How to keep yourself safe from hackers
Kiwis have been stung by a spam tsunami after hackers gained access to more than 20,000 YahooXtra email accounts.
So what happened - and how can you protect yourself in the future?
Hackers gained access to YahooXtra's email service and sent spam emails - possibly hundreds of thousands - from more than 20,000 YahooXtra users' accounts to people in their contact lists.
Telecom initially blamed users for falling victim to a phishing attack (more on those later). It said further scams had sprung up since the attack was revealed, with scammers calling customers and offering to help them change their email passwords.
YahooXtra and Telecom have yet to detail exactly how the attack happened, but Paul Matthews, chief executive of the Institute of IT Professionals, says it appears the hackers were able to exploit a well-known vulnerability in Yahoo's blog software that meant they could gain login cookies from YahooXtra email users.
Login cookies are files that contain your login details for online services such as email and are stored by your computer's web browser, so a service remembers you as you use the site.
Matthews says some cookies are temporary and are deleted when you end your browser session, but others are more permanent. For example, if you click the "remember me" option so a service remembers your login details, then that will be stored in a "persistent" rather than temporary cookie.
To gain the login cookies, the hackers first needed users to visit a third-party website loaded with a script that could copy them. YahooXtra users were sent emails with links to a site, and once they clicked on the link they unwittingly handed over their login cookies to the hackers due to the vulnerability at Yahoo. It's unlikely the hackers could see the user's password though.
Once the hackers had the login cookies they could access email accounts and steal contacts' details, and send the email with the link on, harvesting more email addresses from YahooXtra users.
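The difference between a temporary and a "persistent" cookie, and the reason a script on a web page can copy some cookies but not others, comes down to attributes the email service sets on the cookie. The example below is added here and is not code from the article or from Yahoo or Telecom; it parses constructed sample Set-Cookie headers (not real YahooXtra headers) the way a browser would, and reports whether each cookie survives closing the browser and whether page scripts can read it.

```javascript
// Added example, not from the article: classify Set-Cookie headers the way a
// browser does. The three headers below are constructed samples.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const cookie = { name: name.trim(), value: rest.join('=').trim(), attrs: {} };
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    cookie.attrs[key] = eq === -1 ? true : attr.slice(eq + 1).trim();
  }
  return cookie;
}

// Describe how a cookie behaves. "now" is fixed so the result is reproducible.
function describeCookie(header, now = new Date('2013-02-12T00:00:00Z')) {
  const c = parseSetCookie(header);
  let persistent = false; // no Expires/Max-Age => deleted when the browser session ends
  let expiresAt = null;
  if ('max-age' in c.attrs) {
    const seconds = Number(c.attrs['max-age']);
    if (!Number.isNaN(seconds)) {
      persistent = seconds > 0; // Max-Age <= 0 removes the cookie immediately
      expiresAt = new Date(now.getTime() + seconds * 1000);
    }
  } else if ('expires' in c.attrs) {
    const d = new Date(c.attrs['expires']);
    if (!Number.isNaN(d.getTime())) {
      persistent = d > now; // a date already in the past expires it at once
      expiresAt = d;
    }
  }
  return {
    name: c.name,
    persistent,
    expiresAt,
    // HttpOnly keeps the cookie out of document.cookie, so a script on a page
    // cannot copy it; without it, any script the page runs can read the value.
    scriptReadable: !('httponly' in c.attrs),
    // Secure means the browser only sends it over HTTPS.
    httpsOnly: 'secure' in c.attrs,
  };
}

// Constructed sample headers: a session login cookie, a "remember me" cookie,
// and a preference cookie.
const SAMPLE_HEADERS = [
  'SESSIONID=abc123; Path=/; Secure; HttpOnly',
  'remember_me=tok456; Expires=Wed, 12 Feb 2014 00:00:00 GMT; Path=/',
  'prefs=dark; Max-Age=2592000',
];

function auditCookies(headers = SAMPLE_HEADERS) {
  return headers.map((h) => describeCookie(h));
}

// Names of cookies that both outlive the browser session and are visible to
// page scripts: the combination that makes a long-lived login easiest to copy.
function persistentScriptReadable(headers = SAMPLE_HEADERS) {
  return auditCookies(headers).filter((c) => c.persistent && c.scriptReadable).map((c) => c.name);
}

console.log(auditCookies());
console.log('persistent and script-readable:', persistentScriptReadable());
```

Run with `node` on a constructed header and the output shows why the "remember me" cookie is the one worth not keeping: it is both persistent and readable by scripts, while the HttpOnly session cookie is neither.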
Matthews says last weekend's attacks on YahooXtra and other email users appear to have been designed to steal credit card details from unsuspecting people rather than harvest further email addresses from YahooXtra users. He believes the hackers probably sent out a normal "spam dump" email with a link to the site. Once the first few users had fallen for it, the list of compromised accounts would have grown exponentially.
MORE SOPHISTICATED SCAMS LIKELY
Yahoo says it has fixed the original vulnerability, but Matthews says the damage has been done and the hackers could well launch further attacks.
He is concerned by reports that email details for contacts were not stripped from the YahooXtra user's contacts list, but from their actual emails. This means that hackers potentially have a record of all mail sent and received by affected users.
This allows a more sophisticated level of scam, he says, because if hackers know who you email they can exploit your relationships. For example, they could send an email from your account to a friend's asking for money, perhaps to sponsor "your running race", by making a credit card payment - through a genuine-looking but dodgy site.
WHAT CAN YOU DO?
Matthews says there is little YahooXtra users could have done to avoid the attack, as they could not have expected that clicking on a link would hand over their email accounts to hackers.
❏ Telecom is urging YahooXtra users to change their email passwords to stop malicious emails being sent from compromised accounts. Use a mix of numbers, letters (upper and lower case) and symbols.
❏ Matthews recommends that if you suspect you've been targeted by a similar attack go straight to your email account and log out, as this cuts access to your account.
❏ Always log out of your account after checking your email, don't just close the browser window.
❏ Don't click "remember me" or similar buttons to save your login details. It's a bit more of a hassle to log in each time you want to email - but it's safer.
❏ Exercise a little suspicion when clicking on a link, particularly if it's a link in an otherwise blank email, or the message seems generic, slightly weird and/or has spelling and grammar errors. Hadyn Green, technology writer at Consumer NZ, says there's no harm in emailing a contact back to check they sent the email.
Phishing is an attempt to get computer users to disclose sensitive personal data such as email addresses, passwords or internet banking information by entering their details into fake sites that look like the real thing.
Phishing attacks are usually carried out by email, but can be attempted by phone or text. Targets are typically sent a link to a site and asked to log in or enter their details. The scammers often provide a seemingly good reason for doing so, including security upgrades, system maintenance, or even to give you a refund.
THWARTING A PHISHING ATTACK
❏ Don't enter your details into a website unless you are sure it is genuine. The Ministry of Consumer Affairs says a telltale sign of a dodgy site is often a slightly weird URL address, such as www.bank.co.nz.log107.biz, rather than the normal www.bank.co.nz.
❏ Never visit your bank, email or other important site by clicking on a supplied link. Type in the website address instead.
❏ Don't reply to, click on any links, or contact any email addresses or phone numbers in spam emails. Delete them (to properly delete an email you'll need to first highlight it and click delete, or if it's already open just click delete, and then go to your Delete or Trash folder and delete it again).
❏ Banks will never ask for your account, password or pin over the phone, in person or in an email.
❏ If you have fallen victim to a phishing attack, change your password as soon as possible.
❏ If you've given away banking details, call your bank straight away to let them know.
❏ If you've given away your email login details, email your contacts to let them know and warn them not to click on suspicious links.
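The "slightly weird URL" tip above can be turned into a mechanical check: what decides who you are really talking to is the part of the address just before the public suffix, so www.bank.co.nz.log107.biz belongs to log107.biz, not to bank.co.nz. The example below is added here and is not code from the article or from the Ministry of Consumer Affairs; it uses a small constructed subset of the public suffix list (a real check should use the full list) and the domain names in it are the article's illustrative ones, not real bank addresses.

```javascript
// Added example, not from the article: work out which domain a link really
// belongs to and compare it with the domain you expect.

// Constructed subset of the public suffix list; the real list is far longer.
const PUBLIC_SUFFIXES = new Set([
  'nz', 'co.nz', 'net.nz', 'org.nz', 'govt.nz', 'com', 'net', 'org', 'biz',
]);

// Return the registrable domain: the longest known public suffix plus one
// more label to its left. Returns null for an unknown suffix, a bare suffix,
// or an IP address, so that such addresses are treated as unverified.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  let suffixLen = 0;
  for (let i = 1; i <= labels.length; i++) {
    const candidate = labels.slice(labels.length - i).join('.');
    if (PUBLIC_SUFFIXES.has(candidate)) suffixLen = i;
  }
  if (suffixLen === 0 || suffixLen >= labels.length) return null;
  return labels.slice(labels.length - suffixLen - 1).join('.');
}

// Check a link against the domain you expect to be visiting.
// Only the hostname is compared: text before an '@' in a URL is a username,
// not the site, so http://www.bank.co.nz@log107.biz/ still resolves to log107.biz.
function checkLink(link, expectedDomain) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { ok: false, reason: 'unparseable', registrable: null };
  }
  const registrable = registrableDomain(url.hostname);
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'not https', registrable };
  }
  if (registrable === null || registrable !== expectedDomain.toLowerCase()) {
    return { ok: false, reason: `belongs to ${registrable ?? 'an unrecognised domain'}`, registrable };
  }
  return { ok: true, reason: 'hostname matches expected domain', registrable };
}

// Constructed sample links using the article's illustrative domain names.
const SAMPLE_LINKS = [
  'https://www.bank.co.nz/login',
  'https://secure.bank.co.nz/login',
  'https://www.bank.co.nz.log107.biz/login',
  'https://www.bank.co.nz@log107.biz/login',
  'http://www.bank.co.nz/login',
];

function checkSamples(expected = 'bank.co.nz') {
  return SAMPLE_LINKS.map((link) => ({ link, ...checkLink(link, expected) }));
}

for (const result of checkSamples()) {
  console.log(result.ok ? 'OK  ' : 'WARN', result.link, '->', result.reason);
}
```

The check deliberately compares only the registrable domain, so a genuine subdomain such as secure.bank.co.nz passes while anything that merely starts with the bank's name fails; typing the address yourself, as the next tip says, sidesteps the problem entirely.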
Sources: Paul Matthews, Consumer NZ, Ministry of Consumer Affairs, Fairfax NZ, Telecom.