Nicolette Lefevre

  1. Solar Legion wrote: Sorry Nicolette - you're wrong and I won't be discussing this with you at all. You gave Linden Lab your e-mail address and it is up to them to secure it on THEIR server systems. Their responsibility ENDS there. From there, it is the responsibility of whoever owns the systems that address passes through to secure THEIR systems. Sorry, that's the way it is.

     No Solar, I'm right. It is definitely LL's responsibility. If you do something yourself you have 100% control and 100% of the responsibility. The thing that a lot of people (including you) don't get, is that if you outsource something, you will always lose at least part of the control, but you still keep 100% of the responsibility. You can NOT outsource responsibility. If you outsource something to someone who then makes an error, then it was your fault for outsourcing to the wrong company.
  2. Solar Legion wrote: Again, here we're going to have to agree to disagree. The systems at LL's end of things are the systems they themselves own and operate. That is "LL's end". Anything outside of it, including outsourced systems, exists between the user and Linden Lab.

     Wrong! From the moment I give LL my email-address, taking care that that info doesn't leak is LL's responsibility. If LL chooses to outsource certain things and hand over my information to others, then whatever happens is *still* within LL's responsibility. I didn't enter into a contract with that other company, I don't even know that other company. So whatever information I give LL, it is solely their responsibility to safeguard it. They cannot deny responsibility because they outsource certain things. If LL chooses an untrustworthy company to outsource things, then I'll blame LL for that.
  3. Last time I received one of these bulk emails from LL, it was about the Valentine's Gift. That one was sent using Amazon Simple Email Service (Amazon SES). One of the email-addresses on which I received the phishing-attack, didn't yet exist back then. I created that email-address about two weeks after the Valentine's Gift emails were sent by LL.
  4. Mail headers can only give you an (unreliable) indication from where the emails were sent. They do NOT give you an idea on how the email-addresses were acquired. And the latter part is the one that worries me. All 8 emails that I received appear to be originating from the same server. The WHOIS information on that IP is kinda weird. The IP-block appears to be registered to a company in Iceland, but the technical/abuse contact is listed as a person in Croatia. Even if the WHOIS information is correct, there is nothing to suggest that the legal owner of that server is actually responsible for this. Only a very, VERY stupid phisher would send emails from a server that can be traced back to him. In all likelihood that server was hacked and then used to send out the emails. The emails were not sent directly from that server, but used various web-mailers as an intermediate step. Either using hacked accounts on those servers or accounts that were registered by the phisher himself for the sole purpose of sending out the emails from there. I saw emails from att.net, gmx.de, gmx.at, me.com, online.de and libero.it. To me this looks like a well-prepared attack. Unlike most phishing emails, the German text was almost flawless. That is VERY unusual for phishing emails. Even if a phisher wants to ultimately target all countries he would be wise to start a test in one country first. See what works and what doesn't and then move on to the next target-area. That way you can improve your attack while working through your pile of email-addresses. Targeting only one country may also be a problem of capacity. Sending out a huge volume of emails is technically difficult. Especially if your aim is to get it past as many spam-filters as possible. If you send too fast, you will trigger alarm bells all over the place.
  5. HoppytheWanderer wrote: I can think of a few things to try to correlate, to see if those might be related: 1. Do you have 'Auto Play Media' turned on? Turn it off. It's probably the worst security nightmare out there I can see. I've run into sims where there are objects "streaming" things like seo sites, and none will be the wiser if you don't look at currently playing media. I have no idea how secure the internal web browser is but I don't have high confidence in it. 2. Do you do any kind of object scripting that could expose your email address? Doesn't sound likely, or you'd have found it by now I'm betting 3. Are you hitting the same marketplace vendors with each alt? I've gotten spam from certain vendors before and while they didn't directly get my email, I wonder if there's a clever way they could use your username info to get an email to you with the spam in it. 4. And related to #1, are the other people you know going to the same sim? Start checking the scripted objects in the area.

     Auto-Play Media is turned off. I agree with your opinion that it is a security nightmare. That's also why I have the internal browser disabled. I have the viewer configured to use Firefox. And that one has the NoScript plugin installed, so only sites approved by me get to run any Javascript or plugins like Flash in Firefox. Also, no object scripting that could expose my email-address either. And while I have a few favorite vendors from whom I bought stuff with several of my alts, I don't think that there is one that all the alts have bought from. Some of the alts haven't been used in a looooooong time. Probably half of them haven't agreed to the latest TOS yet. I haven't been using SL a lot lately. I shut down most of my operations a few months ago. I've been only logging in about once every 2 weeks since then.
  6. I have two actual email-accounts. Let's call them "myname@myprivatedomain.de" and "myname@myworkdomain.de". All the other email-addresses forward to one of those two. And all my email-addresses are on one of these two domains. Email for both domains is hosted on the same server and handled by the same program. So all the forwarding is done internally within this program. All my SL email-addresses are forwarded to "myname@myprivatedomain.de". Among a bunch of other aliases that also land in that inbox. Only the actual two mail-accounts will ever appear as my sender-address. So I never sent any email from the email-addresses used exclusively for SL. These are receive-only. Some of the affected email-addresses are several years old, but the newest one was created in February of this year. So the leak must have happened sometime between now and late February. I have some addresses that are somewhat public knowledge. The "webmaster@" aliases for example. But also the actual account names. My work account is frequently used as a contact-address on press-releases. None of those received these specific phishing emails. They get some spam and phishing of course, but they didn't get that specific phishing-email. None of my about 100 aliases got that one except the 8 ones used for SL. The only realistic possibility for those 8 ones to be targeted and none of the others is that the leak happened somewhere at LL. Or maybe at some subcontractor of SL that has access to them. Which would also make it LL's responsibility IMO. Overall the email-addresses used for SL, account for a small amount of my incoming email. Probably in the 5-10% range. And of course my mail-client has auto-fetch of external images disabled. So don't even think of this being caused by some tracking-images in incoming emails. And yes, I do absolutely rule out "user error" on my part. If that were the case, then it would be very, Very, VERY unlikely that only the SL-addresses were affected.
I've said it before, statistical probability for this being just a coincidence is about 1 in 186 billion.
  7. What do you want me to paste? Error-logs from LL's own servers that prove how they were hacked? I naturally do not have access to those. Or my own mail-server logfiles? Not gonna happen as that logfile contains private information that I'm not going to disclose. The header-lines of the emails? They also contain information that could identify me, and without that information the header-lines of the emails would be useless. And to state it yet again: I have 8 different email-addresses that I use for SL and for nothing else. All of them have received the same phishing-email. The emails differ only slightly in the link-URL (which contains the encoded email-address) and they have several different senders. The text of the emails is the same in every single case. These 8 emails arrived over a 4-hour timeframe yesterday. My affected email addresses each contain several random numbers that make it highly unlikely that they can be "guessed" by a brute-force attack. I'm hosting the mail-server myself, so my email-addresses can also not be found by hacking some 3rd-party email-provider. I have about 100 email-addresses in total. None of the non-SL addresses have received this phishing-email. Not a single one. The statistical chance of this being just a coincidence is about 1 in 186 billion. So for all practical purposes that rules out the possibility that my own server was hacked. Because if that were the case, not only the email addresses used for SL would be affected, but all of them. There are other reports here in this thread that people have received the same phishing-email to an email-account that they only use for SL. Now, what more do you want before you come out of denial? You are not helping at all here. So why don't you just do what you promised several times, and just leave this thread alone?
  8. I agree about the link. I would even go a step further. Ivor, you should remove everything before the gff23.com and everything after the "?". Because quite frankly, by posting that link you actually told everyone here your email-address. It's encoded in the link. And Freya, I see you still think that this is not SL's fault, even though every single piece of evidence is clearly pointing in that direction.
  9. You are not just unable to see it, you are UNWILLING to see it. And that is why you try to ridicule me. Doesn't work. You are only ridiculing yourself.
  10. I'll try again: I have received today's phishing-attack on 8 email-addresses. All of them are used only for SL. So only two parties should know these addresses. Me myself and LL. If the leak were on my side, why were the email-addresses used for SL affected and NONE of the other ones? We are talking about 8 out of about 100 addresses. If the leak were on my side, then the affected email-addresses should be random picks out of the available pool. A little skewed probably depending on how much I use the various addresses. But still close to being random. And for a random pick of 8 out of 100 we are talking about a chance of 1 in 186 billion that it is just coincidence that these specific 8 were picked. And 1:186bn is about 1000 times less likely than hitting the jackpot in a lottery. That makes the other explanation, that the leak happened at LL look MUCH more likely. As for people getting phishing-emails who are not on SL: I'm not surprised. Every phishing-attack can have multiple sources of email-addresses. And there are probably several different phishing-attacks against PayPal running at any given time. And as for how I sound: I didn't come here to offend anyone. But I also didn't come here to be offended by someone plainly denying the evidence and saying that the fault probably was my own when the evidence clearly states otherwise. I'm not actually blaming LL for what happened. They are big enough that they are a high-profile target for hackers. And that means sooner or later someone will get you. I posted here so that they'll know about this and can start looking for how it happened. Because that's the only way to make sure that it doesn't happen again.
  11. Freya: It looks like you simply do not want to accept the facts. 1) ALL my SL-email accounts have received the phishing mail. 2) NONE of my other email-accounts have received it. I brought up my PayPal account, because that's what's being targeted. And because if someone were somehow scanning my ingoing/outgoing email for something to do with PayPal (because that's what they are targeting), then those other email-accounts would be affected as well. I HAVE investigated this. I checked my mailserver-logfiles. Nothing unusual there. Sure, the occasional attempt to send an email to a non-existing address. But nothing even close to the amount necessary to guess email-addresses that look something like this: "nicolette926478474@somedomain.de" You would need millions of attempts to guess such an email-address. And I would have found such a large-scale attack in my mailserver-logfiles. Plus if someone were to run such a huge attack, then why didn't they stumble on one of my other email-accounts too? I am not a noob when it comes to security. I have administered webservers for more than a decade now. I take security VERY seriously. LL's payment processor has (or at least used to have) all the SL email-addresses that are used with PayPal or credit-card payments to LL. I consider this a low-probability though. In the past your email-address would be listed on the checkout-page of the payment-processor. Currently this is no longer the case. And one of the affected email-addresses is relatively new. So I doubt that LL's payment processor has ever seen this one. I hadn't thought about that before. That leaves LL itself as the likely origin of the leak.
  12. If my incoming/outgoing data had been listened to, then not only SL addresses would be affected. I just checked and less than 5% of my emails are SL-related. I have also used PayPal in connection with some of the other email-addresses. Several web-hosters for example where I pay with PayPal. None of those email-addresses are affected. So if someone were to attack all my emails that have a connection to my PayPal usage, then why aren't those affected? Why are NONE of my other email-addresses affected? So far I see all but one of my SL-emails affected. And none of my other emails. To me the simplest possible explanation for this is that the email-addresses somehow leaked from SL. Edit: Now ALL my SL-emails have received the phishing email. Still NONE of my other email-accounts have received it.
  13. I'm not saying that SL is doing these phishing-attacks. They are certainly NOT doing that. I'm saying that they should try to find out how the data leaked from them. Either from them or their payment processor. Oh... and the 100 email addresses are useful. At least now I know where the leak came from. I can change the affected addresses, disable the old ones, and will not get any phishing/spam to them in the future.
  14. I do not use MS Exchange. I use hMailServer. The email-addresses can't just be "guessed" by some attacker. They are all in the form of "sl_user_firstnamexxxxxx@mydomain.de" where "xxxxxx" consists of several random digits. While the mail-server does respond with an error-message when trying to send to a non-existent email-address, this would be of no help here to the phisher. Simply because if someone had guessed these email-addresses, then not only my SL email-addresses would be affected, but others too. And that is not the case. Only email-addresses used for SL are affected. And I have about 100 others. I use a separate email-address for every place where I have to give an email-address. The chances that someone guessed several of my SL email-addresses, but NONE of the others are basically zero.
  15. Today I have received emails with PayPal phishing-attempts to several email addresses that I have ONLY used for Second Life. So far 5 email addresses (one for every Alt) have been affected. All phishing emails tried (unsuccessfully!) to lure me to a subdomain of gff23.com to "update my PayPal information". The subdomain differs between emails. The emails have been in German, but my location can easily be deduced from the domain-name of my email ending in ".de". I want to point out again that these email-addresses were NEVER used for anything else but SL. These emails were NEVER used for PayPal. They were only used for registering the various SL accounts. SL: You have a serious data-leak here! I had a similar problem about 2 years ago if I remember the timeframe correctly. Back then also only emails used for SL were affected. But back then it wasn't PayPal-phishing, just general spam-mails, in most cases for some casino or other. Do not even try to suggest that I myself am responsible for the leak of these email-addresses. My computers are secure. I have been an IT-professional for 20+ years. I host the mail-server myself. And NONE of my other email-addresses are affected by this. Only email-addresses used for SL. And the ones affected were never used for anything but SL.
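
The attribution argument made in posts 7 and 10 above (one receive-only alias per service, 8 of about 100 aliases hit by one campaign), worked through as an added example that is not part of the original posts. It assumes exactly 100 aliases picked uniformly at random; the `example.de` addresses, the `RCPT TO:` log lines and all function names are constructed for illustration.

```python
import re
from collections import Counter
from fractions import Fraction
from math import comb

RCPT = re.compile(r"RCPT TO:<([^>]+)>", re.IGNORECASE)

def build_registry():
    """Constructed registry: each receive-only alias -> the one service it was given to."""
    reg = {f"sl_alt{i}_{100000 + i}@example.de": "secondlife" for i in range(8)}
    reg.update({f"svc{i}_{200000 + i}@example.de": f"service-{i}" for i in range(92)})
    return reg  # 100 aliases in total, 8 of them used only for one service

def recipients(log_lines):
    """Collect lower-cased recipient addresses from SMTP-style log lines."""
    return {m.group(1).lower() for line in log_lines if (m := RCPT.search(line))}

def chance_tail(total, in_service, hits, hits_in_service):
    """P(at least hits_in_service of `hits` uniformly random aliases belong to the service)."""
    upper = min(in_service, hits)
    ways = sum(comb(in_service, i) * comb(total - in_service, hits - i)
               for i in range(hits_in_service, upper + 1))
    return Fraction(ways, comb(total, hits))

def attribute_leak(registry, log_lines):
    """Return (service, hits_in_service, chance) for the most-hit service, or None."""
    hit = recipients(log_lines) & registry.keys()  # ignore untracked recipients
    if not hit:
        return None
    service, n = Counter(registry[a] for a in hit).most_common(1)[0]
    size = sum(1 for s in registry.values() if s == service)
    return service, n, chance_tail(len(registry), size, len(hit), n)

# Constructed sample: one campaign delivered to all 8 SL-only aliases,
# plus one recipient that is not a tracked alias and is ignored.
SAMPLE_LOG = [f"RCPT TO:<sl_alt{i}_{100000 + i}@example.de>" for i in range(8)]
SAMPLE_LOG.append("RCPT TO:<postmaster@example.de>")

if __name__ == "__main__":
    service, n, chance = attribute_leak(build_registry(), SAMPLE_LOG)
    print(f"{service}: {n} hits, chance of coincidence {float(chance):.3g}")
```

The hypergeometric tail also covers the partial case, such as 7 of the 8 campaign hits landing on one service's aliases, where the chance of coincidence is larger but still negligible.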