Telecom to review its Xtra email service; Quin hints Yahoo could be dumped
UPDATE / Feb 12, 2.15pm: Telecom says it will review its email service to its broadband customers "following a series of issues which have impacted negatively on the Yahoo Xtra service over the past year."
The reveiw will take place over the next two months.
“We share the frustration that our customers have been experiencing over recent months. We fully appreciate that repeatedly saying ‘sorry’ doesn’t cut it anymore. We are committed to taking a close, hard look at the best way to meet our customers’ email needs,” Telecom Retail CEO Chris Quin says.
The review will be carried out in consultation with Yahoo.
“When Telecom outsourced the Xtra email service to Yahoo in 2007, it was the right thing to do at the time in terms of meeting our customers’ desire for an ongoing email service associated with their Telecom broadband account," the Telecom Retail boss says.
"However, the global email environment has changed markedly since then and we believe the time is right for a comprehensive review of our approach in this area.”
Mr Quin's language is diplomatic. But the bottom line is clearly that Yahoo could be dumped.
On this point, a rep for Mr Quin offered the gnomic: "The review will be comprehensive and cover all options as to what email services will be provided by Telecom to its customers and how those services might be provided."
Telecom owned 49% of YahooXtra at the time of the company's (rocky) switch to Yahoo email hosting in 1997 (a shift that took place soon after Telecom divorced itself from MSN, run by one-time Telecom shareholder Microsoft). The balance of YahooXtra was owned by Yahoo's Australian subsidiary, Yahoo7. Telecom sold its YahooXtra stake to Yahoo7 in 2011.
Alternatives are out there. Before its retail business was sold, Telecom's Australian subsidiary AAPT offered its customers Google Apps, which includes Gmail.
Beyond the problems of the past few days, Telecom customers have suffered multiple problems with the Yahoo Sydney-hosted Xtra email service - including a series of foul-ups in May and June last year. More recently, a problem with a cut submarine cable let to more email sending delays, and sniping between Telecom and Yahoo's bandwidth manager over who was to blame for a delay getting the news to customers.
LATEST - Yahoo NZ: Sorry
UPDATE / Feb 12: Telecom says ome customers are having trouble resetting their Xtra password due to overloading (password can be changed at www.telecom.co.nz/changepassword).
PC World has reported instances of PCs crashing when people use Telecom's password change tool, possibly because of a conflict with Symantec's Norton security software.
Telecom is investigating the issue.
UPDATE / Feb 11, 3pm: Telecom has finally conceded that problems with its Yahoo Xtra mail system are worse than it first said.
Previously the telco said mass spamming problems over the weekend, and into today, were caused by a phishing attack - or an attempt to use lure people into giving up logon and other personal details by sending them an email that looks like it's from a real organisation. People who were taken in had spam sent from their Xtra address to all their contacts.
This afternoon, Telecom said its investigations had led it to believe there was a second, related attack that compromised mail servers at Yahoo (which hosts Xtra mail from Sydney).
That ups the ante, says Institute of IT Professionals CEO Paul Matthews.
Reiterating points he first made to NBR yesterday, Mr Matthews explains the attack on Yahoo itself meant it wasn't just a case of everyone in a user's address book getting spammed, as in a common-or-garden phising attack (typically triggered by a user foolishly clicking on a malicious link in a fake email).
Rather, email accounts had been hijacked on Yahoo's mail server, and directly accessed peoples' Xtra mail. It also meant the attackers had potentially downloaded users' address books to target later. Or even their sent and received Xtra email.
"Yes it's a possibility but we’ve had no evidence that this has occurred," Telecom spokeswoman Joanne Jalfron told NBR ONLINE this afternoon. Telecom Retail CEO Chris Quin later added, "There is no proof, yet, but obviously it’s a concern and we’re working with Yahoo on that."
Telecom believes only an unspecified "small percentage" of its customers were affected.
The company says the Yahoo vulnerability has now been fixed. Affected customers are still advised to change their Xtra password at www.telecom.co.nz/changepassword.
But given that address books and sent and received Xtra emails may have already been, you could say the horse has already bolted.
Telecom's email partnership with Yahoo has brought several rounds of tears since its disastrous launch in 2007 (under then consumer division head Kevin Kenrick, recently appointed TVNZ CEO).
Some will be wondering whether it will be on new CEO Simon Moutter's hit-list when he unveils his strategic plan shortly.
