Spammers stole Yahoo Xtra contact lists: exec

Powered by SC Magazine
 

Users smashed.

Yahoo's Xtra email service has been raided by attackers who appear to have stolen address book contacts, spamming scores of New Zealand customers in what could be one of the biggest attacks of its kind in the country.

The attackers are suspected to have exploited a vulnerability within the company's network to gain access to the user contact details of the NZ-based service.

The company said the hole has now been closed. Spokeswoman Joanne Jalfon told NBR online it was a "possibility" that address books were stolen but said the company "had no evidence that this has occurred".

But retail chief executive Chris Quin told 3News a spammer had "got into Yahoo and distributed a phishing email across a number of contacts in that customer base," which was then distributing itself through users' contact emails.

The company did not respond to further requests for comment.

Institute of IT Professionals chief executive Paul Matthews told NBR it was clear Yahoo's security had been breached.

"The institute has been notified by a number of members that Yahoo appears to have been the subject of a major cross-site scripting (XSS) attack in recent weeks which now appears to have been mutated to Xtra email over the weekend," Matthews said.

"A phishing link took them to a site that appeared to be a news story but in the background, exploited the Yahoo vulnerability to gain access to their Yahoo mailbox.

"Once it had control of the account it then appears to have sent itself to everyone in the victim’s address book."

He said it was "quite possible" attackers downloaded contact lists of all victim users.

If contact lists were stolen, the spam surge could continue. 

"There's not a lot that Yahoo can do if that's the case," HackLabs director Chris Gatford said.

"They could put additional spam filtering on accounts, or perhaps filter out spamming accounts. You would think they would have the tech in place."

Angry users took to internet forums and social media to vent anger at the spam surge with some claiming to still be receiving the emails despite Yahoo announcing it had fixed the problem.

Yahoo earlier this month patched a Document Object Model (DOM)-based cross-site scripting (XSS) vulnerability that was capable of running in multiple browsers once Yahoo Mail users opened spammed malicious links.

Copyright © SC Magazine, Australia

