This geek hates the World Cup
By Davey Winder in Editorial
Posted in Blog, Spam, Security on
There are many reasons why I hate the World Cup: it’s football (and not the proper Rugby Union kind either) and it’s totally inescapable. The media seems to assume that everyone is interested in which bunch of seriously overpaid egos can kick a ball around the least worse, so TV schedules are rejigged around the matches and newspapers stuffed full of any vaguely football related news, including the wives, girlfriends and no doubt labradoodles as well.
But perhaps the main reason I hate the World Cup right now is the sheer amount of spam and malware it has created. According to the latest MessageLabs Intelligence Report from Symantec Hosted Services, a whopping 25 percent of all global spam is currently related to the World Cup.
OK, so it is nothing new for the spammers and scammers to latch on to current events in order to peddle their murky trade, but when analysis reveals that 25 percent of spam includes keywords related to football you know things have reached a new low.
If that is not bad enough, MessageLabs Intelligence also intercepted a run of some 45 targeted malware emails earlier this month, all aimed at Brazilian companies and designed to rely on social engineering tactics and World Cup excitement to compromise corporate systems. Using a dual attack mode approach, both PDF attachments and malicious links were included in order to double the chance of success: think about it, if the AV scanner removes the infected PDF attachment but then forwards the apparently cleansed message complete with a malicious link, the recipient is much more likely to consider it as trusted.
“Right now, spammers are reliant on the massive wave of excitement and expectation that typically surrounds an event like the FIFA World Cup” says MessageLabs Intelligence Senior Analyst, Paul Wood. “Riding this wave, spammers get the attention of their victims by offering products for sale or enticing them to click on a link. It is not uncommon for the event to appear in the subject line of an email but for the body of the same email to be completely unrelated”.
With England playing so badly that the team is not likely to progress much further you may have thought the fuss would die down and the spam problem go away equally quickly, however the tournament will continue with or without England and so will the opportunity to spam us. Anyway, Wimbledon tennis has started now as well, which is yet another excuse for the bad guys to grab us by the balls.
Game, set and match to the spammers it seems…
An iPhone 4G could be more costly than you think
By Davey Winder in Editorial
Posted in Data Protection, phishing, Twitter, Spam, Security, Mobile Phones, Apple on
Ever since Gizmodo broke the news about that iPhone 4G that was left in a bar, it seems everyone wants to know more about the next generation Jesus Phone from Apple. But at what price?
How does free grab you? Well that’s the promise that’s been spotted by security experts Sophos appearing in both Twitter and email-based spam scams. An email is doing the rounds which offers the (un)lucky recipients the opportunity to test and ultimately keep an iPhone 4G. This despite the fact that it has yet to be released, and Apple has yet to officially say anything about it other than ‘give us our prototype back’ either. The scam, of course, being that anyone wanting to sign up for the free testing deal has to hand over personal information in order to do so and the spam is really just a clever phishing exercise.
The Twitter scam is equally sinister, using the accounts of apparently sexy young women to offer free iPhone 4G handsets for users who click on a promotional link. A link that, of course, takes them to a personal data harvesting website.
As Graham Cluley of Sophos says “some internet users might blindly hand over their personal information in the belief that they will get a preview version of what will be one of 2010’s hottest gadgets”. I’d take issue with that statement, in that there is no ‘might’ about it and some users will, for sure, do just that. Be it as a result of living in a freebie society where people happily expect to get something for nothing, or maybe it’s the effect of junk food on the brain, but there are certainly plenty of people who will fall for this scam.
While I don’t imagine for a minute that the average IT Pro reader falls into this bracket, it might be worth letting your friends and family know that the price of an iPhone 4G right now is just too high to be worth risking that mouse click upon.
The Sexually Transmitted Online Infection
By Davey Winder in Editorial
Posted in phishing, Health, Blog, Spam, Security, Internet on
I was watching an episode of Embarrassing Bodies on Sky+ the other night, you know the one where the unfeasibly buff Doctor with the really bad taste in shirts takes great delight in examining folk with truly disgusting things wrong with them. I have yet to understand how someone who has not gone to see his GP with that hugely swollen and oddly coloured testicle because he is ‘too embarrassed’ will happily drop his trousers and reveal the thing to millions in TV land. Then again I don’t understand how so many people cannot use condoms when the levels of sexually transmitted disease are on the rise, if you’ll please excuse the pun, across the UK.
