Telecom boss victim of email attack

CAUGHT OUT BY PHISHING: "I got [a] phishing email and stupidly opened it and sent it on to someone else too," Telecom chief executive Simon Moutter says.

Telecom chief executive Simon Moutter says his was one of more than 20,000 Xtra accounts compromised as a result of a security breach at outsourced email provider Yahoo.

Telecom said yesterday evening that only about 5000 victims from the two-stage attack had so far followed its advice to secure their accounts by changing their passwords.

"I got [a] phishing email and stupidly opened it and sent it on to someone else too," Moutter said.

He said that meant his email account was probably used to send out scam emails to contacts. It was "annoying" but he had managed to clean up his computer.

Moutter believed most customers would forgive Telecom for the malware epidemic, realising Yahoo was a "global email provider" and Telecom was not responsible for the original Yahoo security failure which opened the door to the attack.

Telecom has launched a review, and there is speculation that it might result in a mutual agreement between Telecom and Yahoo to part ways.

"We are clearly dissatisfied with the ongoing issues around email. We do not want to sit there and do nothing. We want a way forward," Moutter said.

Telecom said about 5 per cent of its 450,000 Xtra users had been victims, with their accounts being used to send out emails with links to malware-infected websites - probably mostly without their knowledge.

Yahoo had assured Telecom there was no evidence hackers had accessed victims' actual emails, though Telecom said it was investigating "customer feedback it has received in relation to such concerns". 

Retail boss Chris Quin said it had also been assured by Yahoo that people's accounts could not be used to send out scam emails once they had changed their password.

Telecom said it would contact the affected customers who had not yet changed their passwords. It would give them about 24 hours to follow its plain-text instructions on how to do so and, if they took no action, Telecom would then force them to change their password before they could next log into their email account.

"This process will be outlined in the email advice we are sending to our customers. However we think it's much better for our customers to regularly manage their [passwords] and we urge them to make this change as soon as they receive our email advice," Quin said.

There are concerns scammers could take advantage of any confusion by launching new attacks.

Telecom warned customers to delete any emails purportedly from the company or Yahoo that contained links to websites to change account details, as these would be new scams.

"Any email purporting to be from Telecom or Yahoo, that encourages customers to enter an embedded link and their password credentials should be regarded as suspicious and should be deleted."

The Institute of Information Technology Professionals, which initially helped draw attention to the seriousness of the attack, said hackers had probably managed to harvest the information needed to hack into Xtra accounts over a long period.

They appeared to have exploited a vulnerability in blogging software used by Yahoo developers and then tricked a proportion of Xtra customers into visiting websites that used the vulnerability to steal account-identifying information from "cookies" stored in users' browsers.

Compromised accounts were then used to send out emails to other internet users that roped them into the scam. They did that by encouraging recipients - such as Moutter - to click on links to websites that also exposed them to the vulnerability and that potentially hosted other malware.

The information needed to carry out the initial attack on Yahoo had been bought by hackers through an online forum for "just $700", the institute said.

Contact Tom Pullar-Strecker
Technology reporter
Twitter: @PullarStrecker

The Dominion Post