Geekzone: technology news, blogs, forums
humvee

196 posts

Master Geek
+1 received by user: 6


  #797005 10-Apr-2013 10:21

plambrechtsen: For those that have had their accounts used for spamming.  If you could login to the Yahoo Login History page:

https://api.login.yahoo.com/login/history

And then email me the results of that (changing the dropdown from location to IP address) I would be interested to know.  Again to "pl at telecom.co.nz".

Plus any recent spam sent or received from the xtra or yahoo.co.nz domains would be appreciated.  And as always mail headers are essential :)

We are continuing to work with our partner Yahoo on this......


I have sent this to you in full

the suspect lines read as follows


Yesterday | 1:29 PM | Browser | Mail Access | Dominican Republic
1:29 PM | Yahoo!Xtra Mobile | Logged In | Dominican Republic






humvee

196 posts

Master Geek
+1 received by user: 6


  #797010 10-Apr-2013 10:28

humvee:
plambrechtsen: For those that have had their accounts used for spamming.  If you could login to the Yahoo Login History page:

https://api.login.yahoo.com/login/history

And then email me the results of that (changing the dropdown from location to IP address) I would be interested to know.  Again to "pl at telecom.co.nz".

Plus any recent spam sent or received from the xtra or yahoo.co.nz domains would be appreciated.  And as always mail headers are essential :)

We are continuing to work with our partner Yahoo on this......


I have sent this to you in full

the suspect lines read as follows


Yesterday | 1:29 PM | Browser | Mail Access | Dominican Republic
1:29 PM | Yahoo!Xtra Mobile | Logged In | Dominican Republic





6 Apr, 2013 | 8:14 AM | Browser | Logged In | 194.51.125.2
6 Apr, 2013 | 7:55 AM | Browser | Logged in to Mail | 194.51.125.2




ajobbins
5053 posts

Uber Geek
+1 received by user: 1279

Trusted

  #797038 10-Apr-2013 11:27

Damager: Got spam also from a friend on xtra.. Thing is, just talking to her now.. She closed that Xtra account 3 years ago.. Why are these accounts still open?


It's pretty clear that accounts are not being compromised by phishing. With people who never access or use their accounts getting hacked they are obviously getting in another way.

It seems Yahoo's approach of simply changing the password doesn't work. It's just a band aid. Clearly it slows the hackers down but as people are reporting, they are getting back in.

This is just a joke, as is that latest press release from Telecom. They say they are working to implement an easier system to alert people when they get hacked, but seem to be ignoring the fact that the Yahoo mail platform seems fundamentally vulnerable.




Twitter: ajobbins




freitasm
BDFL - Memuneh
80657 posts

Uber Geek
+1 received by user: 41068

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #797050 10-Apr-2013 11:37

As I said in my blog post, when I contacted Yahoo! to clarify the misinformation they claimed was going around during the first occurrence of this problem, they replied with this:

"It’s not appropriate to disclose that information as these details could be misused and may assist a hacker in the future."

So either they had no intention of fixing it, or had no idea what was happening and how to fix it, or something along these lines.

Security by obscurity doesn't work.

Telecom should clearly spell out in the contract that Yahoo! should get things fixed.





 


networkn
Networkn
32871 posts

Uber Geek
+1 received by user: 15466

ID Verified
Trusted
Lifetime subscriber

  #797051 10-Apr-2013 11:38

ajobbins:
Damager: Got spam also from a friend on xtra.. Thing is, just talking to her now.. She closed that Xtra account 3 years ago.. Why are these accounts still open?


It's pretty clear that accounts are not being compromised by phishing. With people who never access or use their accounts getting hacked they are obviously getting in another way.

It seems Yahoo's approach of simply changing the password doesn't work. It's just a band aid. Clearly it slows the hackers down but as people are reporting, they are getting back in.

This is just a joke, as is that latest press release from Telecom. They say they are working to implement an easier system to alert people when they get hacked, but seem to be ignoring the fact that the Yahoo mail platform seems fundamentally vulnerable.


I agree with this. Whilst the efforts of the staff who frequent this forum are appreciated, it beggars belief (Or is it actually back to the bad old days of Telecom behaviour) that Xtra continue to take such a passive approach to it. It's hard to believe they could not monitor this and be a little more honest and forthcoming. 

It's either been mismanaged or they don't have the control they should have over the situation. 

My belief is that XTRA is quite fundamentally separated from the Yahoo management of their email which isn't good business. 

networkn
Networkn
32871 posts

Uber Geek
+1 received by user: 15466

ID Verified
Trusted
Lifetime subscriber

  #797052 10-Apr-2013 11:39

freitasm: As I said in my blog post, when I contacted Yahoo! to clarify the misinformation they claimed was going around during the first occurrence of this problem, they replied with this:

"It’s not appropriate to disclose that information as these details could be misused and may assist a hacker in the future."

So either they had no intention of fixing it, or had no idea what was happening and how to fix it, or something along these lines.

Security by obscurity doesn't work.

Telecom should clearly spell out in the contract that Yahoo! should get things fixed.


This feels very much like the problems with the new Telecom XT Network when it kept going down. Xtra have not taken a hard enough line (or can't) with Yahoo over this. 



 
 
 

Lockedbag
7 posts

Wannabe Geek
+1 received by user: 4


  #797062 10-Apr-2013 11:44

That login activity report is the bomb.......

Using the Login activity logs

Mine was 5.248.150.180 which resolved to Netherlands as the place. It was 1 minute before all my contacts got a nice spam attack with potential virus software links.

Some replied back to me asking if I think they need to lose weight, as they pressed on the link and got sent to a weight loss site.  They might find they start shedding some currency instead of weight!!!!

Good luck xtra/yahoo....I really hope you solve it, however reading through the forum. This attack seems to have some complexity.

Batman
Mad Scientist
30014 posts

Uber Geek
+1 received by user: 6217

Trusted
Lifetime subscriber

  #797064 10-Apr-2013 11:49

if i never use my login could i have been hacked? if so they got my password from WHERE???

freitasm
BDFL - Memuneh
80657 posts

Uber Geek
+1 received by user: 41068

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #797066 10-Apr-2013 11:50

Previous discussions point to a cross site exploit. But we don't know for sure.





 


networkn
Networkn
32871 posts

Uber Geek
+1 received by user: 15466

ID Verified
Trusted
Lifetime subscriber

  #797067 10-Apr-2013 11:50

Lockedbag: That login activity report is the bomb.......

Using the Login activity logs

Mine was 5.248.150.180 which resolved to Netherlands as the place. It was 1 minute before all my contacts got a nice spam attack with potential virus software links.

Some replied back to me asking if I think they need to lose weight, as they pressed on the link and got sent to a weight loss site.  They might find they start shedding some currency instead of weight!!!!

Good luck xtra/yahoo....I really hope you solve it, however reading through the forum. This attack seems to have some complexity.


heh if money comes out of their wallet, indirectly they will weigh less so I guess the commerce commission couldn't have too much of an issue :) 


Raikyn
189 posts

Master Geek
+1 received by user: 199


  #797113 10-Apr-2013 12:38

Looks like my account was used yesterday to send spam.
I only knew that because it sent one out to my work email address.

 
 
 
 

plambrechtsen
1948 posts

Uber Geek
+1 received by user: 459
Inactive user


  #797120 10-Apr-2013 12:50

joker97: if i never use my login could i have been hacked? if so they got my password from WHERE???


Do you use an insecure password (something short with just a word)? Or something with uppers, lowers and numbers?

I am right in the middle of this working directly with Yahoo, so can't comment on any further things.

But I can say that a number of geekzoners here have provided extremely useful information that has been fed directly back to Yahoo and is very much appreciated.

Raikyn
189 posts

Master Geek
+1 received by user: 199


  #797127 10-Apr-2013 13:06

I sent through the log from yesterday.

Up till now I just was using the original password that telecom sent out when it was jetstream for broadband.
It was a word + number

mentalinc
3384 posts

Uber Geek
+1 received by user: 1023

Trusted

  #797195 10-Apr-2013 14:53

Does anyone know what malware is installed when clicking on the link?

Looks like my dad clicked the link (don't even get me started) and was taken to some Chinese looking site.
He then noticed a large amount of his cap (circa 5GB) was used over a period of around 6 hours today.

Heading round tonight to try and clean it up but would help if there were a starting point of what to look for.




CPU: AMD 5900x | RAM: GSKILL Trident Z Neo RGB F4-3600C16D-32GTZNC-32-GB | MB:  Asus X570-E | GFX: EVGA FTW3 Ultra RTX 3080Ti| Monitor: LG 27GL850-B 2560x1440

 



plambrechtsen
1948 posts

Uber Geek
+1 received by user: 459
Inactive user


  #797201 10-Apr-2013 15:11

mentalinc: Does anyone know what malware is installed when clicking on the link?

Looks like my dad clicked the link (don't even get me started) and was taken to some Chinese looking site.
He then noticed a large amount of his cap (circa 5GB) was used over a period of around 6 hours today.

Heading round tonight to try and clean it up but would help if there were a starting point of what to look for.


Sorry I haven't done any investigation into the payload.  There are a few different spam emails I have seen thus far.

The ones I first saw were just a weightloss site, but your one may be different and there could be the possibility that your email account has now been harvested for any useful information.  If I could get a copy of the headers & payload URL that would be useful to ensure it's already been captured.

I would highly recommend running full anti-virus/malware, using "netstat -na" once all apps are shutdown to make sure it's not making any outbound connections and normal cleanup after the fact work.
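
The `netstat -na` check recommended in the post above, as an added example that is not part of the original thread: it filters saved `netstat -na` output (Windows or Linux column layout) down to active TCP connections whose remote end is outside the local network. The sample output, the function names and the list of ranges treated as local are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of `netstat -na` output (Windows layout), not taken from the thread.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         127.0.0.1:49160        ESTABLISHED
  TCP    192.168.1.10:49201     192.168.1.1:445        ESTABLISHED
  TCP    192.168.1.10:49512     203.0.113.45:80        ESTABLISHED
  TCP    192.168.1.10:49530     198.51.100.7:6667      SYN_SENT
  TCP    [::1]:49170            [::1]:5354             ESTABLISHED
  UDP    0.0.0.0:5355           *:*
"""

# Assumption: these ranges count as "local" (loopback, RFC 1918, link-local, IPv6 ULA).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# States that mean the machine is talking to, or trying to reach, the remote end.
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT", "CLOSE_WAIT"}

def external_connections(netstat_text):
    """Return (local endpoint, remote IP, remote port, state) for non-local TCP peers."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue  # headers, blank lines, UDP rows (UDP has no state column)
        state = fields[-1].upper()
        if state not in ACTIVE_STATES:
            continue
        # The last three columns are local, foreign, state in both layouts.
        local, remote = fields[-3], fields[-2]
        host, _, port = remote.rpartition(":")
        try:
            addr = ipaddress.ip_address(host.strip("[]").split("%")[0])
            port = int(port)
        except ValueError:
            continue  # wildcard or unparsable endpoint
        if addr.is_unspecified or any(addr in net for net in LOCAL_NETS):
            continue
        findings.append((local, str(addr), port, state))
    return findings

if __name__ == "__main__":
    for row in external_connections(SAMPLE):
        print(row)
```

Anything still listed once all applications are closed is worth tracing to its owning process (for example with `netstat -nao` on Windows, which adds the PID column).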
