We've been getting submissions about an uptick in compromised Gmail accounts in the last few days, but nothing that could be substantiated. Robert McMillan did a bit of digging and now reports in PC World that "Google is investigating a growing number of reports that hackers are breaking into legitimate Gmail accounts and then using them to send spam messages. The problem started about a week ago but seems to have escalated over the past few days. ... [I]n forum posts, Gmail users note that the hackers appear to be sending spam via Gmail's mobile interface — which gives mobile-phone users a way to check their Gmail accounts — and wonder if there may be a bug in the mobile interface that is allowing criminals to send the spam. ... Google says there's no Gmail bug. ... 'Spammers may sometimes use a mobile interface to access accounts they have already compromised because it's simpler for bots to use this method at large scale.'" Here's how to tell if your Gmail account has been accessed by bad guys, and what to do about it.

Stoobalou writes "Not content with its iPhone scoop, Gizmodo has probably ruined the career of a young engineer. The tech blog last night exposed the name of the hapless Apple employee who had one German beer too many and left a prototype iPhone G4 in a California bar some 20 miles from Apple's Infinite Loop campus. Was that really necessary?" It also came out that they paid $5K for the leaked prototype and that Apple wants it back.

Krebsonsecurity.com has a writeup on the decision of UK anti-fraud activist site bobbear.co.uk to retire from the fray. The 66-year-old fraud fighter said he was getting too old for the work, which takes him about 15 hours a day. "We had so many messages of thanks, and congratulations on the site, but it is so stressful and takes so much out of you, and there is always the worry of litigation hanging over your head." "The owner and curator of bobbear.co.uk, a site that specializes in exposing Internet fraud scams and phantom online companies, announced Saturday that he will be shuttering the site at the end of April. Bobbear and its companion site bobbear.com are creations of [the pseudonomous] Bob Harrison, a 66-year-old UK resident who for the last four years has tirelessly chronicled and exposed a myriad of fraud and scam Web sites. The sites, which are well-indexed by Google and other search engines and receive about 2,000 hits per day, often are among the first results returned in a search for the names of fly-by-night corporations advertised in spam and aimed at swindling the unsuspecting or duping the unwitting." Any ideas on who might want to take over the domains and carry on the work would be appreciated by the Internet community at large.

alphadogg writes "Despite security researchers' efforts to cut spam down to size, it just keeps growing back. The volume of unsolicited email in the first quarter was around 6 percent higher than a year earlier, according to Google's e-mail filtering division Postini. Security researchers have won a few significant battles against the spammers in the last year, first against those hosting the spammers' control systems, and later against the control systems themselves, but they will have to change tactics again if they want to win the war. In the first half of last year, security researchers concentrated their efforts on identifying the ISPs or hosting companies that allowed command-and-control servers to operate, and shutting these botnet purveyors down. The success of that tactic was short-lived, however."

Zarrot writes "In the next step for their Free 2 Play model, Turbine Entertainment, publisher of Dungeon and Dragons: Online, Lord of the Rings: Online, and Asheron's Call, has partnered with notorious 'lead generation company' SuperRewards. Initial testing by forum users shows that just accessing the page without clicking on any offers sends the user's email and game login in clear text to SuperRewards. Reports of new spam and fresh malware infections on test systems are already being reported on the company's forums. Is the Zynga business model the future of Internet gaming?"

An anonymous reader writes "Apple's recent decision to restrict the languages that may be used for iPhone and iPad development has provoked some invective from Adobe's platform evangelist Lee Brimelow. He writes on TheFlashBlog, 'This has nothing to do whatsoever with bringing the Flash player to Apple's devices. That is a separate discussion entirely. What they are saying is that they won't allow applications onto their marketplace solely because of what language was originally used to create them. This is a frightening move that has no rational defense other than wanting tyrannical control over developers and more importantly, wanting to use developers as pawns in their crusade against Adobe. This does not just affect Adobe but also other technologies like Unity3D.' He ends his post with, 'Speaking purely for myself, I would look to make it clear what is going through my mind at the moment. Go screw yourself Apple. Comments disabled as I'm not interested in hearing from the Cupertino Comment SPAM bots.'"

eldavojohn writes "TV pitchman Kevin Trudeau was sentenced to 30 days in jail because he urged his fans and followers to spam a judge. Apparently the judge (who was deluged with emails) decided that this was an act of contempt of court on the court's 'virtual presence' since nothing happened while the court was in session in regards to Trudeau's courtroom behavior. US Marshals are now trudging through those emails to decide if any are threatening."

