Wolfspirit Magic (Resident, 6 posts)

Everything posted by Wolfspirit Magic

  1. That is one thing a professional attacker might hope for: people who don't think of a data leak because they did not get a message, and who don't think it's logical not to target everyone at once. Why is it so hard to believe that someone might not attack everyone at once? Still, nobody says that Germany is the only target. As the mail was in German, the current wave looks German-only. The attacker might go and write a new mail in another language for another country soon. There are many points where a region-based target is better for the attacker than attacking everyone at once:
     - A localized mail targets more people of that country than a default English mail.
     - There might be much less of a "Be careful, there is phishing going on" warning inside the community, and mostly only within that region (Germany, for example). Once that has settled down, the next wave in another country mostly comes without a warning.
     - The servers the attacker is using might not be able to handle so much traffic to target everyone.
     - The company the data was leaked from (in this case possibly LL) might not assume a data leak, as the requests only come from part of the SL community, and in this case many Germans don't speak English, so they don't go and contact LL, but just delete the mail.
     As I said before, the mail addresses were not linked to PayPal and got a PayPal phishing attempt anyway. They were used only for Second Life. I don't really understand your point with "One's e-mail address need not be linked to an existing PayPal account".
  2. Nobody says that the person behind the phishing attempts targets exclusively PayPal or Germany. It might be one of many waves. Who knows if the person might do a different region with a different mail (Belgium or France, for example) and another payment method in a month? The message was in German; there is no reason for the attacker to send the mail to everyone. All my other mail addresses (even my main Google Apps address) don't get much spam (maybe 2 mails per day, sent directly to the spam folder, as was the case with these mails, too), while I have 6 catch-all domains and a googlemail address associated with it. That means that I don't get much spam, and I even take a look at what kind of spam I get. Otherwise I wouldn't have noticed. I use different catch-all addresses for nearly every service. That means that Google directly doesn't even know what mail address I use. Google just knows that it needs to redirect "*@mydomain.de" to my main Google Apps account. Sometimes (like in this case) I just use random characters. For example, "lraa@mydomain.de", "exfg@mydomain.de", "ssdv@mydomain.de", "blah@mydomain.de" are mail addresses I use for different services or alt accounts. I mostly don't even know what mail address I entered for a particular account. But that also means that I can distinguish incoming mails by the mail address they were sent to. The account was registered in 2009, and since then I have only got mails from SL. Not a single spam. But the phishing mail two days ago was sent to the mail address used for Second Life (lraa). None of the others (exfg, ssdv, blah...). The only way Google could have known the mail address is because I already got mails from Second Life at that mail address. There is a very small possibility that the leak came from there. But the leak is much more likely to have come from LL.
     I also had a user who got that mail at a mail address which has nothing to do with Second Life, but when I asked if the mail address was ever used for Second Life a while ago, he said "yes, it was used for Second Life but was then changed". That means that a leak might not be data from today but from a while ago. Around 80% of the German people I asked in Second Life got that mail, while 0% of the people I asked outside of SL got it. You mean LL is much more trustworthy than my ISP or Google? I don't think so. We all know that LL is not very transparent about what they do and what they don't do. In 2011 there was something similar happening, and LL said it's spyware on the computers of the people getting the spam, ignoring many people who said that they do not have any spyware and have tried many different antivirus solutions, none of which found anything. The fact that it even targets e-mail aliases speaks pretty much against spyware, as the alias usually is not configured anywhere. http://community.secondlife.com/t5/General-Discussion-Forum/Client-Data-leaks-from-LL/td-p/893203/page/6 It sure can be possible that the leak still is data from years ago. But did you get ANY information about a possible data leak back then? I didn't. In my personal opinion LL acts much less transparently than any other company I know of, and I assume that they will tell people that everything is caused by spyware on their computer again... (P.S.: Everything I wrote is my personal opinion)
  3. Domain actually is relevant. If I had a big list of mail addresses, I would at first choose one region (and not English .com, as that would be too obvious if I somehow got the mails from an English/American company), write a mail in that language, choose one widely used payment method and ask the user for more information. Who knows if the attacker maybe just got the German addresses somehow? The mail itself is not written in the usual "bad German" (except for a few typing issues), and even had HTML formatting in it. At first view the mail looks professional. As a professional attacker is not interested in Second Life accounts but in the money in the PayPal accounts, I don't know why you think it's telling that the attempt was for PayPal. Who in SL does not use PayPal? The website behind the phishing even wrote the mail address into the fake login form. The attacker seems to assume that everyone who uses the mail address also uses it for PayPal, which was wrong for both my cases. As I said earlier, the mail address I used was some random characters for registration in Second Life (e.g. lraa@mydomain.de). I never used that mail anywhere else (no PayPal or any other site, not even set up as a specific mail account, as it's a catch-all address). The only 3 parties who knew it were LL, Google as my mail provider (but only because of the mails I already got from LL) and LL itself. Once I clicked that link (for testing purposes), the fake PayPal form showed "lraa@mydomain.de" as the login. That means the attacker does not know if there even is a PayPal account behind it. However, the malicious script seems to have been removed from the domain and the server was reinstalled (it looks like). Maybe the server was hacked and the owner found that. Still it feels weird that
  4. Do you have a ".de" mail address? If not, then this will explain why you did not get that phishing attempt. All my other mail addresses with a ".eu" domain did not get it. Just the two with ".de". And it has nothing to do with PayPal, as the mail address I used was never used for PayPal. In my opinion it's an attempt on many German Second Life mail addresses, focusing on people who might use PayPal (like many people in Second Life do). Nearly every German friend I talked to yesterday got that mail at their SL mail address, no matter if they use PayPal or not. It's not just one. I sent the plain mail to secure@lindenlab.com but didn't get a response yet. Not sure if that account is even checked. I might open a JIRA ticket maybe.
  5. As a response to my group notice sent out regarding the PayPal phishing in the official Firestorm Support Group for Germany, I got many responses from people who got that mail. Everyone who got that mail got it via a mail address that either is used or was used for Second Life. Also, nearly every (German) friend of mine got that mail, too. I assume that especially mail addresses with ".de" were targeted, as the mail is written pretty well in German. Once you enter data into the form, the link becomes invalid and redirects to Google with the search query "paypal.de" for me, which is a wrong redirection in the attacker's source code in my opinion (a redirect to paypal.de instead of http://paypal.de, for example, which fires the local search engine). I assume that the attacker has a database with all mail addresses he sent out to and checks if the link was used before. (The mail address is encoded via base64 in the URL.) LL's support chat was not helpful and told me that he can't do anything, that only staff can see the mail address and that the staff does not send out phishing mails (great support). However, there were mails going to LL and I hope there's a response soon.
  6. Today I got two German PayPal phishing mails. Both went to mail addresses used for Second Life. The problem is that one of the mail addresses is ONLY used for Second Life. I have my own domain, and I registered an alt account with random characters as the name (catch-all, so not listed anywhere). I never entered that mail address anywhere else than the registration form of Second Life. NEVER. The only things I get at that mail address are Second Life things and nothing else, except the PayPal spam today. I'm using Google Apps. I am more sure than anything that the phishers got the mail address from Second Life. There is NO way that it comes from anywhere else. According to support chat, only staff can see mail addresses, and I personally feel like there is a big privacy issue going on here.
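The per-service catch-all alias scheme these posts rely on (a random local part handed to exactly one service, so the address a phishing mail lands on names the party that leaked it), together with the detail in post 5 that the address travels base64-encoded inside the phishing link, lends itself to a small attribution script. What follows is an added example and not code from the poster, from Firestorm or from Linden Lab; the alias registry, the `phish.example` host, the `u`/`lang` query parameters and the sample recipient list are all constructed for the example, and only the `lraa@mydomain.de` alias is quoted from the posts.

```python
import base64
import binascii
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed alias registry (hypothetical data): one random catch-all local
# part per service, so the recipient address of a mail identifies who got it.
ALIAS_REGISTRY = {
    "lraa@mydomain.de": "secondlife",
    "exfg@mydomain.de": "webshop",
    "ssdv@mydomain.de": "hosting-provider",
    "blah@mydomain.de": "mailing-list",
}


def _decode_base64_text(value):
    """Decode a base64 or base64url token, tolerating stripped padding.

    Returns the decoded text, or None if the token is not base64 or does not
    decode to printable UTF-8 (ordinary words such as "paypal.de" fall out here).
    """
    token = unquote(value).strip()
    token += "=" * (-len(token) % 4)  # restore padding the attacker may have dropped
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            text = decoder(token).decode("utf-8")
        except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
            continue
        if text.isprintable():
            return text
    return None


def extract_encoded_address(url):
    """Return the e-mail address hidden base64-encoded in a phishing link, or None.

    Query-string values are tried first, then path segments, so both
    /login.php?u=<b64> and /<b64>/index.php style links are handled.
    """
    parts = urlsplit(url)
    candidates = []
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        candidates.extend(values)
    candidates.extend(segment for segment in parts.path.split("/") if segment)
    for candidate in candidates:
        text = _decode_base64_text(candidate)
        if text and "@" in text and " " not in text:
            return text.lower()
    return None


def attribute_leak(url, registry=ALIAS_REGISTRY):
    """Map the address carried in a phishing link back to the service the alias was given to."""
    address = extract_encoded_address(url)
    if address is None:
        return {"address": None, "service": None, "note": "no base64-encoded address in link"}
    service = registry.get(address)
    if service:
        note = "alias was registered with exactly one service"
    else:
        note = "alias unknown: guessed, scraped, or leaked from somewhere not in the registry"
    return {"address": address, "service": service, "note": note}


def tally_by_service(recipients, registry=ALIAS_REGISTRY):
    """Count reported recipients per service, as when asking a group who received the mail."""
    counts = {}
    for address in recipients:
        service = registry.get(address.lower(), "unknown")
        counts[service] = counts.get(service, 0) + 1
    return counts


def build_sample_link(address, where="query"):
    """Build a constructed phishing-style link carrying ADDRESS base64-encoded without padding."""
    token = base64.urlsafe_b64encode(address.encode("utf-8")).decode("ascii").rstrip("=")
    if where == "path":
        return "http://phish.example/%s/index.php" % token
    return "http://phish.example/login.php?u=%s&lang=de" % token


if __name__ == "__main__":
    print(attribute_leak(build_sample_link("lraa@mydomain.de")))
    print(attribute_leak("http://phish.example/?r=paypal.de"))
    # Constructed report list: two hits on the Second Life alias, one on an unregistered address.
    print(tally_by_service(["lraa@mydomain.de", "LRAA@mydomain.de", "nobody@mydomain.de"]))
```

The decoder deliberately accepts both base64 alphabets and missing padding, because phishing kits rarely emit canonical base64; the printable-UTF-8 check is what keeps innocent query values from being mistaken for an encoded address. The tally mirrors the informal survey in the posts: if every reported hit maps to the same service's alias, the registry makes that observation checkable instead of anecdotal.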