pick up this story. Privacy is a BIG topic here in Germany. These are some of the biggest computer magazines in Germany and them covering this story will be BAD news for LL.

Also I think a post on Slashdot may also get some coverage. Not sure about that though as I have never tried to get a story on Slashdot before. Could just as well be that this just isn't big enough for them.

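The per-account alias reasoning used in the post above (spam arriving only at addresses registered with one service, while other aliases sitting in the same inbox stay clean) can be checked mechanically. This is an added example, not part of any post in the thread; all addresses, service names and messages in it are constructed.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Constructed alias register: one receive-only alias per online account.
ALIASES = {
    "sl-main@example.org": "Second Life",
    "sl-alt@example.org": "Second Life",
    "shop@example.org": "web shop",
    "news@example.org": "newsletter",
}

# Constructed inbox: (raw message, flagged as spam by the user?)
INBOX = [
    ("From: promo@casino.invalid\nTo: sl-main@example.org\nSubject: Bonus\n\nx", True),
    ("From: promo@casino.invalid\nTo: <sl-alt@example.org>\nSubject: Bonus\n\nx", True),
    ("From: orders@shop.invalid\nTo: shop@example.org\nSubject: Receipt\n\nx", False),
    ("From: list@news.invalid\nTo: News <NEWS@example.org>\nSubject: Issue 12\n\nx", False),
]

def recipients(raw):
    """Lower-cased addresses from To/Cc/Delivered-To of one raw message."""
    msg = message_from_string(raw)
    fields = []
    for header in ("To", "Cc", "Delivered-To"):
        fields.extend(msg.get_all(header, []))
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def spam_by_service(inbox, aliases):
    """Count spam messages per service whose alias they were addressed to."""
    hits = Counter()
    for raw, is_spam in inbox:
        if is_spam:
            for addr in recipients(raw):
                hits[aliases.get(addr, "unknown address")] += 1
    return hits

def assess(inbox, aliases):
    """Compare services hit by spam with services merely visible in the inbox."""
    hit = set(spam_by_service(inbox, aliases))
    seen = {aliases[a] for raw, _ in inbox for a in recipients(raw) if a in aliases}
    if not hit:
        return "no spam"
    if len(hit) == 1 and "unknown address" not in hit and seen - hit:
        # Mailbox harvesting would expose every alias seen there, not one service's.
        return "points at " + next(iter(hit))
    return "inconclusive"
```

A "points at" result narrows the source to that service or a party it shares the address with; it does not distinguish between the two.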

Oh, one more thing that I forgot to mention...

Of my 3 affected accounts 2 are pretty old. I entered the credit-card data there a looong time ago. Meaning 2+ years ago. Only for the 3rd affected account do I remember seeing the local payments options. So despite the fact that I used my credit-card on all 3 accounts during the last 6 months (and also on another account to whose email-address I did NOT get any spam-mails), at least for the 2 older accounts I'm not sure if these payments were actually handled by Dragonfish or maybe by some older system.

 


I just came across this:
http://www.sys-con.com/node/1878888

Excerpt: "Scientists from the Darmstadt Research Center for Advanced Security (CASED) have discovered major security vulnerabilities in numerous virtual machines published by customers of Amazon’s cloud. From 1100 public Amazon Machine Images (AMIs), that are used to provide cloud services, about 30 percent are vulnerable, allowing attackers to manipulate or compromise web services or virtual infrastructures."

Given that LL uses AWS a lot that may be an explanation on how data could leak.



Upon checking my email account for the Admiral Lyon (which is my primary email account), I found approx. 20 email notifications that the email was not delivered, and it originated from within Second Life, accessed my account and started to spam my contacts, and then when I sent an email to my SL partner it accessed his contacts list and sent all of them spam from me. I did a little research and believe it must have happened when an individual I do not know sent me an IM text inside Second Life telling me he was going to send me an ugly sex statue (which one must now believe is the image of this individual's katra); what he sent me was a link to a site that I now believe is bogus and uses the Roddenberry name and alludes to Star Trek with some bogus story they place there on the front page. I was compelled to join the web site just in case they have a buyer for that horrid statue I want to be notified; however, that is how I believe they accessed my email account. When I finish this email I am going inworld to advise Anthony Haslage of this occurrence and I will also contact the Roddenberrys via email. They probably want to halt this hacker's fraud immediately and will likely take legal action (the URL will redirect to a website called Roddenberry, and it touts a carved wooden statue that can be procured by someone for $499.00 USD; note this statue is not real, it is virtual as well, and they are blatantly using the Roddenberry name in the web site). This guy is in trouble. Thanks for letting me vent. I have summarized my theory below in case I am difficult to understand in my usual peculiar way of wording things, thus to avoid being misunderstood. Thank you. Bastet Lyon UFGQ/UVN/IFT/UFPSL (those are a few of the Trek groups I'm involved in and that may be affected by these whack hacks.)

  What appears to me to be happening is:

      someone gains access to our emails by following an email thread they set up by sending a bogus website URL, and then when you sign up for the website they get into your email and start spamming your friends and your friends' friends. I have postulated that these hackers are studying and utilizing the members lists of well Trek style groups and knowing that the Roddenberrys are trusted, well respected and that people won't hesitate to join any site that is owned, operated or endorsed by Rod Roddenberry (the son of Gene Roddenberry). I am so sure this happened when an unknown operative sent me a URL leading me to the site which has Roddenberry and has names of the key characters all over their context; even a paranoid Vulcan such as myself was deceived. At this point I am morally obliged to notify the IFT team here in SL and send an email to Rod Roddenberry advising him of this activity under his name and utilizing official Roddenberry groups in Second Life to gain access to victims; that is the logical choice, then sit back and see who gets the culprits first, private dicks or the Lindens. Bastet Lyon UFGQ/UVN the logical choices


The Green Dot card sold as a Wal Mart Money card works.   I have used one for 3 years now.  It is a prepay card.
