mattwnz
#759602 11-Feb-2013 16:10

cyril7: Hi Mike, you will not see anything in the sent items folder even on the web interface, your contacts list was harvested by this rogue who then sent the emails outside of the Yahoo system.

Cyril


Although it still goes through the outgoing Yahoo servers, as can be seen in the email headers. They probably are just bypassing the webmail interface with their own scripts.



sleemanj

#759603 11-Feb-2013 16:12

cyril7: Hi Mike, you will not see anything in the sent items folder even on the web interface, your contacts list was harvested by this rogue who then sent the emails outside of the Yahoo system.


All the headers I've seen indicate that the Yahoo SMTP servers were the ones delivering from victim to recipient.  

Yahoo is/were the ones delivering the spam from their network.  Which indicates that either
 1. they were open relay - unlikely
 2. the attack used the webmail system to send
 3. the attack was able to harvest (or change) username/password and authenticate to the SMTP server
 4. the attack used their own yahoo account to send a joe-job

I'd say 2 or 3 were most likely.





---
James Sleeman
I sell lots of stuff for electronic enthusiasts...
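
Added example (not part of any post in this thread): one way to read the Received chain of a reported message to tell the webmail-submission case (2) from the authenticated-SMTP case (3) listed above. It assumes the provider stamps webmail submissions "via HTTP" and authenticated SMTP with the RFC 3848 keywords ESMTPA/ESMTPSA; the sample message, hostnames and the `.provider.test` suffix are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed sample: every hostname and address is a placeholder.
SAMPLE = """\
Received: from nm1.mail.provider.test (nm1.mail.provider.test [192.0.2.10])
\tby mx.recipient.test with ESMTP id abc123; Mon, 11 Feb 2013 16:00:05 +1300
Received: from [198.51.100.7] by web1.mail.provider.test via HTTP;
\tMon, 11 Feb 2013 16:00:01 +1300
From: victim@provider.test
To: friend@recipient.test
Subject: hi

body
"""

HOP = re.compile(r"\bfrom\s+(?P<src>\S+).*?\bby\s+(?P<by>\S+)"
                 r"(?:.*?\b(?:with|via)\s+(?P<proto>[A-Za-z0-9]+))?")

def received_hops(raw):
    """Return Received hops ordered from origin to final delivery."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold the header
        if m:
            hops.append(m.groupdict())
    return hops[::-1]  # headers are prepended, so reverse them

def classify(raw, provider_suffix=".provider.test"):
    hops = received_hops(raw)
    if not hops:
        return {"relayed_by_provider": False, "injection": "unknown"}
    first, last = hops[0], hops[-1]
    # Only the hop written by your own MX (the last one) is trustworthy;
    # earlier hops are supplied by the sending side and can be forged.
    # "src" is the name the peer announced; confirm it against the peer IP.
    relayed = last["src"].lower().endswith(provider_suffix)
    proto = (first["proto"] or "").upper()
    if proto == "HTTP":
        injection = "webmail"
    elif proto in ("ESMTPA", "ESMTPSA"):
        injection = "authenticated-smtp"
    else:
        injection = "unknown"
    return {"relayed_by_provider": relayed, "injection": injection,
            "origin": first["src"]}
```
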


cyril7
#759607 11-Feb-2013 16:14

ok ok, but essentially it was not processed as usual, so does not appear in your sent folder.

Cyril



MikeSkyrme
#759608 11-Feb-2013 16:15

sleemanj:
cyril7: Hi Mike, you will not see anything in the sent items folder even on the web interface, your contacts list was harvested by this rogue who then sent the emails outside of the Yahoo system.


All the headers I've seen indicate that the Yahoo SMTP servers were the ones delivering from victim to recipient.  

Yahoo is/were the ones delivering the spam from their network.  Which indicates that either
 1. they were open relay - unlikely
 2. the attack used the webmail system to send
 3. the attack was able to harvest (or change) username/password and authenticate to the SMTP server
 4. the attack used their own yahoo account to send a joe-job

I'd say 2 or 3 were most likely.



Cyril, Andy, Matt, James, thank you for the explanations.




Michael Skyrme - Instrumentation & Controls

networkn
#759615 11-Feb-2013 16:30

We just got a flood of new xtra.co.nz ones and customers have started calling again!

wasabi2k
#759629 11-Feb-2013 16:58

Well done - you're on slashdot... tech.slashdot.org/story/13/02/11/0029201/widespread-compromise-of-yahoo-backed-email-in-new-zealand

 
 
 
 

MackinNZ
#759646 11-Feb-2013 17:20

The problem is NOT fixed, spam messages from Xtra/Yahoo are still arriving as of 4.30 pm today.  Same type of message.

LennonNZ
#759671 11-Feb-2013 17:59

The "incident" has hit slashdot now (The top story) and this thread is linked off it :-) Look out geekzone.

I got /.ed once .. Wasn't very nice :-)




freitasm
#759673 11-Feb-2013 18:01

Thanks again to whoever posted the link. And don't worry, /. is not what it used to be...






 


mattwnz
#759680 11-Feb-2013 18:12

TVNZ has it as one of their top stories, and they said it was now fixed.

aspired
#759858 12-Feb-2013 05:59

They definitely still have issues, maybe the exploit has been resolved, but plenty of email accounts are still compromised.
MTAs I monitor have been receiving 200+ spam emails an hour all night from Xtra & Yahoo addresses.

 
 
 

KiwiTT
#759882 12-Feb-2013 08:52

I have changed my username password on Yahoo, do I also need to change my username.xadsl password as well?




Desktop: Playtech Core i7-920 / Windows 7 64-bit Ultimate
Laptop: IBM T41 Pentium-M / Windows XP 32-bit Professional
Smartphone: Apple iPhone 5 64GB / iOS 6.1.0

Klathman
#759886 12-Feb-2013 09:00

Looks like round two of the phishing attacks have started.

My parent's business received a call from "Telecom" telling them that they needed to change their broadband and email passwords. Funny thing is that while they're with Telecom their email is on the business platform which I believe is unrelated to Yahoo.

I got a panicked call about it so told them it was likely fake and to ring back Xtra to get confirmation.

If it does turn out true though it will change the hack substantially.

andynz
#759891 12-Feb-2013 09:07

Klathman: Looks like round two of the phishing attacks have started.

My parent's business received a call from "Telecom" telling them that they needed to change their broadband and email passwords. Funny thing is that while they're with Telecom their email is on the business platform which I believe is unrelated to Yahoo.

I got a panicked call about it so told them it was likely fake and to ring back Xtra to get confirmation.

If it does turn out true though it will change the hack substantially.


Thanks for letting us know.  Sounds like people in NZ are getting on the bandwagon maybe?  Guess it reminds everyone not to respond to unsolicited communication.

Hopefully Xtra will be a bit more proactive today in informing all Xtra/ADSL users via the press, emails etc.

plambrechtsen
#759920 12-Feb-2013 10:03

Hey everyone, sorry I have been MIA yesterday.  Was a tad of a crazy day.

I'll be online a bit more today.

If anyone has any recent spam they got today or late last night ideally could you forward the full email including the headers to our team mailbox ort@telecom.co.nz and I will forward them on.

If you're using a web-mail client you can find some instructions here:

http://telecom.custhelp.com/app/answers/detail/a_id/4019

If you're using a full client such as Outlook or Thunderbird on your computer

http://telecom.custhelp.com/app/answers/detail/a_id/14504

It's still being actively investigated and some recent spam emails including full headers would be extremely useful.

