Spark, formerly known as Telecom New Zealand, has revealed it was caught by a DNS amplification attack this weekend, and played down speculation that Kiwis got caught on "attractive click-bait" by cybercriminals.
On Monday morning, the company said in a statement that its customers fell victim to an amplified DNS attack that began on Friday night, subsided, and returned on Saturday morning, before disappearing on Sunday morning.
"While the Spark network did not crash, we did experience extremely high traffic loads hitting our DNS servers which meant many customers had either slow or at times no connectivity (as their requests were timing out)," Spark said. "There were multiple attacks, which were dynamic in nature."
The attack was originally thought to have stemmed from Spark customers falling foul of inadvertently installed malware, triggering bulk traffic to offshore sites, which overloaded the network. Initial speculation tied the malware to users looking for intimate celebrity photos, which included pictures of actress Jennifer Lawrence and singers Avril Lavigne and Rihanna, were stolen from a cloud storage system.
But today, another possible cause of the attack has been identified by Spark, with older and lower-end modems being accessed by hackers to bounce the DNS requests onto Spark's network.
"While we're not ruling out malware as a factor, we have also identified that cyber criminals have been accessing vulnerable customer modems on our network ... with the proliferation of devices in households, that means both the security within your device and the security of your modem," the company said.
The company said it was now scanning its entire broadband network to identify customers with modems that may be vulnerable.
"We have also taken steps at the network level to make it more difficult for cyber criminals to exploit the DNS open resolver modem vulnerability and we're using the latest technology to strengthen our network monitoring and management capabilities."
Users warned of iCloud breach risks
Computer security specialist Trend Micro issued an alert shortly before the attack on Spark began, warning users not to open the links related to the nude celebrities, AFP reported.
"The first threat we found hails from Twitter, in the form of a tweet being posted with hashtags that contain the name of one of the leak's victims — Jennifer Lawrence."
Trend Micro said users who clicked the link offering to show a video of the actress were directed to download a "video converter" that was actually malicious software.
Customers of Spark had problems browsing on broadband and mobile platforms for most of Saturday.
Staff worked through the night and the network appeared to be back to normal on Sunday, Spark communications head Conor Roberts said.
Some customers are still reporting problems, but these are "teething problems", he told NZ Newswire.
It is not possible to prevent another attack, the network said.
"Teams had put in place ways of managing further high volumes of traffic from this kind of thing, but this is a pretty dynamic environment," Roberts said.
"The point of attack might change in the future, and obviously we will work to reduce that when it does pop up again."
The affected computers have been removed from the network, and Spark is working with owners to ensure that they are properly protected before being reconnected.
People should ensure their virus protection and spyware is up to date, and shouldn't open any suspicious links, Roberts said.
"We acknowledge the impact on our customers ... and apologise to those people who were affected."
Some customers vented their frustration on Facebook, while others were more sympathetic about the issue.
Spark changed its name from Telecom in August, promising a new era for the telecommunications giant.
Update: Added Spark statement.