Thieving Third-Party Gmail App Highlights Google Security Worries

A .Net programmer finds G-Archiver steals users' Gmail login details, adding to a growing number of security incidents.
In its 2008 Annual Google Communications Intelligence Report, issued last week, Google said that spam and viruses reached a record level in 2007. "In 2007, Postini's data centers recorded the highest levels of spam and virus attacks in history," the report said. "While overall e-mail message volume per user grew 47% in 2007 over the prior year, spam volume was up 57% in the same time period, according to Postini's data center research." Google acquired Postini last year.

In a report published in February, Google engineers Niels Provos and Panayiotis Mavrommatis, along with two Johns Hopkins University computer scientists, Moheeb Abu Rajab and Fabian Monrose, said that 1.3% of search queries returned at least one link to malicious online content. The paper concludes by calling for "more elaborate defense mechanisms to curtail this rapidly increasing threat."

Spammers may have found a way to bypass Google's Gmail CAPTCHA image test, which is used to prevent automated account creation for spamming. MessageLabs, a message security company, notes that "the proportion of spam from Gmail increased two-fold from 1.3% in January to 2.6% in February, mainly promoting adult-oriented Web sites."

A Google spokesperson said that Google's security team continues to believe that Gmail spam accounts are being created manually rather than through automated CAPTCHA cracking. Google's investigation of this is ongoing. The company did acknowledge that Gmail spam is a problem. "Fighting spam is a never-ending battle," a Google spokesperson said via e-mail. "Using Gmail to send spam is a violation of the Program Policies in our Terms of Service. We disabled these accounts immediately and will continue to do so if they spread."

Yahoo Mail is the most frequently abused Web mail service, according to MessageLabs, accounting for 88.7% of all Web mail-based spam. Yahoo Mail and Hotmail CAPTCHAs were broken in July 2007, MessageLabs said. "John Wane," who purports to be a Russian security researcher, in January posted software that he claimed could defeat Yahoo's CAPTCHA system about 35% of the time.

In a blog post on Monday, Douglas Merrill, VP of Engineering, elaborated on Google's security philosophy and practices. "While the chances are that you'll never have a security problem, we take security very seriously, and that's why we have some of the best engineers in the world working here to secure information," he said.

Asked whether Merrill's post had anything to do with recent security issues affecting Google and its users, a Google spokesperson said, "The timing is just coincidental." She said that Google is planning a series of posts about online security because the company gets a lot of questions about security from its users.