Davey Winder's Blog

An iPhone 4G could be more costly than you think

By Davey Winder in Editorial

Posted in Data Protection, phishing, Twitter, Spam, Security, Mobile Phones, Apple on May 13, 2010 at 8:00 pm

Ever since Gizmodo broke the news about that iPhone 4G that was left in a bar, it seems everyone wants to know more about the next generation Jesus Phone from Apple. But at what price?

How does free grab you? Well, that’s the promise that security experts at Sophos have spotted in both Twitter and email-based spam scams. An email is doing the rounds offering the (un)lucky recipients the opportunity to test and ultimately keep an iPhone 4G. This despite the fact that it has yet to be released, and Apple has yet to officially say anything about it other than ‘give us our prototype back’. The scam, of course, is that anyone wanting to sign up for the free testing deal has to hand over personal information in order to do so; the spam is really just a clever phishing exercise.

The Twitter scam is equally sinister, using the accounts of apparently sexy young women to offer free iPhone 4G handsets for users who click on a promotional link. A link that, of course, takes them to a personal data harvesting website.

As Graham Cluley of Sophos says “some internet users might blindly hand over their personal information in the belief that they will get a preview version of what will be one of 2010’s hottest gadgets”. I’d take issue with that statement, in that there is no ‘might’ about it and some users will, for sure, do just that. Be it as a result of living in a freebie society where people happily expect to get something for nothing, or maybe it’s the effect of junk food on the brain, but there are certainly plenty of people who will fall for this scam.

While I don’t imagine for a minute that the average IT Pro reader falls into this bracket, it might be worth letting your friends and family know that the price of an iPhone 4G right now is just too high to be worth risking that mouse click upon.

Rated: 100% (1 votes)

The Sexually Transmitted Online Infection

By Davey Winder in Editorial

Posted in phishing, Health, Blog, Spam, Security, Internet on April 18, 2010 at 11:49 am

I was watching an episode of Embarrassing Bodies on Sky+ the other night, you know the one where the unfeasibly buff Doctor with the really bad taste in shirts takes great delight in examining folk with truly disgusting things wrong with them. I have yet to understand how someone who has not gone to see his GP with that hugely swollen and oddly coloured testicle because he is ‘too embarrassed’ will happily drop his trousers and reveal the thing to millions in TV land. Then again I don’t understand how so many people cannot use condoms when the levels of sexually transmitted disease are on the rise, if you’ll please excuse the pun, across the UK.

I mention all of this for a couple of reasons which do, if you’ll just bear with me a moment longer, have some bearing on the culture of technology. Firstly, Embarrassing Bodies is what I’d classify as car crash TV: the people it features have things that are so grossly and disgustingly wrong with them that you cannot help but sneak a peek while thanking the deity of your choice it isn’t you. Admit it, you laugh when an old lady falls over in the street, you rubberneck when driving past a motorway pile-up and you cannot help but watch a TV show where some fat bloke is revealing his bunch-of-grapes-sized haemorrhoids to the nation.

I’d like to add something tech to my list of car-crash stuff, namely Internet security statistics. You know, the quarterly and yearly ‘Internet Threat’ reports that reveal the ongoing trends regarding how the bad guys are screwing us over at this particular point in time. Car crash because I’m not sure I need a report to tell me that spam is on the up, or the bad guys are making ‘loadsa money’ and yet another botnet has gone ballistic. Yet I cannot help but read them, not only that but go through them with a fine-tooth comb looking for the juiciest statistics to pull out and make me feel worse about my chosen pet industry, IT security.

Which brings me to the second reason I’ve been banging on about Embarrassing Bodies, namely sexually transmitted infections. You see the latest Internet Threats Trend Report for Q1 2010 to be published by Commtouch Lab has revealed that not only do sites in the sex education categories top those (along with games) most likely to be hosting hidden phishing pages, but rather worryingly that pornography has ousted business as the web site category whose pages are most infected with malware.

So there you have it, just like in the real world the online world now has sexually transmitted infections. Luckily, just like in the real world, they can be prevented by taking precautions such as wearing a condom (using antivirus and security software) and thinking twice before getting down with something dirty.

Rated: 90% (2 votes)

When online crime impacts climate change

By Davey Winder in Editorial

Posted in phishing, Business, Green IT, Blog, Security on February 6, 2010 at 12:12 pm

Welcome to my oddest headline since I suggested Vista added to the global warming problem. Bear with me and I’ll explain the connection between the data thieves and carbon emissions.

As you are probably aware, the world of greenhouse gas, carbon emissions and global warming is a highly politicised and highly complex one. One of the ways that those companies which pollute the most are encouraged to reduce their carbon emissions is the good old bribery option, formally known as an economic incentive I do believe, but we all know what they mean really. Anyway, these bribes, sorry, I mean incentives, operate by a limit being set on the pollution level that is allowed and those companies being issued with emission permits. The companies also get an equivalent number of ‘emission credits’ that give them the authority to pollute to that level.

Which is where it starts to get interesting, as companies are not allowed to go over the cap set by the allowances and credits that they hold. Unless they buy more credits, that is, and they can do this because companies which pollute less than their caps are able to sell their excess credits. Still with me? Good. The idea is that the seller is being rewarded for lower emissions while the buyer is being penalised for higher emissions, and to oversee the exchange of these carbon credits there are trading registries.

And that’s where the phisher connection comes in.

According to the BBC this international carbon trading market has suffered at the hands of the bad guys, no not the highly polluting companies but rather the conmen and phishing gangs. Apparently some 250,000 carbon permits were stolen this week, with a market value in excess of 3 million Euros. Trading registries in a number of EU countries were forced to close down as a direct result, albeit temporarily.

It seems that the phishers created fake emissions registries and then emailed thousands of companies across Australia, New Zealand, Germany and Norway in order to fool them into handing over the registration details needed for the fraudsters to steal their emissions permits. Enough companies did just that for the scam to be successful.

Phil D’Angio, director and online security expert at VeriSign, told me “It’s no surprise that fraudsters targeted the lucrative business of emissions trading. Phishing scams are most often seen targeting consumers, requesting banking customers to reconfirm account information for example. However, the concept is always the same. People are duped into entering sensitive data into fraudulent sites, resulting in them or their companies losing money or crucial information.”

And how has this contributed to global warming? Well according to several reports, and common sense for that matter, the scam and subsequent closure of registries and exchanges has hampered trading in carbon credits. And trading in carbon credits is mostly agreed to be a pretty important part of the drive to slow down climate change, ipso facto online crime is making global warming worse.

Without wishing to dismiss the importance of this too much, but at the same time attempting to swing the story back around to the enterprise, the moral of this should be that phishing gangs do not just target the consumer. Sure, that is the all too readily accepted assumption in the enterprise, and many CIOs and those responsible for information security at board level will dismiss the notion that the enterprise is at risk as a result. This particular attack shows that criminal gangs target whoever and whatever can make them a return, and that includes your business. Education, or perhaps I should say re-education, at all levels from workers to directors is required to prevent people falling for this kind of ‘for security reasons you need to re-register your details’ scam.

Rated: 100% (1 votes)

Warning: Johnny Depp Death Video

By Davey Winder in Editorial

Posted in Twitter, phishing, Search, Blog, Spyware, Security, Spam, Internet on January 25, 2010 at 10:52 am

I’ve been all over the Johnny Depp is NOT dead story this weekend like a nasty rash. Seriously, how this could have spread quite so quickly is beyond me. It has run broad as well as deep, which is unusual for a Twitter hoax. However, it does serve to demonstrate not only how important Twitter is becoming as a breaking news source but also how badly things can go wrong if you treat Twitter Trending Topics as gospel instead of Chinese Whispers.

It only took me a few minutes of Googling to dig up the fact that the supposed car crash was actually an old hoax resurrected from 2004, and it wasn’t a very good one back then to be honest. The lazy hoaxer just pasted an image over an existing CNN news story page but couldn’t be arsed to remove the original text. So one minute it was talking about Depp in an alcohol fuelled death crash and the next about some British Navy types having a lucky escape from a caving accident. Sigh.

Sure, I had the advantage of being an online news guy so am blessed with one of those ‘I’ve heard that somewhere before’ kind of memories which comes with the territory. So when my wife woke me up and was all “the man I love is dead” on my ass I knew it was a hoax. Obviously I also knew my marriage was not, perhaps, as secure as I had thought but that’s another story.

What else I knew, once I’d done my investigating and written it up in the forlorn hope it might help stem the tide of misinformed tweets (it didn’t), was that it wouldn’t be long before the RIP Johnny Depp malware hit the web. Another forlorn hope was that a security journalist warning the public to be alert might stop link-clicking idiots doing just that. Still, the news stories went out yesterday.

Today the inevitable has happened and Graham Cluley over at Sophos has the video evidence of malware scammers using the web to direct people expecting to find video footage and news of the Johnny Depp death crash to something even nastier. Part of me wants to say that look, if you are searching for video footage of a celebrity perishing in a car crash then you deserve everything the malware scumbags throw at you. But then again, I’ve seen how devoted Depp fans react to the news that their idol may be dead (waves at wife across the office) and know that logic can often be thrown out of the window in an attempt to get at the truth.

To save you the trouble, here is the truth:

Depp did not die in a car crash in 2004 or 2010 and there is no video footage as a result.

Twitter should not be treated like News at Ten, but more as a load of people down the pub - and you wouldn’t necessarily believe Bob at eleven when he tells you that Gordon Brown has resigned over a sex scandal and he knows it is true because Fred told him and he heard it from the barman. Would you?

Rated: 60% (2 votes)

Take this spam to Cuba

By Davey Winder in Editorial

Posted in phishing, Blog, Spam, Security, email on January 20, 2010 at 11:40 am

It used to be the case that the word ‘hijack’ immediately conjured up visions of terrorists and airplanes, special service soldiers storming in with machine guns blazing. That sort of thing. The truth today is a lot less exciting, but still rather dangerous. When I hear the word hijack I think of spam.

Either the sort that scumbags use when latching on to the important story of the day, hijacking that news to spread spam and malware, as has been doing the rounds most recently with the Haiti earthquake.

Alternatively, and proving to be even more problematic, there is spam that contains a hijacked IP address. Symantec warns that this kind of hijacked spam, which is also known as ‘dotted quad’ spam, has risen significantly in the last month.

Indeed, one December attack alone, on Christmas Eve at 2pm, apparently resulted in a quarter of the world’s spam containing hijacked IPs. Blimey! Symantec reports that this type of spam has increased threefold when compared to rates during November 2009.

This shouldn’t be a problem, to be honest, but unfortunately while the online world continues to be populated by link-clicking idiots it will be.
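The ‘dotted quad’ spam described above is mail whose links point at a raw numeric IPv4 address (four numbers separated by dots) rather than a host name, which is something a mail filter can check for. Here is an added example of that check (not Symantec’s or the blog’s code) run over a handful of constructed sample messages; it also catches the deceptive form where a legitimate-looking host name is placed before an ‘@’ in front of the real IP address.

```python
"""Flag e-mail bodies whose links point at a bare IPv4 address ("dotted quad")
instead of a host name.

Added example, not Symantec's or the blog's code. The sample messages below are
constructed for the demonstration and use RFC 5737 documentation addresses.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Matches http(s) URLs and bare "www." links; good enough for plain-text mail bodies.
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"')\]]+""", re.IGNORECASE)


def extract_urls(text):
    """Return every URL-looking token in the text, trailing punctuation removed."""
    return [m.group(0).rstrip(".,;:!?") for m in URL_RE.finditer(text)]


def split_url(url):
    """urlsplit() with a scheme forced onto bare 'www.' links; None if unparseable.

    urlsplit() treats everything before '@' in the authority as user info, so for
    "http://www.bank.example@203.0.113.9/login" the real host is 203.0.113.9.
    """
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.IGNORECASE):
        url = "http://" + url
    try:
        return urlsplit(url)
    except ValueError:
        return None


def is_dotted_quad(host):
    """True if host is a literal IPv4 address such as 203.0.113.9."""
    if host is None:
        return False
    try:
        ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return False
    return True


def scan_message(body):
    """Return (url, host, reason) for each bare-IP link found in one message body."""
    findings = []
    for url in extract_urls(body):
        parts = split_url(url)
        if parts is None or not is_dotted_quad(parts.hostname):
            continue
        reason = "bare IPv4 host"
        if "@" in parts.netloc:
            reason += "; text before '@' is user info, not the host"
        findings.append((url, parts.hostname, reason))
    return findings


# Constructed sample mail bodies (not real spam); addresses are RFC 5737 examples.
SAMPLE_MESSAGES = [
    "Haiti relief fund - donate now at http://198.51.100.42/donate before it's too late!",
    "Security notice: confirm your details at http://www.bank.example@203.0.113.9/login",
    "Read the full threat report at https://www.example.com/threatreport",
    "Lunch at 1pm? Bring the quarterly figures.",
]


def classify_all(messages):
    """Map message index -> findings, for messages that carry at least one bare-IP link."""
    results = {i: scan_message(m) for i, m in enumerate(messages)}
    return {i: f for i, f in results.items() if f}


def dotted_quad_share(messages):
    """Fraction of messages carrying a bare-IP link (the 'quarter of all spam' ratio)."""
    if not messages:
        return 0.0
    return len(classify_all(messages)) / len(messages)


if __name__ == "__main__":
    for i, findings in classify_all(SAMPLE_MESSAGES).items():
        for url, host, reason in findings:
            print(f"message {i}: {url} -> {host} ({reason})")
    print(f"share of messages with bare-IP links: {dotted_quad_share(SAMPLE_MESSAGES):.2f}")
```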

Rated: 100% (1 votes)

Are you a sucker for branded malware?

By Davey Winder in Editorial

Posted in phishing, Blog, Spam, Security on December 16, 2009 at 11:14 am

I was surprised to discover that only 85% of folk happily click on anything that appears to have a well known brand behind it. In these celebrity obsessed times where brand is everything, I expected a higher figure.

When Symantec sent me the results of its research, carried out by YouGov, it said that this indicated “the sophisticated methods used by cybercriminals to steal sensitive or personal information” but I take issue with that. It indicates to me that the bad guys are not stupid, but they know that the majority of the web using public are heading into that territory and if we are being generous can be classified as naive at best.

Whenever I suggest such a thing, often accompanied by a headline such as ‘link-clicking idiots’, the hate mail comes thick and fast. Yet how else would you explain, this far into the broadband revolution, the findings of the survey that reveal only 15% of us would not click on images or adverts “without a second thought” exploiting trusted and well known brands as well as celebrity worship?

It seems that security education is getting through on some fronts, as 43% of those polled denied ever opening spam email with the same content. OK, maybe not getting through that far as the 43% actually claim not to open those spam emails if they do not come with any images attached. Doh!

The survey looked in depth at how people interacted with adverts, images and unsolicited emails. At the same time as claiming not to open those unsolicited emails, 5% admitted that they would click on images from banks, while 16% said they would do the same for music stores and 21% if a social networking site was thought to be behind it.

“Cybercriminals are always on the lookout for new ways to make money. A current and successful tactic is by exploiting the public’s trust and familiarity in a particular brand or piece of celebrity news and using this trust to gain access to their computer” said Orla Cox, Security Response Manager for Symantec who continued “often criminals will use imagery in spam emails, or in advertisements that look genuine but either automatically load malware simply when a person visits that Web page, or download malware should you click on them”.

Of course, as I have explained before right here at IT Pro, it is possible to turn things around and make decommissioned malware and phishing links work in a positive way as far as security is concerned.

Rated: 90% (2 votes)

Clicking on phishing links can be good for security

By Davey Winder in Editorial

Posted in phishing, Blog, Spam, Security, Internet on October 21, 2009 at 9:34 am

When it comes to phishing sites there are two universal truths: people click on the links because they are lacking in IT security smarts, and the fake sites themselves get decommissioned very quickly indeed. So why not exploit the latter to educate the former? That’s the rather ingenious game plan being deployed by the Anti-Phishing Working Group.

The APWG is a global pan-industrial and law enforcement association focused on eliminating fraud and identity theft resulting from phishing, pharming and email spoofing of all types. Now the APWG Internet Policy Committee, along with the Carnegie Mellon CyLab Usable Privacy and Security Laboratory, has developed a scheme which aims to educate consumers at the most teachable moment of all: when they have literally just clicked on a link in a phishing message.

The APWG/CUPS Phishing Education Landing Page Program is a real-time counter-eCrime education system designed to instruct consumers the moment they’ve been pulled into a phishing scam by redirecting them away from the (by now decommissioned) phishing website they have clicked through to and instead taking them to an educational security page that warns of the dangers they would have faced and instructs them on how best not to get caught out in the future.

Phishing sites don’t tend to be live for very long. Security companies are good at spotting them quickly, and the phishing gangs have enough street smarts to not hang around long enough for law enforcement to be able to catch them. The phishing spams linking to those sites often remain in circulation long after the sites themselves have been decommissioned. So it makes good sense to put them to some positive use. The APWG is therefore asking ISPs, domain registrars and the like to get the spoofed company or brand to approve redirection of those links to the educational page and then do the necessary technical wizardry to make the redirect work.

You can see the Phishing Education Landing Page for yourself right here.

“Our research has shown that most Internet users don’t know very much about online scams and don’t realize that there are some simple things they can do to protect themselves,” said Dr. Lorrie Cranor, an associate professor of computer science and engineering & public policy at Carnegie Mellon and director of the CyLab Usable Privacy and Security Laboratory. “People aren’t interested in computer safety courses. But we’ve demonstrated that users are receptive to on-line safety instruction immediately after they fall for a phishing attack and they tend to remember this instruction.”

Rated: 100% (1 votes)

The £2.61 billion online robbery

By Davey Winder in Editorial

Posted in Blog, phishing, Spyware, Spam, Security, Internet on September 16, 2009 at 12:19 pm

With some 12% of the UK population falling victim to online fraud within the last 12 months alone, I guess it should come as no surprise that, as far as the online version goes, crime does pay. The extent to which it pays, of course, is another thing altogether. New research from YouGov and VeriSign (commissioned to launch the VeriSign UK Fraud Index) suggests that the average cost per victim of online ID fraud is £463. If you are one of those who have been mugged in this manner, I feel for you - unless you have acted like some greedy village idiot, in which case consider it an expensive but effective lesson in trust.

Truth be told, less than £500 per person on average doesn’t sound too frightening. I imagine that, like the three people I randomly asked about the survey this morning, you thought that victims of Nigerian 419 and Canadian Lottery scams got fleeced for thousands at a pop. But remember these are averages we are talking about, and quite apart from the highs and lows of such math, you also need to take into account the huge numbers of people concerned. Multiply the average by millions, because that’s what we are talking about here, and the figures start to get very worrying indeed.

The survey shows that in the last 12 months some £2.61 billion was stolen online from UK consumers. This despite 82% of them claiming to only buy from sites with enhanced security settings. Obviously they are not doing enough checking, and not applying enough common sense to avoid being defrauded though.

It also reveals that only 5% of 18-24 year olds have been defrauded, suggesting that younger folk are not only more street-wise but also more web-wise. People aged 45-54, however, are defrauded the most, with some 14% claiming to have fallen victim to online ID fraud.

Looked at from a geographical perspective, it is Londoners who are most careless when it comes to buying stuff online, with 18% of them saying they just don’t bother checking site security settings before purchasing. That compares to just 9% in Northern Ireland, for example, which ranks as the safest. Welsh folk are the biggest victims of online fraud, however, with some 20% stating that they had experienced ID fraud in the last year, while only 8% of Scots said the same.

“Research reveals that there isn’t a relationship between the number of people who check a website’s security and those who have been scammed” Martin Mackay, VeriSign’s vice president of EMEA reckons. “There are still too many out there who simply don’t know the danger signs to look for when buying online. We’re committed to measuring fraud in the UK to raise awareness of this issue, and promise to educate the public with regular campaigns on what they should be looking for before buying online.”

Rated: 100% (1 votes)

Just stop it, you spam-loving moron!

By Davey Winder in Editorial

Posted in phishing, Blog, Spam, Security, email on August 10, 2009 at 10:30 am

No, seriously, please stop. Yes, you. New research suggests that one in every six people click on spam. I don’t, and I’ve asked the four other people in the office if they do and they say no as well. So it must be you.

According to the Messaging Anti-Abuse Working Group (MAAWG) the people who do click are doing so because they are “curious” although I prefer to think of them as just being morons. It does not take a genius to work out that the more spam gets those click-throughs then the more spam will be churned out, often directly to the link-clicking morons in question. It only requires a small spark of common sense to realise that the same spam links can often lead to more than just an offer of some fake Viagra, and the curious clicker gets added to a botnet for good measure.

Yet the MAAWG survey results suggest that 80 percent of users doubt their computers were at risk of bot infection. Morons. Especially when the security industry is, with alarming regularity, revealing exactly how much of the spam that we get is actually being distributed by spambots. MessageLabs Intelligence, for example, recently stated that the Donbot, Cutwail and Mega-D botnets were sending up to 21 billion spam messages each day.

Disturbingly, two-thirds of the consumers surveyed considered themselves “very” or “somewhat” knowledgeable in Internet security.

“Spamming has morphed from an isolated hacker playing with some code into a well-developed underground economy that feeds off reputable users’ machines to avoid detection. Consumers shouldn’t be afraid to use email, but they need to be computer smart and learn how to avoid these problems” said MAAWG Chair Michael O’Reirdan.

The complete 60-page survey report, “A Look at Consumers’ Awareness of Email Security and Practices or ‘Of Course I Never Reply to Spam, Except Sometimes’” includes graphs, detailed findings and analysis, and it’s downloadable from MAAWG free of charge.

Rated: 46.67% (3 votes)

World’s 3rd largest social network accused of identity theft

By Davey Winder in Editorial

Posted in phishing, Blog, Spam, Security on July 12, 2009 at 10:18 pm

That’s the allegation being made by New York Attorney General Andrew Cuomo as he served the social networking site Tagged.com with a notice of intent to sue over charges that it has sent spam emails which, in effect, stole identities from as many as 60 million of its users.

Cuomo has previously taken on the task of banishing child pornography from the Internet and is now, it would seem, turning his attention to spam and identity theft. In his notice of intent, Cuomo suggests that Tagged.com used an illegal spamming campaign in order to increase the traffic to its site and add millions of new users in the process.

He stated that Tagged.com had stolen “the address books and identities of millions of people” and as a result consumers had suffered by having their privacy invaded and being “forced into the embarrassing position of having to apologize to all their e-mail contacts.”

With some 80 million users, Tagged.com would seem to be a pretty successful social networking site that is only beaten by Facebook and MySpace on the membership numbers front. But Cuomo accuses it of tricking many of them into allowing access to their email contacts, which were then spammed with promotional mail that appeared to come from the original user, who would of course have been known to the recipient. These messages suggested that someone had posted a private photo of friends online, when in fact no such photo existed, according to Cuomo. Any attempt to access the photos which did not exist led to people having to sign up and become members of Tagged.com.

Tagged CEO, Greg Tseng, has responded by way of blog postings in which he admits to being “dismayed” that Cuomo has issued an “inaccurate and inflammatory accusation” which, Tseng suggests, can only mean “they have not carefully reviewed the facts.”

Specifically, Tseng insists that Tagged has not raided email address books or spammed millions. He states that the ‘invite your friends practice’ has been “standard practice among all top social networks for over five years” and to compare it to spam and identity theft “generates unnecessary alarm among consumers.”

Tseng says that “Tagged users are given clear notice at every step of the registration process, if they choose to import and invite their contacts they must affirmatively enter their email password and are able to choose which contacts they do not wish to invite before any email invitations are sent from Tagged on their behalf.”

However, he does admit that Tagged began testing a new Tags photo-sharing feature based registration process in June which led to some members complaining that they had “inadvertently elected to send invitations to all the contacts they had uploaded.” Tseng insists that it learned from this feedback that it was too easy for people to unintentionally invite their friends to join them on Tagged and so stopped using that process.

Tseng is confident that once all the facts are reviewed the Attorney General will be able to “resolve this matter amicably” adding that “we realize that some were confused and accidentally agreed to invite their friends. We are truly sorry for any inconvenience or frustration that these people experienced.”

Rated: 100% (2 votes)
