Spam attack 'worse than admitted'

The YahooXtra email service is the victim of two separate, but potentially related "malicious" attacks, Telecom has said.

The security breach, which began on Saturday morning, saw emails sent to everyone on users' contact lists, asking them to click on a link directing them to an online advertisement.

Telecom responded in a statement issued this afternoon, saying the attacks were believed to have similarly affected other Yahoo mail users using Yahoo servers.

The first attack was a phishing attempt, Telecom said, where some customers received emails purportedly from people they knew containing a link to a suspicious website.

Clicking on the link sent similar emails to certain contact on their address lists.

The second attack has compromised the security of some customers, making it possible for emails to be sent from their accounts without their knowledge, the statement said.

Telecom said while it was difficult to know how many accounts had been affected, they believed it was a "small percentage" of the total customer base.

They did not offer any additional advice to earlier warnings for victims to change their passwords.

Telecom's CEO retail Chris Quin said while Yahoo's security was "sophisticated", no system was 100 per cent bullet proof.

".. As we have seen from this incident, cyber-attacks by global criminals are becoming increasingly sophisticated.

"We are currently working with Yahoo! to investigate further. We would like to apologise to all our customers for any distress or inconvenience caused and assure them that we are doing all we can, in conjunction with Yahoo!, to resolve this incident."

Despite claims that a "small percentage" had been affected, YahooXtra customers have been saying that the spam issue plaguing their mailboxes is worse than the email service is admitting - and it's still happening, despite assurances it had been fixed.

Telecom, which uses Yahoo as its email provider, initially attributed the breach to a "suspected phishing issue"- a tactic used by scammers to extract confidential information like passwords and credit card details.

The company said they were told early yesterday that the issue had been resolved, but customers told the Herald the problem was far from over.

Elizabeth Simm said she was horrified to see that the spam emails had gone out to everyone she had ever sent an email to.

"I thought I had a bug in my system, so spent about three hours phoning and texting family and friends advising them not to open anything from me with nothing in the 'subject' line."

Ms Simm was frustrated that there was no mention of the problem on the Xtra website.

"Why were we not advised, which could have been done so quickly and easily?"

Another reader said spam was even sent from her account to a contact that had died months ago.

Carl Black wrote in to dispute Telecom's claims that customers must have clicked a link.

"I got spam from my dead brother's account. He obviously hasn't been clicking any links, and for Telecom to blame him for this is just insulting."

Yahoo Xtra customer Peter Fowler said he did not believe Telecom was being "honest"about the cause.

Telecom's explanation that it was the customer clicking on the link that sent the spam made him look "stupid"in the eyes of the 175 people on his contact list, he said.

"I did not click on any link and in fact hadn't used the account for about a month.

"Talking to the help desk in the Philippines last night, I got the impression someone had hacked into Yahoo/Telecom servers and were generating the spam from within the Telecom/Yahoo servers. There is no other explanation for how the spammers managed to get access to all the contacts in my address book."

Fowler said he had since closed his Yahoo account.

Another Xtra user, Alex Munroe, also expressed concern over the magnitude of the problem.

"I think 'hundreds' is being a little conservative. I think the article should read 'hundreds of thousands' or possibly 'millions' considering Xtra is NZ's biggest internet service provider. Xtra was caught napping.

"This mass spam attack over the weekend has affected friends and family of mine worldwide."

And the breach was not limited to existing contacts, she said.

"I am a TradeMe seller and when I went into my Yahoo account address list yesterday I was shocked to see the number of unknown addresses in my contacts list. I realised many of them were people I have traded with on TradeMe in the past couple of years."

Munroe said Yahoo automatically inserted the addresses into the contact list at the end of a successful auction, extending the spam's reach.

Another user complained that his Xtra Webmail account had been hacked after a year of inactivity.

"If the excuse Telecom (is) using is true, that wouldn't be possible," he said.

Other users said the issue was still ongoing today, despite being told it was over.

"I agree with Peter - I also did not click on any suspicious link - these emails just started turning up using my contacts that have Xtra email addresses - tell the truth Telecom!" said Kevin Wike.

"I have received [approximately] a dozen emails from different clients in the past two days - this cannot be a phishing attack - it appears to be an attack directly on the data held by Yahoo Xtra," said Chris Grenfell.

Others said the problem wasn't new.

"It was actually a Yahoo vulnerability that has been doing the rounds for a few weeks, but seems to have jumped over to Xtra (who outsource their email to Yahoo)," wrote Luke Healy.

"Apparently it's fixed now, although it's quite likely that whoever did it kept copies of all your contacts and will keep spamming them in your name."

Ray Eyre said he had even begun to receive email spam from his own account.

"The spam from my own address must be generated on the telecom/yahoo server as there is no other way it can happen."

He said he had queried Telecom a number of times over the amount of spam and had been "fobbed off"each time. He was considering dropping Telecom as his internet service provider.

Telecom spokeswoman Jo Jalfon said the problem began on Saturday afternoon.

"Despite the huge focus Yahoo! puts on email security, spammers are internationally becoming increasingly savvy," Ms Jalfon said.

"Telecom advises its customers to routinely change their password to further reduce the risk of their email account being compromised in any way."

A recorded message from Xtra said the problem had been fixed.

Contact list crock

I don't keep a contact list on Yahoo, yet it managed to send out on my behalf.   

I suspect that this goes way more than contact list harvesting to full blown folder harvesting.  You only have to search online to see: 'Yahoo! Mail Extract Email Addresses Software 7.0' where you get to select the folder to extract from to a text file or comma deliminated file.

I downloaded it straight from the Yahoo Downloads and had a good look at it,  funny perhaps those who hack yahoo/xtra have played with a sophisticated big brother to this.  All you need by the looks is the user name and password to all their accounts, and open slather to everyones emails stored on their system.

Imagine the playground if it is harvesting directly from everyone's emails.

no link clicked

Same. I hadn't used my yahool account for about six mongths and believed I had de-activated it. Nor did I clink on any link.

Yet spam links went from my old yahoo email address to everyone on the contact list.

ODT/directory - Local Businesses

CompanyLocationBusiness Type
Dog Whisperer ServicesDunedinPets & Pet Accessories
Kitchen ThingsDunedinAppliances
Wayne Sizemore PlumbersDunedinPlumbers
SeniorNet Dunedin Inc.DunedinComputer Services