Who doesn’t love a good spy thriller? From James Bond to Jason Bourne, the espionage fiction genre has been a favorite of readers and movie-goers since the 1800s. It’s all fun and games until you find yourself in the middle of your own private spy story as the person (or company) that’s the victim of the surveillance.
It happens all the time, but unless you’re working on a top secret government project (and even if you are), the most likely scenario today isn’t some dashingly handsome undercover intelligence agent stalking you on the street; it’s a piece of software surreptitiously gathering confidential data from your computer, smart phone, or other electronic device.
There are many different types of software programs that can be used to covertly obtain information about a computer and its user, but they’re commonly lumped together under the broad category labeled spyware. Examples of subcategories include trojans, keyloggers, web beacons, tracking cookies, rootkits, and various types of programs that send your data “home” to the malware authors or attackers who distribute them.
You might think spyware is something that only happens to grandmas who don’t know to keep their personal computers updated or reckless kids who download pirated music, but it’s actually a major problem in the corporate world, too. Spyware can infect the systems of everyone from company CEOs to clerical employees, and even the IT staff. Many spyware distributors are sophisticated and technically savvy, and there are many different ways for them to get their malicious software into a system.
When some people think about spyware, they envision a suspicious spouse appropriating the husband’s/wife’s phone and installing a tracking app, or an unethical employee who’s been “bought off” by the competition bringing a USB thumb drive to work to download a spy program onto the company network. Of course, spyware can be installed that way, but physical access to or possession of the device is not required. The most common way to install spyware is remotely, with the attacker never needing to touch the target device.
One very common way to get spyware onto a system is through a “drive-by download.” Users don’t have to do anything to initiate the download of the malware other than go to the URL of the web site that hosts it. Thus, the user usually isn’t even aware that any software has been downloaded and installed. The web site may be one that’s put up by the attacker – often a fake copy of a legitimate site to which the user was directed via phishing email.
Other times, the site is the real site of a legitimate business that has been compromised without the knowledge of the site owner, and the attacker has put the malicious code on the site via advertising or other user-uploadable features. In addition, spyware may be sent via email attachments or as macros in Office documents. Even PDFs can contain malicious code, and it can be embedded in graphics files, too. Another vector for malware is to “piggyback” on an application that the user knowingly installs – especially freeware or shareware that isn’t rigorously tested.
Circling back around to physical access, another method is to infect a thumb drive or removable disc with spyware code so that it installs when a user inserts it into the computer to find out what’s on it. These are only some of the ways that spyware finds its way onto a particular system or device.
Many attackers don’t particularly care who their victims are; they just want to collect as much data from as many people and organizations as possible. They can sift through it later to determine what might be valuable (to sell, for blackmail purposes, or otherwise). They use a “shotgun approach” to distribute the spyware, and any compatible, unprotected device that comes into contact with it is fair game.
In other cases, an attacker wants information pertaining to a particular individual or company, and specifically targets the chosen victim. This is the case in corporate espionage, private investigators or DIY investigators, and in some cases law enforcement agencies. In one famous case earlier this year, users of the WhatsApp communications tool for iOS and Android that’s owned by Facebook were the subject of targeted spyware campaigns.
Perhaps the most worrisome to enterprise and SMB IT staff and management is the use of spyware in the course of corporate espionage – the practice of spying on competing companies to gather “competitive intelligence.” There is a fine line between the legitimate compilation of information about competing products to identify strengths and weaknesses of your own products/services to improve them – or creating comparisons for marketing purposes – and ferreting out confidential information pertaining to competitors’ offerings and future plans. Spyware can play an important role in the latter.
Even if your business isn’t the target of corporate espionage, randomly installed spyware on your network can have a number of detrimental effects. It puts the personal information of your employees and customers at risk of disclosure, and this can result in your organization being in violation of regulatory compliance standards that mandate protection of such personal data, such as the GDPR, HIPAA, and many others.
Less severe but also significant threats associated with spyware on the company network include loss of productivity as spyware slows down systems and in some cases can make them inoperable.
Protecting the business network and computers against spyware involves a multi-pronged approach that includes both technological and human factors. Antispyware solutions are available, but as with antivirus and other antimalware software and services, they can diminish but can’t completely eliminate the threat of spyware. Standard security best practices, including strong authentication and access controls and limitations on the installation of software, help form a foundation for keeping spyware at bay.
Since spyware, like other malware, frequently takes advantage of vulnerabilities in operating systems and applications, ensuring that all systems are current on security updates is another key element in an effective antispyware strategy. Good patch management goes a long way toward protecting against all types of cyberthreats, including spyware.
You can configure perimeter firewalls to block known unsafe web sites and restrict downloading of content, and/or deploy antispyware technology at the gateway as well as on individual machines.
Since spyware is usually installed, either inadvertently or deliberately, by users who have legitimate access to the network, user management is another important and often overlooked aspect of protecting against spyware. User education comes first; make users aware of the threat both to the company and to themselves, and instruct them in safe use of web browsers, email, etc. Restrict which users can install software and make those with authorization aware of “piggy-backed” malware and the importance of reading EULAs carefully. Don’t make the mistake of assuming that because they’ve been using computers for many years and have mastered the applications they use to get their jobs done, all employees are also security-conscious.
Disgruntled employees are more likely to deliberately install spyware, either on their own initiative or at the (usually paid) behest of unethical competitors. Thus, treating employees well not only increases the likelihood that they will give their best job performance but also decreases the chances that they will intentionally introduce spyware to your network. However, some may be tempted by offers from competitors even when well treated. As the saying goes, trust but verify. Monitoring what employees do on the network, installation of software, and web sites they visit is standard practice and can help prevent both intentional and unintentional spyware installation.
Spyware is one of many malware threats that can impact your organization in both small and large ways. It is important to be aware of its many variants and have a plan in place to protect against them.