I mention all of this for a couple of reasons which do, if you’ll just bear with me a moment longer, have some bearing on the culture of technology. Firstly, Embarrassing Bodies is what I’d classify as car crash TV: the people it features have things that are so grossly and disgustingly wrong with them that you cannot help but sneak a peek while thanking the deity of your choice it isn’t you. Admit it, you laugh when an old lady falls over in the street, you rubberneck when driving past a motorway pile up and you cannot help but watch a TV show where some fat bloke is revealing his bunch of grapes sized hemorrhoids to the nation.
I’d like to add something tech to my list of car-crash stuff, namely Internet security statistics. You know, the quarterly and yearly ‘Internet Threat’ reports that reveal the ongoing trends regarding how the bad guys are screwing us over at this particular point in time. Car crash because I’m not sure I need a report to tell me that spam is on the up, or the bad guys are making ‘loadsa money’ and yet another botnet has gone ballistic. Yet I cannot help but read them, not only that but go through them with a fine toothcomb looking for the juiciest statistics to pull out and make me feel worse about my chosen pet industry, IT security.
Which brings me to the second reason I’ve been banging on about Embarrassing Bodies, namely sexually transmitted infections. You see the latest Internet Threats Trend Report for Q1 2010 to be published by Commtouch Lab has revealed that not only do sites in the sex education categories top those (along with games) most likely to be hosting hidden phishing pages, but rather worryingly that pornography has ousted business as the web site category whose pages are most infected with malware.
So there you have it, just like in the real world the online world now has sexually transmitted infections. Luckily, just like in the real world, they can be prevented by taking precautions such as wearing a condom (using antivirus and security software) and thinking twice before getting down with something dirty.
Warning: Johnny Depp Death Video
By Davey Winder in Editorial
Posted in Twitter, phishing, Search, Blog, Spyware, Security, Spam, Internet on
I’ve been all over the Johnny Depp is NOT dead story this weekend like a nasty rash. Seriously, how this could have spread quite so quickly is beyond me. It has run broad as well as deep, which is unusual for a Twitter hoax. However, it does serve to demonstrate not only how important Twitter is becoming as a breaking news source but also how badly things can go wrong if you treat Twitter Trending Topics as gospel instead of Chinese Whispers.
It only took me a few minutes of Googling to dig up the fact that the supposed car crash was actually an old hoax resurrected from 2004, and it wasn’t a very good one back then to be honest. The lazy hoaxer just pasted an image over an existing CNN news story page but couldn’t be arsed to remove the original text. So one minute it was talking about Depp in an alcohol fuelled death crash and the next about some British Navy types having a lucky escape from a caving accident. Sigh.
Sure, I had the advantage of being an online news guy so am blessed with one of those ‘I’ve heard that somewhere before’ kind of memories which comes with the territory. So when my wife woke me up and was all “the man I love is dead” on my ass I knew it was a hoax. Obviously I also knew my marriage was not, perhaps, as secure as I had thought but that’s another story.
What else I knew, once I’d done my investigating and written it up in the forlorn hope it might help stem the tide of misinformed tweets (it didn’t) was that it wouldn’t be long before the RIP Johnny Depp malware hit the web. Another forlorn hope that a security journalist warning the public to be alert might stop link clicking idiots doing just that. Still, the news stories went out yesterday.
Today the inevitable has happened and Graham Cluley over at Sophos has the video evidence of malware scammers using the web to direct people expecting to find video footage and news of the Johnny Depp death crash to something even nastier. Part of me wants to say that look, if you are searching for video footage of a celebrity perishing in a car crash then you deserve everything the malware scumbags throw at you. But then again, I’ve seen how devoted Depp fans react to the news that their idol may be dead (waves at wife across the office) and know that logic can often be thrown out of the window in an attempt to get at the truth.
To save you the trouble, here is the truth:
Depp did not die in a car crash in 2004 or 2010 and there is no video footage as a result.
Twitter should not be treated like News at Ten, but more as a load of people down the pub - and you wouldn’t necessarily believe Bob at eleven when he tells you that Gordon Brown has resigned over a sex scandal and he knows it is true because Fred told him and he heard it from the barman. Would you?
