On the Fast-Moving Web,
Keep Up With Spam Scams
August 28, 2007; Page B4
 
One of the responsibilities of all conscientious Web users involves keeping up with new spam scams. Beyond wasting your time with worthless pills or get-rich-quick schemes, unsolicited junk emails may be trying to steal your personal information or turn your computer into a spam-spewing "zombie."
 
Spam methods evolve quickly. A method that might have been popular a year ago has attracted the attention of security companies and thus no longer works. Accordingly, hackers are always coming up with new tricks, as Michael Berman, chief technology officer of security firm Catbird, explains.
* * *
 
There seems to be a lot of spam these days telling me that someone I've never heard of has sent me a greeting card.
 
Yes, we are seeing a tremendous upsurge in greeting-card spam. It's meant to exploit your system by having you download a special program. I definitely don't recommend doing that. Anything could be happening. The program might be a keystroke logger that records your passwords or other information about you, and then sends it to the hacker. Or, the program, for example, may want to zombie your system and make it a part of a "bot" network. That's a network of many thousands of computers under the control of a single person, who uses the network primarily to send out more spam. There are people who do nothing but infect computers to add them to their collection of bots, which they then take to market to sell to other bad guys.
 
Are there other new kinds of spam?
 
Social-networking spam is another new one. That's where a spammer checks your Facebook or Myspace page, figures out who your friends are, then sends email to you pretending to be your friends. You'll get a message from someone you think you know saying, "I strongly recommend this really cool Web site." Some research suggests that some social-networking scams have a 20% success rate, much more than regular spam, because so many people think it's really from a friend.
 
What's the story with all those penny-stock promotions?
 
These are called "pump and dump" scams. All they need to do is for a few people to fall for it and buy the stock. If spammers send out a million messages, and 2% of the people buy the stock, it will go up. But the spammers bought the stock first, and so they can ride it up. Of course, the SEC can figure out who bought the stock ahead of time.
 
Why is it a good thing to change the password of a router, like for a wifi network?
 
Routers usually have the same default logon name and password. Some hackers take advantage of this and plan attacks that try to use these default names to compromise your router. If they do that, they might be able to then tell your router to take Web requests for, say, your bank, but send them somewhere else, like a Web site they control. If you change your password, you are protected from these sorts of attacks.
 
Besides keeping your software up-to-date and fully patched, any other suggestions?
 
It's always better to type in the URL from an unfamiliar email by hand, in the browser URL window, rather than just clicking on the link in the email. What you see in the email is not necessarily where you are going. Even if you mouse over the URL, and then look at the bottom left of the browser, that doesn't always give you the real URL. From time to time, browsers have had defects that allowed that bottom left URL to be masked by a hacker. So don't assume that what is down at the bottom of your browser is correct.
 
Also, of course, if an offer looks too good to be true, it is.
 
Write to Lee Gomes at lee.gomes@wsj.com