ABOVE (click screenshot to enlarge): A gold example of the Yahoo Xtra email hack, and the way a user's mail account can be hijacked without them going anywhere near their inbox (as opposed to foolishly clicking on a malicious link to compromise themselves - although that techique is being to spread the Yahoo vulnerability). An NBR reader received the above email from the Xtra address of one Neal Nicholls. Keen readers will know the former Capital & Merchant Finance director is currently a guest of her Majesty. And, no, prisoners are not allowed email or internet access.
UPDATE / Feb 11, 2pm: Xtra's latest round of email problems are far worse than the common-or-garden "phishing" attack described by Telecom, a leading IT expert says.
Institute of IT Professionals CEO Paul Matthews says it is clear Yahoo's own security has been breached, resulting in a flood of spam messages over the weekend and continuing today.
"Phishing" attacks on Xtra and all email systems are common. Hackers send fake emails to thousands of addresses, hoping respondants will click on a malicious link.
"The institute has been notified by a number of members that Yahoo appears to have been the subject of a major cross-site scripting (XSS) attack in recent weeks which now appears to have been mutated to Xtra email over the weekend. Xtra mail is outsourced to Yahoo and a large number of Xtra customers appear to be affected," Mr Matthews says, elaborating on his comment after NBR ONLINE's initial story.
"The root issue was caused by a vulnerability on Yahoo’s network and the phishing is a side-issue," he says.
"Basically, it was being spread via an email getting people to click a link to a fake site. The email appeared to come from someone they knew, as they were in the sender’s address book, with a note saying 'take a look at this' or something similar.
"The link took them to a site that appeared to be a news story but in the background, exploited the Yahoo vulnerability to gain access to their Yahoo mailbox.
"Once it had control of the account it then appears to have sent itself to everyone in the victim’s address book.
"However, it’s quite possible they also downloaded the address book of every affected user and possibly all of their historic sent and received Xtra email, so things could get far, far worse, depending on what they decide to do with that if they have."
Disturbingly, Mr Matthews says Yahoo seems to have known about the vulnerability for some time.
"The fact that there was an XSS vulnerability at Yahoo has been known since at least November, when a hacker attempted to sell details of the vulnerability," the institute head says, citing a January report from security company BitDefender after a similar attack in Australia last month.
"So assuming this is the cause of the attack, it would appear to be due to a vulnerability at Yahoo and very difficult for users to avoid. This is a major attack and appears unrelated to any of the standard 'from Xtra account services' phishing emails which are regularly circulated."
A Telecom spokeswoman told NBR the company is seeking a further update from Yahoo.
NBR is also seeking comment from Yahoo.
UPDATE / Feb 11 2pm: Telecom is unsure how many customers had their email accounts compromised by a "phishing" message that slipped through the security screens of webmail partner Yahoo.
Those who clicked on the phishing email had their account hijacked by spammers, who used it to spray spam messages to the victim's contacts.
"Telecom has no way of knowing exactly how many customers were affected as many customers will have simply deleted suspicious emails but we had around 150 customer calls from those that had opened the email," spokeswoman Joanne Jalfon told NBR.
Ms Jalfon says the problem hit around 4pm Saturday. It was fixed Sunday morning, but some of those who got hit before the fix are still having problems. This morning, social networks were rife with people complaining they were still receiving junk messages from Yahoo users.
Yahoo Xtra customers who are still sending spam emails to their contacts should change their password.
"If any customers are experiencing on-going issues, we ask that they contact Telecom's Broadband Helpdesk on 0800 225 598," Ms Jalfon says.
The problem hit all local users of Yahoo's webmail, and by extension uses of Telecom's Xtra mail, which is hosted by Yahoo in Sydney.
Sun Feb 10: Telecom says a problem with Yahoo's mail service meant some customers receiving "phishing emails" - scam messages that would usually be blocked in most instances.
The problem was widespread with Yahoo and, by extension, those who use Telecom's Xtra web mail service, which is hosted by Yahoo's Sydney operation).
Phishing messages seek to fool a person into providing details such as their logon or password to a bank, usually by sending an email that apes a genuine message (typically, banks and others do not ask for personal details by email).
Some Telecom customers using Xtra mail have also noticed bounced emails, or strange messages sent to their contacts - a sign their account has been hijacked by spammers.
Yahoo fixed the problem this morning, Telecom says.
However, emails received before this morning should be treated with suspicion.
And hijacked users who have yet to change their password are still sending spam email to their contacts.
"If you have received any of these emails, we recommend that you delete these without opening them and under no circumstances should you reply to these emails with any log on, password or personal information," Telecom says.