Take this spam to Cuba
By Davey Winder in Editorial
Posted in phishing, Blog, Spam, Security, email on
It used to be the case that the word ‘hijack’ immediately drummed up visions of terrorists and airplanes, special service soldiers storming in with machine guns blazing. That sort of thing. The truth today is a lot less exciting, but still rather dangerous. When I hear the word hijack I think of spam.
Either of the sort that scumbags use when latching on to the important story of the day, hijacking that news to spread spam and malware, such as has been doing the rounds most recently with the Haiti earthquake.
Alternatively, and proving to be even more problematical, is spam that contains a hijacked IP. Symantec warns that this kind of hijacked spam, which is also known as ‘dotted quad’, has risen significantly in the last month.
Indeed, one December attack alone on Christmas Eve at 2pm apparently resulted in a quarter of the world’s spam containing hijacked IPs. Blimey! Symantec reports that this type of spam has increased threefold when compared to rates during November 2009.
This shouldn’t be a problem, to be honest, but unfortunately while the online world continues to be populated by link clicking idiots it will be.
Are you a sucker for branded malware?
By Davey Winder in Editorial
Posted in phishing, Blog, Spam, Security on
I was surprised to discover that only 85% of folk happily click on anything that appears to have a well known brand behind it. In these celebrity obsessed times where brand is everything, I expected a higher figure.
When Symantec sent me the results of its research, carried out by YouGov, it said that this indicated “the sophisticated methods used by cybercriminals to steal sensitive or personal information” but I take issue with that. It indicates to me that the bad guys are not stupid, but they know that the majority of the web using public are heading into that territory and if we are being generous can be classified as naive at best.
Whenever I suggest such a thing, often accompanied by a headline such as ‘link-clicking idiots’, the hate mail comes thick and fast. Yet how else would you explain, this far into the broadband revolution, the findings of the survey that reveal only 15% of us would not click on images or adverts “without a second thought” exploiting trusted and well known brands as well as celebrity worship?
It seems that security education is getting through on some fronts, as 43% of those polled denied ever opening spam email with the same content. OK, maybe not getting through that far as the 43% actually claim not to open those spam emails if they do not come with any images attached. Doh!
The survey looked in depth at how people interacted with adverts, images and unsolicited emails. At the same time as claiming not to open those unsolicited emails, 5% admitted that they would click on images from banks, while 16% said they would do the same for music stores and 21% if a social networking site was thought to be behind it.
“Cybercriminals are always on the lookout for new ways to make money. A current and successful tactic is by exploiting the public’s trust and familiarity in a particular brand or piece of celebrity news and using this trust to gain access to their computer” said Orla Cox, Security Response Manager for Symantec who continued “often criminals will use imagery in spam emails, or in advertisements that look genuine but either automatically load malware simply when a person visits that Web page, or download malware should you click on them”.
Of course, as I have explained before right here at IT Pro, it is possible to turn things around and make decommissioned malware and phishing links work in a positive way as far as security is concerned.
Clicking on phishing links can be good for security
By Davey Winder in Editorial
Posted in phishing, Blog, Spam, Security, Internet on
When it comes to phishing sites there are two universal truths: people click on the links because they are lacking in IT security smarts, and the fake sites themselves get decommissioned very quickly indeed. So why not exploit the latter to educate the former? That’s the rather ingenious game plan being deployed by the Anti-Phishing Working Group.
The APWG is a global pan-industrial and law enforcement association focused on eliminating fraud and identity theft resulting from phishing, pharming and email spoofing of all types. Now the APWG Internet Policy Committee along with the Carnegie Mellon Cylab Usable Privacy and Security Laboratory have developed a scheme which aims to educate consumers at the most teachable moment of all: when they have literally just clicked on a link in a phishing message.
The APWG/CUPS Phishing Education Landing Page Program is a real-time counter-eCrime education system designed to instruct consumers the moment they’ve been pulled into a phishing scam by redirecting them away from the (by now decommissioned) phishing website they have clicked through to and instead taking them to an educational security page that warns of the dangers they would have faced and instructs them on how best not to get caught out in the future.
