Everything posted by Nicolette Lefevre

  1. Solar Legion wrote: Sorry Nicolette - you're wrong and I won't be discussing this with you at all. You gave Linden Lab your e-mail address and it is up to them to secure it on THEIR server systems. Their responsibility ENDS there. From there, it is the responsibility of whoever owns the systems that address passes through to secure THEIR systems. Sorry, that's the way it is.

     No Solar, I'm right. It is definitely LL's responsibility. If you do something yourself you have 100% control and 100% of the responsibility. The thing that a lot of people (including you) don't get, is that if you outsource something, you will always lose at least part of the control, but you still keep 100% of the responsibility. You can NOT outsource responsibility. If you outsource something to someone who then makes an error, then it was your fault for outsourcing to the wrong company.
  2. Solar Legion wrote: Again, here we're going to have to agree to disagree. The systems at LL's end of things are the systems they themselves own and operate. That is "LL's end". Anything outside of it, including outsourced systems, exists between the user and Linden Lab.

     Wrong! From the moment I give LL my email-address, taking care that that info doesn't leak is LL's responsibility. If LL chooses to outsource certain things and hand over my information to others, then whatever happens is *still* within LL's responsibility. I didn't enter into a contract with that other company, I don't even know that other company. So whatever information I give LL, it is solely their responsibility to safeguard it. They cannot deny responsibility because they outsource certain things. If LL chooses an untrustworthy company to outsource things, then I'll blame LL for that.
  3. Last time I received one of these bulk emails from LL, it was about the Valentine's Gift. That one was sent using Amazon Simple Email Service (Amazon SES). One of the email-addresses on which I received the phishing-attack, didn't yet exist back then. I created that email-address about two weeks after the Valentine's Gift emails were sent by LL.
  4. Mail headers can only give you an (unreliable) indication from where the emails were sent. They do NOT give you an idea on how the email-addresses were acquired. And the latter part is the one that worries me.

     All 8 emails that I received appear to be originating from the same server. The WHOIS information on that IP is kinda weird. The IP-block appears to be registered to a company in Iceland, but the technical/abuse contact is listed as a person in Croatia. Even if the WHOIS information is correct, there is nothing to suggest that the legal owner of that server is actually responsible for this. Only a very, VERY stupid phisher would send emails from a server that can be traced back to him. In all likelihood that server was hacked and then used to send out the emails.

     The emails were not sent directly from that server, but used various web-mailers as an intermediate step. Either using hacked accounts on those servers or accounts that were registered by the phisher himself for the sole purpose of sending out the emails from there. I saw emails from att.net, gmx.de, gmx.at, me.com, online.de and libero.it.

     To me this looks like a well-prepared attack. Unlike most phishing emails, the German text was almost flawless. That is VERY unusual for phishing emails. Even if a phisher wants to ultimately target all countries he would be wise to start a test in one country first. See what works and what doesn't and then move on to the next target-area. That way you can improve your attack while working through your pile of email-addresses. Targeting only one country may also be a problem of capacity. Sending out a huge volume of emails is technically difficult. Especially if your aim is to get it past as many spam-filters as possible. If you send too fast, you will trigger alarm bells all over the place.
  5. HoppytheWanderer wrote: I can think of a few things to try to correlate, to see if those might be related: 1. Do you have 'Auto Play Media' turned on? Turn it off. It's probably the worst security nightmare out there I can see. I've run into sim where there are objects "streaming" things like seo sites, and none will be the wiser if you don't look at currently playing media. I have no idea how secure the internal web browser is but I don't have high confidence in it. 2. Do you do any kind of object scripting that could expose your email address? Doesn't sound likely, or you'd have found it by now I'm betting 3. Are you hitting the same marketplace vendors with each alt? I've gotten spam from certain vendors before and while they didn't directly get my email, I wonder if there's a clever way they could use your username info to get an email to you with the spam in it. 4. And related to #1, are the other people you know going to the same sim? Start checking the scripted objects in the area.

     Auto-Play Media is turned off. I agree with your opinion that it is a security nightmare. That's also why I have the internal browser disabled. I have the viewer configured to use Firefox. And that one has the NoScript plugin installed, so only sites approved by me get to run any Javascript or plugins like Flash in Firefox. Also, no object scripting that could expose my email-address either. And while I have a few favorite vendors from whom I bought stuff with several of my alts, I don't think that there is one that all the alts have bought from. Some of the alts haven't been used in a looooooong time. Probably half of them haven't agreed to the latest TOS yet. I haven't been using SL a lot lately. I shut down most of my operations a few months ago. I've been only logging in about once every 2 weeks since then.
  6. I have two actual email-accounts. Let's call them "myname@myprivatedomain.de" and "myname@myworkdomain.de". All the other email-addresses forward to one of those two. And all my email-addresses are on one of these two domains. Email for both domains is hosted on the same server and handled by the same program. So all the forwarding is done internally within this program.

     All my SL email-addresses are forwarded to "myname@myprivatedomain.de". Among a bunch of other aliases that also land in that inbox. Only the actual two mail-accounts will ever appear as my sender-address. So I never sent any email from the email-addresses used exclusively for SL. These are receive-only.

     Some of the affected email-addresses are several years old, but the newest one was created in February of this year. So the leak must have happened sometime between now and late February.

     I have some addresses that are somewhat public knowledge. The "webmaster@" aliases for example. But also the actual account names. My work account is frequently used as a contact-address on press-releases. None of those received these specific phishing emails. They get some spam and phishing of course, but they didn't get that specific phishing-email. None of my about 100 aliases got that one except the 8 ones used for SL. The only realistic possibility for those 8 ones to be targeted and none of the others is that the leak happened somewhere at LL. Or maybe at some subcontractor of SL that has access to them. Which would also make it LL's responsibility IMO.

     Overall the email-addresses used for SL, account for a small amount of my incoming email. Probably in the 5-10% range. And of course my mail-client has auto-fetch of external images disabled. So don't even think of this being caused by some tracking-images in incoming emails.

     And yes, I do absolutely rule out "user error" on my part. If that were the case, then it would be very, Very, VERY unlikely that only the SL-addresses were affected. I've said it before, statistical probability for this being just a coincidence is about 1 in 186 billion.
  7. What do you want me to paste? Error-logs from LL's own servers that prove how they were hacked? I naturally do not have access to those. Or my own mail-server logfiles? Not gonna happen as that logfile contains private information that I'm not going to disclose. The header-lines of the emails? They also contain information that could identify me, and without that information the header-lines of the emails would be useless.

     And to state it yet again: I have 8 different email-addresses that I use for SL and for nothing else. All of them have received the same phishing-email. The emails differ only slightly in the link-URL (which contains the encoded email-address) and they have several different senders. The text of the emails is the same in every single case. These 8 emails arrived over a 4-hour timeframe yesterday.

     My affected email addresses each contain several random numbers that make it highly unlikely that they can be "guessed" by a brute-force attack. I'm hosting the mail-server myself, so my email-addresses can also not be found by hacking some 3rd-party email-provider.

     I have about 100 email-addresses in total. None of the non-SL addresses have received this phishing-email. Not a single one. The statistical chance of this being just a coincidence is about 1 in 186 billion. So for all practical purposes that rules out the possibility that my own server was hacked. Because if that were the case, not only the email addresses used for SL would be affected, but all of them.

     There are other reports here in this thread that people have received the same phishing-email to an email-account that they only use for SL. Now, what more do you want before you come out of denial? You are not helping at all here. So why don't you just do what you promised several times, and just leave this thread alone?
  8. I agree about the link. I would even go a step further. Ivor, you should remove everything before the gff23.com and everything after the "?". Because quite frankly, by posting that link you actually told everyone here your email-address. It's encoded in the link. And Freya, I see you still think that this is not SL's fault, even though every single piece of evidence is clearly pointing in that direction.
  9. You are not just unable to see it, you are UNWILLING to see it. And that is why you try to ridicule me. Doesn't work. You are only ridiculing yourself.
  10. I'll try again: I have received today's phishing-attack on 8 email-addresses. All of them are used only for SL. So only two parties should know these addresses. Me myself and LL.

     If the leak were on my side, why were the email-addresses used for SL affected and NONE of the other ones? We are talking about 8 out of about 100 addresses. If the leak were on my side, then the affected email-addresses should be random picks out of the available pool. A little skewed probably depending on how much I use the various addresses. But still close to being random. And for a random pick of 8 out of 100 we are talking about a chance of 1 in 186 billion that it is just coincidence that these specific 8 were picked. And 1:186bn is about 1000 times less likely than hitting the jackpot in a lottery. That makes the other explanation, that the leak happened at LL look MUCH more likely.

     As for people getting phishing-emails who are not on SL: I'm not surprised. Every phishing-attack can have multiple sources of email-addresses. And there are probably several different phishing-attacks against PayPal running at any given time.

     And as for how I sound: I didn't come here to offend anyone. But I also didn't come here to be offended by someone plainly denying the evidence and saying that the fault probably was my own when the evidence clearly states otherwise. I'm not actually blaming LL for what happened. They are big enough that they are a high-profile target for hackers. And that means sooner or later someone will get you. I posted here so that they'll know about this and can start looking for how it happened. Because that's the only way to make sure that it doesn't happen again.
  11. Freya: It looks like you simply do not want to accept the facts. 1) ALL my SL-email accounts have received the phishing mail. 2) NONE of my other email-accounts have received it.

     I brought up my PayPal account, because that's what's being targeted. And because if someone were somehow scanning my ingoing/outgoing email for something to do with PayPal (because that's what they are targeting), then those other email-accounts would be affected as well.

     I HAVE investigated this. I checked my mailserver-logfiles. Nothing unusual there. Sure, the occasional attempt to send an email to a non-existing address. But nothing even close to the amount necessary to guess email-addresses that look something like this: "nicolette926478474@somedomain.de" You would need millions of attempts to guess such an email-address. And I would have found such a large-scale attack in my mailserver-logfiles. Plus if someone were to run such a huge attack, then why didn't they stumble on one of my other email-accounts too?

     I am not a noob when it comes to security. I have been administering webservers for more than a decade now. I take security VERY seriously.

     LL's payment processor has (or at least used-to have) all the SL email-addresses that are used with PayPal or credit-card payments to LL. I consider this a low-probability though. In the past your email-address would be listed on the checkout-page of the payment-processor. Currently this is no longer the case. And one of the affected email-addresses is relatively new. So I doubt that LL's payment processor has ever seen this one. I hadn't thought about that before. That leaves LL itself as the likely origin of the leak.
  12. If my incoming/outgoing data had been listened to, then not only SL addresses would be affected. I just checked and less than 5% of my emails are SL-related. I have also used PayPal in connection with some of the other email-addresses. Several web-hosters for example where I pay with PayPal. None of those email-addresses are affected. So if someone were to attack all my emails that have a connection to my PayPal usage, then why aren't those affected? Why are NONE of my other email-addresses affected? So far I see all but one of my SL-emails affected. And none of my other emails. To me the simplest possible explanation for this is that the email-addresses somehow leaked from SL. Edit: Now ALL my SL-emails have received the phishing email. Still NONE of my other email-accounts have received it.
  13. I'm not saying that SL is doing these phishing-attacks. They are certainly NOT doing that. I'm saying that they should try to find out how the data leaked from them. Either from them or their payment processor. Oh... and the 100 email addresses are useful. At least now I know where the leak came from. I can change the affected addresses, disable the old ones, and will not get any phishing/spam to them in the future.
  14. I do not use MS Exchange. I use hMailServer. The email-addresses can't just be "guessed" by some attacker. They are all in the form of "sl_user_firstnamexxxxxx@mydomain.de" where "xxxxxx" consists of several random digits. While the mail-server does respond with an error-message when trying to send to a non-existent email-address, this would be of no help here to the phisher. Simply because if someone had guessed these email-addresses, then not only my SL email-addresses would be affected, but others too. And that is not the case. Only email-addresses used for SL are affected. And I have about 100 others. I use a separate email-address for every place where I have to give an email-address. The chances that someone guessed several of my SL email-addresses, but NONE of the others are basically zero.
  15. Today I have received emails with PayPal phishing-attempts to several email addresses that I have ONLY used for Second Life. So far 5 email addresses (one for every Alt) have been affected. All phishing emails tried (unsuccessfully!) to lure me to a subdomain of gff23.com to "update my PayPal information". The subdomain differs between emails. The emails have been in German, but my location can easily be deduced from the domain-name of my email ending in ".de".

     I want to point out again that these email-addresses were NEVER used for anything else but SL. These emails were NEVER used for PayPal. They were only used for registering the various SL accounts. SL: You have a serious data-leak here!

     I had a similar problem about 2 years ago if I remember the timeframe correctly. Back then also only emails used for SL were affected. But back then it wasn't PayPal-phishing, just general spam-mails, in most cases for some casino or other.

     Do not even try to suggest that I myself am responsible for the leak of these email-addresses. My computers are secure. I have been an IT-professional for 20+ years. I host the mail-server myself. And NONE of my other email-addresses are affected by this. Only email-addresses used for SL. And the ones affected were never used for anything but SL.
  17. Ela Talaj wrote: I send to my customers mailing list once a month and sometimes none in two months... lol... cuz I forget about it or too busy to write a newsletter and still some (small percentage though) complain of "spam".

     That is because if they didn't explicitly opt-in to receive your newsletter it IS spam! It annoys me massively when I have to click "Discard" to various notecard or texture offers when I login. I never subscribed to any of these newsletters and yet I get about a dozen. The real "highlight" are the ones that do not include information about how to unsubscribe or who continue to send me newsletters after I have unsubscribed AND gotten confirmation that I have been removed from their list. I have two very simple rules about these newsletters. If I didn't subscribe to them I will send an abuse report, and will NEVER EVER buy from that shop again. And IMO this is what everyone should do. The whole annoying problem would disappear very quickly. Please note that I have absolutely no problem with such newsletters if I have explicitly opted-in. In that case it would have been my own conscious decision that I want to receive it.
  18. Ok, a script can only send money from the owner of the script to someone. So whatever script did this it must have been owned by the original poster. This does NOT look like there was an invisible prim put over the vendor. To me this looks much more like someone found a way to add a malicious script to the vendor. To the original poster: You may want to check your vendor. Actually all of them. That script may still be in there. But if the author of the script was even halfway intelligent, then the script will have deleted itself after it was done sending the money. I can think of only two ways this could be done. If the vendor has an update-function then that may have been used to inject a malicious script. Not by the creator of the vendor but by someone who managed to somehow get the PIN needed to allow this. The other way would be to "give" the script to the vendor. In theory simply resetting scripts should not set the new script running. According to the documentation you will need to recompile the script or take the object into inventory and re-rez it.
  19. You really don't seem to get it, do you? Let me explain... Avatar XYZ views an obscure product offered by merchant ABC on Marketplace. So obscure in fact that XYZ is the only person on that day to watch that page. Even further, XYZ buys that product. Now merchant ABC has the name of avatar XYZ in his/her transaction log. And with Google Analytics merchant ABC would also have the IP-address of XYZ. I don't like this scenario. It can be abused. And that means it WILL be abused! I agree with you that most merchants would not abuse this. But it only takes ONE bad guy. Second Life relies A LOT on the fact that avatars can't be traced back to their RL identities. If that separation breaks down it will hurt SL deeply.
  20. If anybody besides LL would have access to the IPs of people who are visiting MP pages, then I'm STRONGLY OPPOSED to that!!! Has everybody already forgotten the privacy implications of this? Have all (well... most) of you already forgotten the Redzone and Emerald scandals? Well, looks like it's about time to remind you of those. To make things absolutely clear to merchants and to LL: If I ever see Google Analytics on any Marketplace page, then that will be the moment I'm gonna stop using Marketplace! It is my decision where to spend my money. And I will NOT spend my money on people who try to invade my privacy! BTW: Ann Otoole is not the only one who has Facebook blocked in their Hosts file. All Facebook domains resolve to 127.0.0.1 on my computers. And I have Javascript disabled for all but trusted sites too. And Google is NOT trusted by me.
  21. Sassy Romano wrote: Just like the one dance ball vendor who adds you to the list automatically when you visit the shop and refuses to take you off when asked in IM. "I'm too busy, send a notecard" was the reply. "Um, but I've just asked you right now, why send a notecard?" said I. Then it was claimed that I was muted for daring to ask to be removed from a spam list that I didn't ask to be put on in the first place. Far too many dysfunctional merchant practices in SL unfortunately.

     Ah yes. I know that vendor. I think that one was the first one ever that *I* muted :-)
  22. I second this. I already stopped buying from several merchants because of this. One has even been one of my favorites before they started spamming me with regular updates via inventory-offers. I am NOT going to tolerate or even encourage this kind of behavior by continuing to give them my money.
  23. I just came across this: http://www.sys-con.com/node/1878888 Excerpt: "Scientists from the Darmstadt Research Center for Advanced Security (CASED) have discovered major security vulnerabilities in numerous virtual machines published by customers of Amazon’s cloud. From 1100 public Amazon Machine Images (AMIs), that are used to provide cloud services, about 30 percent are vulnerable, allowing attackers to manipulate or compromise web services or virtual infrastructures." Given that LL uses AWS a lot that may be an explanation on how data could leak. 
  24. Oh, one more thing that I forgot to mention... Of my 3 affected accounts 2 are pretty old. I entered the credit-card data there a looong time ago. Meaning 2+ years ago. Only for the 3rd affected account do I remember seeing the local payments options. So despite the fact that I used my credit-card on all 3 accounts during the last 6 months (and also on another account to whose email-address I did NOT get any spam-mails), at least for the 2 older accounts I'm not sure if these payments were actually handled by Dragonfish or maybe by some older system.
  25. There has been a new post in the blog Head Shakers From A Metaverse about all this and there are some points in that post that I want to comment on. I'm doing it here instead of in the blog because I would like to keep all the information in one place.

     "If an email address is used for Second Life only, the last time it was probably entered anywhere was when the email account on the Second Life website was updated – assuming people pull their emails down to an email client or it will be used to log into the mail provider if accessed via the web. Although, web access does increase the chance that spyware could capture it."

     It is correct that I have entered my SL email-address only once on account-creation. I use the standard email-client on Mac OS and on my iPad to access my email. The email-address (well, 3 actually) in question isn't an actual email-account, but an email-alias. That means I can receive email on that address, but not send from it. Incoming email gets "forwarded" to a real account. But of course the incoming emails sit in my Inbox with that SL-only address in the "To:" field of the email. So in theory if some spyware were to access my email-data it could see that email-address. I do get a lot of emails to the address used for SL, but I do get even more emails to my other addresses. So if a spyware were to collect addresses from my Inbox, then it is reasonable to assume that addresses which have NOT been used for SL would be affected too. But they are not. Only 3 addresses used for SL have received the spam-mails. And 2 of those 3 have never been used for anything but SL. The other one dates back to a time before I started to use a separate email-address for every account I create somewhere.

     "Those who have identified the spam emails claim their machines are spyware free. Although none have yet said if they run scheduled checks and if they’ve reviewed the logs down the last few months to see if anything has been picked up."

     On my Windows machine Microsoft Security Essentials is running, checking opened applications and files all the time and running regular scans of the entire machine. It has never found anything. I don't bother doing any checking on my Mac. I ran the full scan on the Mac with Bitdefender on Thursday just to have a clear argument that spyware is not the cause of this.

     "As Linden Lab are so publicly committed to protecting our data, I would have expected them to contact those who are currently claiming that spyware is not the cause of this to ask them for the emails, to check their logs to see if any spyware has been removed in the last few months and to ask them where they use the email addresses in question."

     I have in fact been contacted by JP Linden on Wednesday, asking me to send him a copy of the spam-mail which I did. He also asked me to forward anyone to him who has the same problem. I was contacted via IM by someone else later that day and did give her JP's name. As far as I am aware she did send him an IM.

     "Given another week this will have passed from most memories and this will have been just another blip on the horizon."

     Won't happen. Because I will not LET it happen. I will of course give LL a bit more time to get to the bottom of this as I am aware that it won't be easy for them to figure out. But if/when I get the impression that enough time has passed for them, then I will take this up a notch and contact some local computer magazines. They have done articles about the RL-me in the past, so they'll know that I'm not someone to make these accusations lightly. I'm sure they'll pick up this story. Privacy is a BIG topic here in Germany. These are some of the biggest computer magazines in Germany and them covering this story will be BAD news for LL. Also I think a post on Slashdot may also get some coverage. Not sure about that though as I have never tried to get a story on Slashdot before. Could just as well be that this just isn't big enough for them.
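
The one-alias-per-service reasoning in the posts above (about 100 addresses, 8 of them used only for SL, one phishing text reaching only those 8) can be checked mechanically. This is an added example, not code from the poster or from Linden Lab; the alias names, service labels and inbound records are constructed, and "addresses picked at random" is the model the posts themselves assume.

```python
from collections import defaultdict
from fractions import Fraction
from math import comb

# Constructed alias table: 8 aliases handed only to "SL", 92 handed to
# 92 unrelated services (one alias each), 100 in total as in the posts.
SL = [f"sl_alt{i}_{100000 + 7919 * i}@example.de" for i in range(8)]
OTHER = [f"svc{i:02d}_{200000 + 104729 * i}@example.de" for i in range(92)]
ALIASES = {a: "SL" for a in SL}
ALIASES.update({a: f"service-{i:02d}" for i, a in enumerate(OTHER)})

# Constructed inbound records: (recipient, message fingerprint). A fingerprint
# stands for "same text apart from the per-recipient link and sender".
INBOUND = [(a, "paypal-update-de") for a in SL]
INBOUND += [(OTHER[3], "casino-bonus"), (OTHER[17], "casino-bonus"),
            (SL[2], "casino-bonus"), ("nobody@example.de", "casino-bonus")]


def chance_all_in_group(total, group_size, hits):
    """Chance that `hits` addresses picked at random, without replacement,
    from `total` addresses all land inside one group of `group_size`."""
    if hits > group_size:
        return Fraction(0)
    return Fraction(comb(group_size, hits), comb(total, hits))


def attribute(aliases, inbound):
    """Per campaign: which services' aliases it reached and, when exactly one
    service is involved, how likely that outcome is under random picking."""
    group_sizes = defaultdict(int)
    for service in aliases.values():
        group_sizes[service] += 1

    hit = defaultdict(set)
    for rcpt, fingerprint in inbound:
        if rcpt in aliases:  # mail to non-existent recipients says nothing
            hit[fingerprint].add(rcpt)

    report = {}
    for fingerprint, rcpts in hit.items():
        services = {aliases[r] for r in rcpts}
        entry = {"hits": len(rcpts), "services": sorted(services),
                 "chance_if_random": None}
        if len(services) == 1:
            (service,) = services
            entry["chance_if_random"] = chance_all_in_group(
                len(aliases), group_sizes[service], len(rcpts))
        report[fingerprint] = entry
    return report


if __name__ == "__main__":
    for name, entry in attribute(ALIASES, INBOUND).items():
        print(name, entry)
    # The earlier state described in the thread: 5 hits, all on SL aliases.
    print("5 of 8:", chance_all_in_group(100, 8, 5))
```

A single-service result narrows the source to whoever held exactly that set of addresses; it does not distinguish between that party's own systems and any subcontractor it passed the addresses to.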