When Spam Turns Dangerous

(MoneyWatch)  Clicking "remember me" may be one of the most dangerous things you ever do on the web, or so says Gerry Egan, director of security response at Symantec, the Culver City makers of Norton anti-virus software.

The reason: We are not careful guarders of our email addresses and passwords, and yet when you click "remember me," those become the key to many an online transaction, from buying books from Amazon to viewing our financial lives on Mint. To be sure, you have a separate password for these sites (and for your credit card company, for that matter), but if you have access to the proper email address, you can click "I forgot my password" and they'll either send you a new one or give you instructions on how to reset.

I had called Egan because I was fascinated, and slightly concerned, about the fact that I'm constantly spamming myself. In the middle of the night, when I think I'm fast asleep, I send myself emails advertising Russian dating sites, cut-rate prescription drugs (for problems that would make my mother blush), and appeals for web design services that open "please excuse us to disturb your precious time."

Google, which wisely will not allow me to send out emails in the middle of the night, offers that it doesn't believe I'm me. Or, rather, it believes that the person or people sending these emails are only pretending to be me. But I wondered how these spammers were able to impersonate me and whether this spam put me or my friends and readers at risk.

It turns out that impersonating you in an email is about as tough as putting someone else's return address on an envelope. Thankfully, most of this email is harmless, Egan said. The reason they're using your email address is because web servers try to cut down on abuse, so if they see too many Viagra advertisements coming from one address, they'll cut off the sender. The sender then needs to impersonate you or me to send more.

But some of these emails are toxic. They link to a site that asks for your email address and password. And, if you think the email is coming from a friend, you might just bite. Once you do that, every site that remembers you will let the crook in and will let them use your stored credit card information to buy things.

But you have security software and figure that you're protected from these scams? Don't get cocky, Egan adds. You certainly need security software and it will save you from most "malware" attacks. But the number of attempted attacks are soaring at an exponential rate, he said. You could get hit before the security firm finds and defends against your virus, so you need to be careful.

"Ten years ago, we were defining and writing a few dozen virus signatures a week," Egan said. "Now it's 15,000 to 20,000 per day. Over the course of 2009, we wrote 2.5 million new signatures. That's almost half of all the signatures we've written in the past 25 years. That tells you how active the malware community is now."

Another new worry: You go to a local site, such as the site offered by your neighborhood preschool. The site is fine, but when you leave, there's a pop-up message on your screen saying that your computer may be infected. It urges you to click on a button to fix the problem.

The real problem is that somebody has planted a bug on that site, which (unlike your bank) doesn't have a team of security experts keeping it clean. If you click to "fix" the infection, you've just opened the front door to a cyber criminal, Egan said.

"It's the local golf course--the local pizza store," he added. "They all have web sites, but they don't have a security guy on staff. They're pretty easy to infect."

You as a cyber consumer need to be smart enough not to let the crooks into your machine. You do that by keeping your security software up-to-date, of course, but also by using a lot of caution and common sense.

By now, you surely know not to click on links in emails that supposedly come from your bank asking you to "update your account information." But know that the same holds true when you click on a link on a friends Facebook page. Don't go further when that link asks for personal information--even if it's as seemingly innocuous as asking for your email password.

If someone sends an email that requires you to click on a link that asks for additional identifying information, stop. If you think the email is coming from a friend, call them and find out before you go further.

What do you do if you see a pop-up message saying your computer is infected? Don't click it. Run a check with your security software instead.

"It used to be that if you were a fairly careful user and didn't go into the red-light districts of the online world, you were pretty safe," Egan said. "That's not true today."

The warning signs that you're at serious risk: You can't get into your email account, or you notice charges that you didn't authorize on your credit card accounts. You should be regularly checking both your email and your accounts.

You need to be a little paranoid. The criminals aren't targeting you specifically, he added. They're just looking for the path of least resistance. If you provide that path by being a little gullible, your computer and everything on it can be at risk.