Phishing sites don’t tend to be live for very long. Security companies are good at spotting them quickly, and the phishing gangs have enough street smarts to not hang around long enough for law enforcement to be able to catch them. The phishing spams linking to those sites often remain in circulation long after the sites themselves have been decommissioned. So it makes good sense to put them to some positive use. The APWG is therefore asking ISPs, domain registrars and the like to get the spoofed company or brand to approve redirection of those links to the educational page and then do the necessary technical wizardry to make the redirect work.
You can see the Phishing Education Landing Page for yourself right here.
“Our research has shown that most Internet users don’t know very much about online scams and don’t realize that there are some simple things they can do to protect themselves,” said Dr. Lorrie Cranor, an associate professor of computer science and engineering & public policy at Carnegie Mellon and director of the CyLab Usable Privacy and Security Laboratory. “People aren’t interested in computer safety courses. But we’ve demonstrated that users are receptive to on-line safety instruction immediately after they fall for a phishing attack and they tend to remember this instruction.”
Decoding Captchas with OCR
By Davey Winder in Editorial
Posted in Blog, Spam, Security on
Just when you thought spam volumes couldn’t really get much worse, comes the news that one of the frontline defences against spambots has been compromised by a rather clever decoding Trojan.
According to researchers at Webroot the Trojan makes use of components found in commercial optical character recognition software in order to decode Captcha sentries which do a pretty decent job of keeping the bots out of webmail and forum services while letting the real human beings in. At least of late, software has had something of a problem in unjumbling the images of text used by these ‘Completely Automated Public Turing Test To Tell Computers and Humans Apart’ systems. Heck, even I have trouble in getting it right on occasion, and I am a real human being, albeit one with eyes that are not as young as they used to be.
Sure, this is not the first time that Captcha has been cracked, Hotmail (which is having something of a security crisis right now) fell victim to spammer gang hacking attention earlier in the year. I wrote a piece on IT Pro called Hotmail CAPTCHA: cracked in 20 seconds at the time.
But this time it’s different, this time it’s a Trojan using clever technology to accomplish a cunning goal. You’d never guess, but the Webroot folk reckon its main purpose “appears to be to fill out contest entries, online polls, and other forms relating to marketing campaigns”. It uses the OCR side of things to get past the Captcha and submit the forms.
So why should we worry about this? Mainly as it seems the tool itself is something of a corker, designed in China and capable of bypassing over 30 different captcha systems. Simples. Which means that spammers are going to be making a lot of use of the thing before very long. Especially Chinese spammers, one has to assume.
The Trojan itself appears capable of filling in forms at the rate of one every 15 minutes, not amazingly fast but seeing as it can also monitor active pages and steal passwords and shopping form contents, it is worrying enough methinks.
So what are the people behind it up to? Webroot researchers think it’s currently something of a product test combined with a cheeky and greedy attempt to win prizes offered by the online survey outfits.
Death, Taxes and Botnets
By Davey Winder in Editorial
Posted in Blog, Spam, Security, email, Internet on
If Benjamin Franklin were alive today I’m pretty sure he would amend his famous “…in this world nothing is certain but death and taxes” line to include botnets. Every single day, some 150 billion spam messages are distributed by botnets and, like death and taxes, no matter how hard we try nothing seems to be able to prevent botnet growth. Well, almost nothing.
With botnets now being responsible for some 88% of all global spam by volume, and the computers of those unsuspecting folk which contribute to the botnet collectives being at risk of an assortment of auxiliary security and privacy compromises, something has to be done. That much is obvious. According to the latest Symantec MessageLabs Intelligence Report, that something has been the closure of hosting outfits that it describes as ‘rogue Internet Service Providers’ such as McColo, PriceWert and Real Host. These closures came after a four month investigation by the Washington Post which forced the suppliers of their connectivity to take action.
At the time of the McColo takedown, late in 2008, the impact was felt almost immediately. IT Pro reported how during the first 12 hours following the pulling of the plug, spam volumes dropped by as much as 70%, and how those spam volumes remained low for a few weeks. However, within a month security researchers were seeing a steady climb in spam activity as the botnets found new homes for their command and control centres. By the start of this year, Mega-D had come back from the dead and was responsible for around half of all the spam flowing through security honeypots. Other botnet brands, if you can call them that, such as Cutwail and Srizbi have also hit that 50% figure at their peak.
