Widespread Email Compromise at Yahoo/Xtra

Forums › Telecom New Zealand, XT Network, Yahoo!Xtra › Widespread Email Compromise at Yahoo/Xtra

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13

4269 posts

Uber Geek

Reply # 759602 11-Feb-2013 16:10
cyril7: Hi Mike, you will not see anything in the sent items folder even on the web interface, your contacts list was harvested by this rouge who then sent the emails outside of the Yahoo system. Cyril Although it still goes though the outgoing yahoo servers, as can be seem in the email headers. They probably are just bypassing the webmail interface with their own scripts.

sleemanj

900 posts

Ultimate Geek

Reply # 759603 11-Feb-2013 16:12
cyril7: Hi Mike, you will not see anything in the sent items folder even on the web interface, your contacts list was harvested by this rouge who then sent the emails outside of the Yahoo system. All the headers I've seen indicate that the Yahoo SMTP servers were the ones delivering from victim to recipient. Yahoo is/were the ones delivering the spam from their network. Which indicates that either 1. they were open relay - unlikely 2. the attack used the webmail system to send 3. the attack was able to harvest (or change) username/password and authenticate to the SMTP server 4. the attack used their own yahoo account to send a joe-job I'd say 2 or 3 were most likely. --- James Sleeman My hobby - listing small amounts of interesting/useful hobby electronic components hardware and stuff on Trademe for cheap, all good geek stuff for the "maker" revolution ;-) Tip for Trademe addicts: install an addon for your browser to get thumbs for all listings.

cyril7

5678 posts

Uber Geek

Trusted

Subscriber

Reply # 759607 11-Feb-2013 16:14
ok ok, but essentially it was not processed as usual, so does not appear in your sent folder. Cyril

MikeSkyrme

209 posts

Master Geek

Trusted

Reply # 759608 11-Feb-2013 16:15
sleemanj: cyril7: Hi Mike, you will not see anything in the sent items folder even on the web interface, your contacts list was harvested by this rouge who then sent the emails outside of the Yahoo system. All the headers I've seen indicate that the Yahoo SMTP servers were the ones delivering from victim to recipient. Yahoo is/were the ones delivering the spam from their network. Which indicates that either 1. they were open relay - unlikely 2. the attack used the webmail system to send 3. the attack was able to harvest (or change) username/password and authenticate to the SMTP server 4. the attack used their own yahoo account to send a joe-job I'd say 2 or 3 were most likely. Cyril, Andy, Matt, James, thank you for the explanantions. Michael Skyrme - Instrumentation & Controls

networkn

4757 posts

Uber Geek

Trusted

Subscriber

Reply # 759615 11-Feb-2013 16:30
We just got a flood of new xtra.co.nz ones and customers have started calling again!

wasabi2k

173 posts

Master Geek

Reply # 759629 11-Feb-2013 16:58
Well done - you're on slashdot... tech.slashdot.org/story/13/02/11/0029201/widespread-compromise-of-yahoo-backed-email-in-new-zealand

MackinNZ

177 posts

Master Geek

Subscriber

Reply # 759646 11-Feb-2013 17:20
The problem is NOT fixed, spam messages from Xtra/Yahoo are still arriving as of 4.30 pm today. Same type of message.

LennonNZ

Just A Geek
1582 posts

Uber Geek

Trusted

Subscriber

Reply # 759671 11-Feb-2013 17:59
The "incident" has hit slashdot now (The top story) and this thread is linked off it :-) Look out geekzone. I got /.ed once .. Wasn't very nice :-)

freitasm

BDFL
43785 posts

Uber Geek

Administrator

Trusted

Geekzone

Subscriber

Reply # 759673 11-Feb-2013 18:01
Thanks again to whoever posted the link. And don't worry, /. is not what it used to be... Mauricio Freitas (Geekzone Admin, Devil's Advocate, my blog, technology disclosure, my tweets, Web Performance Optimization) Geekzone Price comparison \| Amazon Kindle order page \| How to get the best out of Geekzone \| New Zealand IT Jobs \| Geekzone News \| Jinglebugs

mattwnz

4269 posts

Uber Geek

Reply # 759680 11-Feb-2013 18:12
TVNZ has it as one of their top stories, and they said it was now fixed.

aspired

5 posts

Wannabe Geek

Reply # 759858 12-Feb-2013 05:59
They defiantly still have issues, maybe the exploit has been resolved, but plenty of email accounts are still compromised. MTA's I monitor have been receiving 200+ spam emails an hour all night from Xtra & Yahoo addresses.

KiwiTT

67 posts

Master Geek

Reply # 759882 12-Feb-2013 08:52
I have changed my *username* password on Yahoo, do I also need to change my *username*.xadsl password as well.

Klathman

86 posts

Master Geek

Reply # 759886 12-Feb-2013 09:00
Looks like round two of the phishing attacks have started. My parent's business received a call from "Telecom" telling them that they needed to change their broadband and email passwords. Funny thing is that while they're with Telecom their email is on the business platform which I believe is unrelated to Yahoo. I got a panicked call about it so told them it was likely fake and to ring back Xtra to get confirmation. If it does turn out true though it will change the hack substantially.

andynz

166 posts

Master Geek

Reply # 759891 12-Feb-2013 09:07
Klathman: Looks like round two of the phishing attacks have started. My parent's business received a call from "Telecom" telling them that they needed to change their broadband and email passwords. Funny thing is that while they're with Telecom their email is on the business platform which I believe is unrelated to Yahoo. I got a panicked call about it so told them it was likely fake and to ring back Xtra to get confirmation. If it does turn out true though it will change the hack substantially. Thanks for letting us know. Sounds like people in NZ are getting on the bandwagon maybe? Guess it reminds everyone not to respond to unsolicited communication. Hopefully Xtra will be a bit more proactive today in informing all Xtra/ADSL users via the press, emails etc.

plambrechtsen

904 posts

Ultimate Geek

Trusted

Telecom NZ

Reply # 759920 12-Feb-2013 10:03
Hey everyone, sorry I have been MIA yesterday. Was a tad of a crazy day. I'll be online a bit more today. If anyone has any recent spam they got today or late last night ideally could you forward the full email including the headers to our team mailbox ort@telecom.co.nz and I will forward them on. If you're using a web-mail client you can find some instructions here: http://telecom.custhelp.com/app/answers/detail/a_id/4019 If you're using a full client such as Outlook or Thunderbird on your computer http://telecom.custhelp.com/app/answers/detail/a_id/14504 It's still being actively investigated and some recent spam emails including full headers would be extremely useful. I work for Telecom, but as always my views are my own.

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13