An anonymous reader writes "A proposal to let Internet service providers conceal the contact information for their business customers is drawing fire from a number of experts in the security community, who say the change will make it harder to mitigate the threat from spam and malicious software, according to a story at Krebsonsecurity.com. From the piece: 'The American Registry for Internet Numbers (ARIN) — one of five regional registries worldwide that is responsible for allocating blocks of Internet addresses — later this month will consider a proposal to ease rules that require ISPs to publish address and phone number information for their business customers. Proponents of the plan couch it in terms of property rights and privacy, but critics say it will only lead to litigation and confusion, while aiding spammers and other shady actors who obtain blocks of addresses by posing as legitimate businesses.'"

This weekend saw the delivery of iPads into hundreds of thousands of filthy hands. I managed to get my hands on a 32GB unit and put it through its paces for a battery charge and a half, and wanted to take a few minutes to share some notes with you. But if you don't care to read the whole review, let me give you a hint: I am typing this review on my laptop.

Wolf pointed me to a video clip demonstrating this game: "Miegakure is a platform game where you explore the fourth dimension to solve puzzles. There is no trick; the game is entirely designed and programmed in 4D." Nothing to download yet.

An anonymous reader writes "Even though over 80% of email users are aware of the existence of bots, tens of millions respond to spam in ways that could leave them vulnerable to a malware infection, according to a Messaging Anti-Abuse Working Group (MAAWG) survey. In the survey, half of users said they had opened spam, clicked on a link in spam, opened a spam attachment, replied or forwarded it — activities that leave consumers susceptible to fraud, phishing, identity theft, and infection. While most consumers said they were aware of the existence of bots, only one-third believed they were vulnerable to an infection."

www.sorehands.com writes "In the first case brought by a spam recipient to actually go to trial in California, the Superior Court of California held that people who receive false and deceptive spam emails are entitled to liquidated damages of $1,000 per email under California Business & Professions Code Section 17529.5. In the California Superior Court ruling (PDF), Judge Marie S. Weiner made many references to the fact that Defendants used anonymous domain name registration and used unregistered business names in her ruling. This is different from the Gordon case, where one only had to perform a simple whois lookup to identify the sender; here, Defendants used 'from' lines of 'Paid Survey' and 'Your Promotion' with anonymously registered domain names. Judge Weiner's decision makes it clear that the California law is not preempted by the I CAN-SPAM Act. This has been determined in a few prior cases, including my own. (See http://www.barbieslapp.com/spam for some of those cases.)"

Trailrunner7 writes "After Microsoft's actions to take down the Waledac botnet last month, there was some question about whether the operation was much more than a grab for headlines that would have little effect on actual spam levels or malware infections. But more than three weeks after the takedown, researchers say that Waledac has essentially ceased communications and its spam operations have dropped to near zero. One researcher said that Waledac now seems to be abandoned. 'It looks crippled, if not dead,' said Jose Nazario, a senior security researcher at Arbor Networks."