But, as the new Symantec MessageLabs report reveals, botnet trends come and go like the seasons. Srizbi has vanished from the spamming scene entirely it would appear, and Mega-D has been shrinking in size so rapidly that it is now only one tenth as big as it was in June in terms of compromised computers. That does not mean that Mega-D is no longer a player, of course; in fact it is putting the bots it does have left to work at a far harder pace and is churning out spam at a rate per minute that can only be beaten by a relative newcomer called Bobax. Depending on your point of view, Bobax either sounds like a cuddly teddy bear or a nasty disease. I favour the latter, especially when the spam output per compromised computer is claimed to be the highest that MessageLabs has ever seen. Currently, Bobax is responsible for some 15.7% of all global spam by volume. That still falls short of another new name, Grum, which is apparently churning out 23% of global spam right now, having ramped up the output per bot significantly since the summer.
The largest botnet if measured by the number of compromised computers under its direct control would have to be Rustock, claiming anything up to 1.9 such PCs. In sheer botnet size terms it has grown to double what it was at the start of the summer. Yet in terms of actual spam output it is struggling against the competition. Researchers insist that what sets Rustock apart from the rest is the ‘highly automated cycle of spamming activity’ it displays, with spam output accelerating from 8am (GMT) and peaking at noon. The newest of the major botnets to watch is Maazben, a casino only spammer at the moment but one which is growing at a rapid rate (up from 0.5% of global spam to 1.4% in just a few weeks) recently without increasing the spam output. This suggests it could be getting ready for a move into other spamming markets soon.
“Over the past year, we have seen a number of ISP’s taken offline for hosting botnet activity resulting in a case of sink or swim and an ensuing shift in botnet power,” said Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec. “This has undermined the power of the more dominant botnets like Cutwail and cleared the way for new botnets like Maazben to emerge. However, this won’t always be the case as botnet technology has also evolved since the end of 2008 and the most recent ISP closures now have less of an impact on resulting activity as downtime now only lasts a few hours rather than weeks or months as before.”
The £2.61 billion online robbery
By Davey Winder in Editorial
Posted in Blog, phishing, Spyware, Spam, Security, Internet on
With some 12% of the UK population falling victim to online fraud within the last 12 months alone, I guess it should come as no surprise that as far as the online version goes crime does pay. The extent to which it pays, of course, is another thing altogether. New research from YouGov and VeriSign (commissioned to launch the VeriSign UK Fraud Index) suggests that the average cost per victim of online ID fraud is £463. If you are one of those who have been mugged in this manner, I feel for you - unless you have acted like some greedy village idiot in which case consider it an expensive but effective lesson in trust.
Truth be told, less than £500 per person on average doesn’t sound too frightening. I imagine that, like the three people I randomly asked about the survey this morning, you thought that victims of Nigerian 419 and Canadian Lottery scams got fleeced for thousands at a pop. But remember these are averages we are talking about, and quite apart from the highs and lows of such math, you also need to take into account the huge numbers of people concerned. Multiply the average by millions, because that’s what we are talking about here, and the figures start to get very worrying indeed.
The survey shows that in the last 12 months some £2.61 billion was stolen online from UK consumers. This despite 82% of them claiming to only buy from sites with enhanced security settings. Obviously they are not doing enough checking, and not applying enough common sense to avoid being defrauded though.
It also reveals that only 5% of 18-24 year olds have been defrauded, suggesting that younger folk are not only more street-wise but also more web-wise. People aged 45-54, however, are defrauded the most with some 14% claiming to have fallen victim to online ID fraud.
Looked at from a geographical perspective, it is Londoners who are most careless when it comes to buying stuff online with 18% of them saying they just don’t bother checking site security settings before purchasing. That compares to just 9% in Northern Ireland, for example, which ranks as the safest. Welsh folk are the biggest victims of online fraud, however, with some 20% stating that they had experienced ID fraud in the last year, while only 8% of Scots said the same.
“Research reveals that there isn’t a relationship between the number of people who check a website’s security and those who have been scammed” Martin Mackay, VeriSign’s vice president of EMEA reckons. “There are still too many out there who simply don’t know the danger signs to look for when buying online. We’re committed to measuring fraud in the UK to raise awareness of this issue, and promise to educate the public with regular campaigns on what they should be looking for before buying online.”



