Any software downloaded to a user's device without authorization can be classified as spyware. Even spyware programs installed for innocuous reasons often violate end user privacy agreements and have the potential for abuse.
Spyware is a cyber threat, primarily due to the risk of exposing personal information, credit card numbers, protected health information (PHI), keystrokes, personally identifiable information (PII) or login credentials.
How Does Spyware Work?
In its least damaging form, spyware runs in the background creating unwanted CPU activity, disk usage, hindered Internet connections, stability issues, application freezes, failure to boot and system-wide crashes.
These infections may not be evident to users, who assume the performance issues are related to faulty or outdated software, installation problems or a different malware infection. This can result in technical support costs and in users buying a new computer because their existing system has become too slow.
More aggressive forms of spyware reset browser homepages, open pop-up ads, redirect web searches and impact browser security.
At its most damaging, spyware tracks all computer-related activity and exposes sensitive data such as passwords, credit card numbers and banking details, aiding identity theft, corporate espionage or further cyber attacks.
Some types of spyware will disable firewalls and antivirus software, reduce browser security settings and open up new attack vectors. Aggressive variants aim to disable or remove competing spyware programs to decrease the likelihood the victim will take action or invest in a spyware removal tool.
What Devices Can Be Infected By Spyware?
Spyware can infect PCs, Macs, iOS, Android, Unix and many other operating systems, with Microsoft Windows representing the largest cybersecurity risk because the majority of spyware creators target those machines. This has been driven by Windows' widespread popularity over Apple and other Unix-based operating systems.
How Do Spyware Infections Happen?
Spyware is distributed in a number of ways.
A common method is to trick users into visiting a malicious website, through email, text messages, pop-ups or ads.
Users can even become infected when they take no action. In some situations, infected ads are delivered to would-be victims via a legitimate website in a practice known as malvertising.
Or users might download legitimate software with spyware bundled with it, such as when mobile spyware is bundled in with legitimate apps and slips through Google and Apple's screening processes, ending up on the Google Play or App Store.
It's important to understand that spyware doesn't necessarily spread in the same way as other types of malware or computer worms. In general, spyware is not concerned with transmitting or copying itself to other devices.
Rather, spyware installs itself by deceiving the user, bundling itself with desirable software or exploiting vulnerabilities in web browsers and operating systems. Internet Explorer is a frequent target due to its popularity, history of security issues, deep integration with the Windows operating system and Browser Helper Objects, which allow attackers to modify the browser's behavior. These vulnerabilities are often well known, patched and listed in the CVE database.
What are the Types of Spyware?
Spyware can be classified into nine categories:
- Adware: Any software that displays advertisements while the program is running, often in a web browser or as pop-up ads. Adware is typically bundled with freeware or piggybacks on another program to trick you into installing it on your computer, tablet or smartphone.
- Trojan horse: Any program that misleads users of its true intent by masquerading as a legitimate program. The term is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy. Trojans typically spread through social engineering, infected email attachments, phishing and spear phishing campaigns. Once installed, trojans can expose sensitive data and carry out additional cyber attacks like ransomware.
- Keyloggers: Keyloggers are a type of system monitoring software used by cybercriminals to steal personally identifiable information (PII), protected health information (PHI) and enterprise data to use in identity theft and corporate espionage. Keyloggers are also used by employers to observe employees' computer activity, parents to supervise a child's internet usage, device owners to track unauthorized activity, law enforcement agencies for digital forensics or competitors for industrial espionage.
- Stalkerware: Typically installed on mobile devices so that a third party can track the phone owner's activity and location.
- Stealware: Intercepts requests, often for online payments, and steals the victim's credit card information.
- System monitors: Records activities on a device, from keystrokes and emails to websites visited and programs launched. System monitors can be used by cybersecurity teams to monitor a system's processes, identify vulnerabilities, install software programs, plugins, security software or antivirus software, adjust security settings and remotely wipe hard drives. Cybercriminals can also use system monitors to exploit those same attack vectors.
- Web beacons: Used to unobtrusively track whether a user has accessed a piece of content, generally used for web analytics, page tagging or email tracking. Web beacons allow companies to track the online behavior of users.
- Mobile spyware: Generally spreads through smishing, infected apps or text messages that exploit a vulnerability and don't require user interaction to execute. Once infected, smartphones or tablets can expose the user's location, camera, microphone, phone calls, keystrokes and browsing activity.
How to Prevent Spyware
As the threat of spyware has increased, so too have the number of techniques to counteract it. Some best practices include:
- Monitoring for leaked credentials, data leaks and data breaches
- Only downloading software from trusted sources
- Reading all disclosures when installing software
- Avoiding interaction with or blocking online advertisements
- Keeping operating systems and other software up-to-date to avoid known vulnerabilities
- Using the principle of least privilege and access control to limit what types of software can be installed by users
- Investing in cybersecurity awareness training to educate staff about the dangers of social engineering, phishing and spear phishing campaigns that may be used to deliver infected email attachments
- Using DMARC to minimize the risk of email spoofing
- Avoiding pirated media including games, movies and music
- Using two-factor authentication and/or biometrics
- Investing in reputable anti-spyware, antivirus and cybersecurity software
- Requiring remote workers to use a virtual private network to prevent man-in-the-middle attacks before accessing network resources
- Following the NIST Cybersecurity Framework
- Developing an information security policy and information risk management program
- Employing a defense in depth strategy that covers information security, data security and network security
One important, often overlooked part of preventing spyware infections is vendor risk management. Your internal security standards are only as good as your worst service provider's; just look at what happened to Target when one of its HVAC vendors was infiltrated. Third-party vendors introduce third-party risk and fourth-party risk that you need to monitor and, where possible, mitigate.
Start by developing a vendor management policy, third-party cyber management framework and vendor risk assessment questionnaire template. If you don't have the expertise internally, consider investing in vendor risk management software that can help you automate vendor risk management, rate your vendors against 50+ criteria and provide a security rating so you know who your most at risk vendors are. Information risk management can't stop with your organization.
How to Detect and Remove Spyware
Spyware can be difficult to detect because it is designed to be deceptive and hard to find. Often the first indication of a spyware infection is reduced processing power or Internet speed; for mobile spyware, it is unexplained data usage and reduced battery life.
Anti-spyware programs exist to:
- Provide real-time protection in a manner similar to antivirus software, scanning all incoming network data for spyware and blocking any potential threats
- Detect and remove spyware programs that are already running on the computer
They do this by examining the contents of the Windows registry, operating system files and installed programs, and by looking for behavioral signatures that match known spyware.
These tools frequently update their database of threats to keep up with new spyware cybercriminals create.
Further, ISPs and network administrators may use firewalls and web proxies to block access to websites known to install spyware, monitor the flow of information going to and from a networked computer and install hosts files to prevent computers from connecting to spyware-related web addresses.
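The hosts file is both a defensive tool (an administrator can point spyware-related names at 0.0.0.0 so they resolve nowhere) and a target (CoolWebSearch, listed below, rewrites it to redirect DNS lookups). As an added example, not UpGuard's code, the following Python script audits a hosts file the way a detection tool would: it separates stock loopback entries and blocklist-style sinkhole entries from entries that send a real domain to a remote address, which are the ones worth reviewing. The sample hosts content is constructed; the file path in the comment is where the file lives on Windows and Unix-like systems.

```python
import ipaddress

# Constructed sample hosts file (not captured from a real machine). It mixes
# stock loopback entries, an administrator-installed blocklist entry and a
# hijack-style entry that points real domains at a remote address.
SAMPLE_HOSTS = """\
# stock entries
127.0.0.1   localhost
::1         localhost
# blocklist entry: send a tracker domain nowhere
0.0.0.0     ads.example-tracker.test
# suspicious: well-known names resolved to a remote IP instead of real DNS
203.0.113.7 www.example.com search.example.org
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries

def classify(ip, name):
    """Label one entry: local, sinkhole (blocklist), hijack or malformed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if addr.is_loopback and name in ("localhost", "localhost.localdomain"):
        return "local"
    if addr.is_loopback or addr.is_unspecified:
        return "sinkhole"  # name deliberately sent nowhere: expected for a blocklist
    return "hijack"  # name sent to a real address: compare against legitimate DNS

def audit_hosts(text):
    """Group every entry by label so hijack candidates can be reviewed."""
    report = {"local": [], "sinkhole": [], "hijack": [], "malformed": []}
    for ip, name in parse_hosts(text):
        report[classify(ip, name)].append((ip, name))
    return report

if __name__ == "__main__":
    # On a live system read C:\Windows\System32\drivers\etc\hosts or /etc/hosts
    for ip, name in audit_hosts(SAMPLE_HOSTS)["hijack"]:
        print(f"review: {name} -> {ip}")
```

Entries flagged as hijacks are not necessarily malicious (an intranet override is legitimate), so the output is a review list, not a verdict.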
Another option is to reset the computer to factory settings; this approach requires important data to be backed up and configuration management to be in place.
What are Examples of Spyware?
- CoolWebSearch: A group of programs that take advantage of Internet Explorer vulnerabilities, directing traffic to advertisements, displaying pop-up ads, rewriting search results and altering the infected computer's hosts files to direct DNS lookups to different sites.
- FinFisher: A high-end surveillance suite sold to law enforcement and intelligence agencies. FinFisher can be covertly installed on computers by exploiting slow patching procedures.
- Gator: Commonly found in file sharing software, Gator monitors victims' web activities to present them with more targeted advertisements.
- GO Keyboard: A virtual Android keyboard app that transmits personal information to its remote servers without user consent including Google email, language, IMSI, location, network type, Android version and device model.
- HuntBar: Installed through an ActiveX drive-by download or by advertisements displayed by other spyware programs, adding toolbars to Internet Explorer, tracking browsing behavior, redirecting affiliate references and displaying advertisements.
- Internet Optimizer: Redirects Internet Explorer error pages to advertising.
- Look2Me: As both a rootkit and spyware, Look2Me hides inside system-critical processes and starts up in safe mode.
- Onavo Protect: Used by Facebook to monetize user habits within a privacy-focused environment, criticized because the app did not prominently disclose that it was owned by Facebook.
- Zango: Transmits information to advertisers about the user's browsing patterns and alters HTTP requests for affiliated advertisements to make its creator profit.
- Zlob: Downloads itself to a computer via an ActiveX Codec and sends search history and keystrokes to a control server.
- Zwangi: Redirects URLs typed into the browser's address bar to a search page at www.zwangi.com.
How UpGuard Can Improve Your Organization's Security
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.