Xtra email accounts compromised
Telecom's account of why many YahooXtra email accounts were compromised over the weekend is "demonstrably false", the chief executive of the Institute of Information Technology Professionals claims.
Telecom said neither it nor its outsourced email provider YahooXtra were responsible for a massive malware attack on Kiwi internet users that began over the weekend.
Many internet users have received rogue emails from friends and colleagues who are YahooXtra customers, containing links to websites that are designed to infect their computers with malware.
Telecom said a sophisticated phishing attack on its customers, rather than any breach of YahooXtra's own security, appeared to be responsible.
But IITP boss Paul Matthews said Yahoo had been subject to a well-documented attack. "There is no doubt whatsoever [attackers] are using actual contact details from Xtra email accounts."
Telecommunications Users Association chief executive Paul Brislen said a "significant" number of YahooXtra customers - possibly in the thousands - appeared to have had their computers compromised.
Brislen said Telecom's explanation appeared unlikely as the victims included many professionals who he would not normally expect to fall for phishing scams.
Telecom spokeswoman Jo Jalfon remained adamant its information was that a phishing attack was to blame, but said it was seeking an "urgent update" from Yahoo to double-check that, in the wake of Matthews' comments. She pointed the finger in the direction of a scam that was also reported to have affected Google, the world's largest email provider, and which was outlined in a Whaleoil blog.
The perpetrators of that scam appeared to be able to "guess" email addresses that might be known to others and included them in the "To" field of the phishing emails - making it more likely recipients would trust and open them.
That malware attack had "organised crime written all over it", according to the blog, and appeared designed to steal people's credit card details.
Jalfon said it did not know how many customers had been affected. It advised those who had been affected to change their Xtra passwords.
Matthews said the institute was aware Yahoo had been subject to a major cross-site scripting (XSS) attack over the last few weeks which it said had been patched a few days ago.
"We've received notes from many of our members who have encountered this and the subsequent Xtra issues on client sites.
"Given the nature of these emails - sent indisputably to Xtra contact lists, in some cases to people who haven't been in contact for a long time and others very recently - it's highly likely that either the issue wasn't patched successfully, a new attack vector has been found or more likely, contact lists have been harvested during the initial attack to enable this secondary attack on Xtra email holders.
"According to security sources, this original attack appears to have been due to a vulnerability in the Yahoo Developers Network, due to blog software that hadn't been updated for at least nine months. The fact that there was an XSS vulnerability at Yahoo has been known since at least November," he said.
"So assuming this is the cause of the attack, it would appear to be due to a vulnerability at Yahoo and very difficult for users to avoid. This is a major attack and appears unrelated to any of the standard 'from Xtra account services' phishing emails which are regularly circulated."
One victim, YahooXtra customer Michael Beckett, said scam emails were sent from his email address while his computer was turned off and he was out on a boat.
"I went to change my password, but that kept on crashing and when I went to delete my contact lists - which is what the hack had programmed their malware to exploit - I couldn't delete the addresses."