Spammers stole Yahoo Xtra contact lists: exec

Powered by SC Magazine
 

Users smashed.

Yahoo's Xtra email service has been raided by attackers who appear to have stolen address book contacts, spamming scores of New Zealand customers in what could be one of the biggest attacks of its kind in the country.

The attackers are suspected to have exploited a vulnerability within the company's network to gain access to the user contact details of the NZ-based service.

The company said the hole has now been closed. Spokeswoman Joanne Jalfon told NBR online it was a "possibility" that address books were stolen but said the company "had no evidence that this has occurred".

But retail chief executive Chris Quin told 3News a spammer had "got into Yahoo and distributed a phishing email across a number of contacts in that customer base," which was then distributing itself through users' contact emails.

The company did not respond to further requests for comment.

Institute of IT Professionals chief executive Paul Matthews told NBR it was clear Yahoo's security had been breached.

"The institute has been notified by a number of members that Yahoo appears to have been the subject of a major cross-site scripting (XSS) attack in recent weeks which now appears to have been mutated to Xtra email over the weekend," Matthews said.

"A phishing link took them to a site that appeared to be a news story but in the background, exploited the Yahoo vulnerability to gain access to their Yahoo mailbox.

"Once it had control of the account it then appears to have sent itself to everyone in the victim’s address book."

He said it was "quite possible" attackers downloaded contact lists of all victim users.

If contact lists were stolen, the spam surge could continue. 

"There's not a lot that Yahoo can do if that's the case," HackLabs director Chris Gatford said.

"They could put additional spam filtering on accounts, or perhaps filter out spamming accounts. You would think they would have the tech in place."

Angry users took to internet forums and social media to vent about the spam surge, with some claiming they were still receiving the emails despite Yahoo announcing it had fixed the problem.

Yahoo earlier this month patched a Document Object Model (DOM)-based cross-site scripting (XSS) vulnerability that worked in multiple browsers once Yahoo Mail users opened malicious links sent to them as spam.
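To make the class of bug concrete: a DOM-based XSS arises when page script copies data that never left the browser (here, the part of the URL after "#") into a sink that interprets it as HTML, such as innerHTML. The following is an added illustration, not code from the article or from Yahoo; the page, its fragment format and the helper names are all assumptions. It is written as pure functions so it runs under Node, and shows the vulnerable pattern beside the escaped version a defender would ship.

```javascript
// Added example (not from the article): the DOM-based XSS pattern modelled
// as pure functions so it runs under Node. A DOM XSS occurs when page script
// copies untrusted, browser-side data (here the URL fragment after '#') into
// an HTML-interpreting sink such as element.innerHTML.

// Hypothetical helper: pull a "name" parameter out of a URL fragment such as
// "#name=alice". URLSearchParams percent-decodes the value for us.
function nameFromFragment(hash) {
  const params = new URLSearchParams(String(hash).replace(/^#/, ''));
  return params.get('name') || 'guest';
}

// VULNERABLE: builds HTML by string concatenation. Whatever is in the
// fragment is parsed as markup the moment this string reaches innerHTML.
function greetingHtmlUnsafe(hash) {
  return '<p>Welcome back, ' + nameFromFragment(hash) + '</p>';
}

// Minimal HTML escaping for text placed inside an element body.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  }[c]));
}

// FIXED: the untrusted text is escaped before it reaches the HTML sink,
// so markup in the fragment is displayed literally instead of executed.
function greetingHtmlSafe(hash) {
  return '<p>Welcome back, ' + escapeHtml(nameFromFragment(hash)) + '</p>';
}

// Reviewer's check: does the rendered HTML still contain a raw tag that
// originated in the input? True means the input was not neutralised.
function inputSurvivesAsMarkup(hash, html) {
  const name = nameFromFragment(hash);
  return /<[a-z]/i.test(name) && html.includes(name);
}

// Constructed sample fragment: "<b>bold</b>", percent-encoded as a browser
// would carry it in the URL.
const SAMPLE_FRAGMENT = '#name=%3Cb%3Ebold%3C%2Fb%3E';

// Stand-alone run: compare both renderings for the constructed fragment.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', greetingHtmlUnsafe(SAMPLE_FRAGMENT));
  console.log('safe:  ', greetingHtmlSafe(SAMPLE_FRAGMENT));
  console.log('unsafe leaks markup:', inputSurvivesAsMarkup(SAMPLE_FRAGMENT, greetingHtmlUnsafe(SAMPLE_FRAGMENT)));
  console.log('safe leaks markup:  ', inputSurvivesAsMarkup(SAMPLE_FRAGMENT, greetingHtmlSafe(SAMPLE_FRAGMENT)));
}
```

In a real page the simplest fix is to avoid the HTML sink altogether and assign the untrusted value with `element.textContent` rather than building an HTML string at all; escaping, as above, is the fallback when markup around the value is genuinely needed. A Content Security Policy that forbids inline script limits what a surviving DOM XSS can do, but does not remove the bug.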

Copyright © SC Magazine, Australia