Trailrunner7 writes "Robert Hansen, a security researcher and CEO of SecTheory, has been gleaning intelligence from professional attackers in recent months, having a series of off-the-record conversations with spammers and malicious hackers in an effort to gain insight into their tactics, mindset and motivation. 'He's not the type to hack randomly, he's only interested in targeted attacks with big payouts. Well, the more I thought about it the more I thought that this is a very solvable problem for bad guys. There are already other types of bad guys who do things like spam, steal credentials and DDoS. For that to work they need a botnet with thousands or millions of machines. The chances of a million machine botnet having compromised at least one machine within a target of interest is relatively high.' Hansen's solution to the hacker's problem provides a glimpse into a business model we might see in the not-too-distant future. It's an evolutionary version of the botnet-for-hire or malware-as-a-service model that's taken off in recent years. In Hansen's model, an attacker looking to infiltrate a specific network would not spend weeks throwing resources against machines in that network, looking for a weak spot and potentially raising the suspicion of the company's security team. Instead, he would contact a botmaster and give him a laundry list of the machines or IP addresses he's interested in compromising. If the botmaster already has his hooks into the network, the customer could then buy access directly into the network rather than spending his own time and resources trying to get in."

52-year-old Anthony Digati was arrested for trying to extort $200,000 from an insurance firm by threatening to spam them with six million emails unless they paid up. Digati said he would use a spam service and his amazing talents as a "huge social networker" to drag the company "through the muddiest waters imaginable" and presumably unfriend everyone. He added that the price would increase to $3 million if they failed to pay up by Monday, according to federal authorities.

Frequent Slashdot contributor Bennett Haselton contributes the following piece on trying to get some measure of satisfaction in the struggle against pop-up ads, writing "The most annoying thing about some pop-up ads, is that you have no way of knowing which ad-serving network served them or who the responsible parties are. Could we reduce the incidence of illegal or deceptive pop-up ads, by giving users an easier way to trace their origin and figure out where to send complaints? Here's one way to do it with a simple right-click." Read on for the rest.

snydeq writes "A new breed of 'spear phishing' aimed at IT admins is making the rounds. The emails, containing no obvious malicious links, are fooling even the savviest of users into opening up holes in their company's network defenses. The authentic-looking emails, which often include the admin's complete name or refer to a real project they are working on, are the product of tactical research or database hacks and appear as if having been sent by the company's hosting provider. 'In each case, the victim remembered getting a similar sort of email message when they first signed on with a service and, thus, thought the bogus message was legitimate — especially because their cloud/hosting providers keep bragging about all the new data centers they're continuing to bring online.' The phishing messages often include instructions for opening up mail servers to enable spam relaying, to disable their host-based firewalls, and to open up unprotected network shares. Certainly fodder for some bone-headed mistakes on the part of admins, the new attack 'makes the old days of hoax messages that caused users to delete legitimate operating system files seem relatively harmless.'"

Spamresource.com has up a piece describing a new service that could be useful in evaluating the reputation of sites you deal with — anonwhois.org returns information on domains registered anonymously. It provides a DNSBL-style service that "is not a blacklist and wasn't meant to be used for outright rejection of mail." Only 619,000 domains are listed so far, but more are added as they are queried, so the database will grow more complete. Anonwhois.org seems to be a sister site to Spam Eating Monkey.

marpot writes "In an effort to assist Wikipedia's editors in their struggle to keep articles clean, we are conducting a public lab on vandalism detection. The goal is the development of a practical vandalism detector that is capable of telling apart ill-intentioned edits from well-intentioned edits. Such a tool, which will work somewhat like a spam detector, will release the crowd's workforce currently occupied with manual and semi-automatic edit filtering. The performance of submitted detectors will be evaluated based on a large collection of human-annotated edits, which has been crowdsourced using Amazon's Mechanical Turk. Everyone is welcome to participate."

Barence writes "Microsoft has quietly won court approval to deactivate 277 domain names that are being used to control a vast network of infected PCs. The notorious Waledac botnet is being used by Eastern European spammers to send 1.5 billion spam messages every day, and infect hundreds of thousands of machines with malware. In a suit filed in the US District Court of Eastern Virginia, Microsoft accused 27 unnamed defendants of violating federal computer crime laws. It further requested that domain registrar Verisign temporarily deactivate the domains, shutting down the control servers being used to send commands to the machines. The request was secretly approved by District Judge Leonie Brinkema, allowing the action to be taken covertly, preventing Waledac's operators from switching domains."