Spyware: What It Is and How to Protect Your Organization against It

While privacy features like end-to-end encryption have made users’ apps and services more secure, they have also made it harder for governments and law enforcement agencies to monitor criminals, terrorists, and people of interest. Then, in 2019, NSO Group, an Israeli tech firm, introduced a new product called Pegasus – spyware that can enter a smartphone without the user’s knowledge, access all material and information on it, and relay the data back to the controller. It can also perform real-time surveillance by secretly activating the phone’s camera and microphone. NSO stated that this technology would be sold strictly to governments to prevent terrorism and other serious offenses.

However, in July 2021, Pegasus made headlines when major news outlets received a list of around 50,000 phone numbers. These numbers seemed to belong to persons of interest from NSO’s clientele and included several rights activists, prominent journalists, lawyers, politicians, business executives, and royal family members. Further investigation showed that 37 phones from the list had been infected in some form by the spyware.

Let’s delve into the concept of spyware: what it is, the different types, and how to minimize the risk of spyware and secure your organization.

What is spyware and how does it spread?

Spyware is a type of malicious software, usually installed on a device without the user’s knowledge, that spies on the user, gathers their personal information, and transfers it to the attacker. Any device that can be connected to the internet can potentially be targeted.

Once spyware is installed, threat actors can use the collected information to commit data or identity theft, or sell it to data brokers or other third parties looking to make a profit. Additionally, spyware can cause lasting damage to the targeted device and its parts.

Spyware can enter devices through various vectors:

  • Social engineering methods such as phishing or spearphishing. Here, spyware can be installed on a target’s device by tricking them into clicking on a malicious link that is sent through SMS or email.
  • Downloading any file or material from the internet. Spyware can be unintentionally installed through bundled software packages as well as through pirated or torrented movies, music, and other types of media.
  • Sometimes, threat actors exploit vulnerabilities in the software, web browsers, and operating systems of devices to gain access to them and install spyware. If this is done when the vulnerability is still unknown to the user, it is called a zero-day attack.

If a device doesn’t run at the normal speed, constantly crashes, is bombarded by pop-ups, or is randomly running out of storage space, there is a good chance that it is infected with spyware.

Types of spyware

Spyware is versatile and comes in different forms. Here are some of them:

Adware is a type of spyware that is found on websites, usually in the form of pop-up advertisements. It can monitor and gather information about the target’s online activity so as to market similar items to them or sell the information to data brokers without user consent.

Similar to adware, tracking cookies monitor users’ online activity. They use this information to present targeted ads and entice users into purchasing products.

Trojans are malicious programs that are disguised as legitimate software. Once downloaded, they can be controlled by third parties that will infiltrate the target device to steal, delete, or encrypt files. Flash Player and Java are common ways of delivering trojan spyware.

Keyloggers, also known as system monitors, are software that records every keystroke, search query, site visit, password, and program run on a device. Once a keylogger is installed, cybercriminals can spy on their targets and gain access to all the recorded information to perform malicious actions.

Mobile spyware can infect smartphones through SMS or MMS. Once infected, the spyware can monitor the target’s browser activity, gain access to all material on the device, track location, and even turn on the camera and microphone to secretly record the victim.

In browser hijacking, changes are made to users’ browser settings without their consent. Through this method, attackers can insert and install unwanted material, redirect search queries to certain websites to generate greater ad revenue, access sensitive information like passwords and credentials, and so on. 
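Because browser hijacking works by changing settings, it can be caught by comparing each device's browser configuration with an approved baseline. The following is an added example, not part of the original article; the field names, hosts, extension IDs, and device snapshots are constructed for illustration and would need to be mapped to whatever your browser management or MDM tool exports.

```python
from urllib.parse import urlsplit

# Approved baseline (constructed; hosts and field names are hypothetical).
BASELINE = {
    "homepage": {"intranet.example.com"},
    "search_url": {"www.google.com", "duckduckgo.com"},
    "extensions": {"ext-password-manager", "ext-adblock"},
}

def host_of(value):
    """Return the lowercase host of a URL-like setting ('' if unset)."""
    if not value:
        return ""
    # urlsplit only fills .hostname when a network location is present.
    parts = urlsplit(value if "//" in value else "//" + value)
    return (parts.hostname or "").lower()

def audit_snapshot(device, snapshot, baseline=BASELINE):
    """Compare one device's browser settings with the baseline.

    Returns a list of (device, setting, observed) findings. A missing
    setting is reported with an empty host rather than silently passed.
    """
    findings = []
    for key in ("homepage", "search_url"):
        host = host_of(snapshot.get(key, ""))
        if host not in baseline[key]:
            findings.append((device, key, host))
    unknown = set(snapshot.get("extensions", [])) - baseline["extensions"]
    for ext in sorted(unknown):
        findings.append((device, "extension", ext))
    return findings

# Constructed sample snapshots, one per managed device.
SNAPSHOTS = {
    "laptop-01": {"homepage": "https://intranet.example.com/start",
                  "search_url": "https://www.google.com/search?q={q}",
                  "extensions": ["ext-adblock"]},
    "laptop-02": {"homepage": "http://search-portal.example.net/",
                  "search_url": "https://find.example.net/r?q={q}",
                  "extensions": ["ext-adblock", "ext-coupon-helper"]},
}

def audit_all(snapshots=SNAPSHOTS):
    """Audit every device and return all findings in device order."""
    return [f for dev in sorted(snapshots)
            for f in audit_snapshot(dev, snapshots[dev])]

if __name__ == "__main__":
    for device, setting, observed in audit_all():
        print(f"{device}: unexpected {setting}: {observed!r}")
```
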

Infostealers scan infected computers and steal sensitive information like passwords, credentials, email addresses, browser history, files, documents, as well as media content. They usually exploit browser security vulnerabilities in order to gain access to personal data.

CoolWebSearch, Gator, Emotet, Zlob, and TIBS Dialer are some well-known examples of spyware.

How to protect your organization from spyware

Although spyware doesn’t target a particular kind of victim, organizations can be adversely affected by these attacks. While spyware cannot be prevented entirely, establishing strong cybersecurity protocols in your organization can greatly reduce the risk of spyware attacks.

  1. Educate your employees about spyware and the damage it can do. Advise them about good and safe online behavior so as to reduce the risk of security breaches. Make sure they understand the importance of being cautious of the websites they visit and the cookies they consent to. While it may be tempting and convenient to accept “all cookies”, explain why this should be done only on trusted websites. Urge them not to click on any pop-ups that may appear while they are browsing online. The same goes for suspicious links that they may receive in emails or texts. 

Regular training and testing should also be conducted to ensure that they are aware of the cyber safety protocols to be followed.

  2. Implement several strong security controls like antivirus, antimalware, firewalls, different types of encryption, and multifactor authentication from reputable sources. Additionally, install good anti-spyware programs that can scan and alert you if your device has spyware on it.
  3. Keep all device applications and software updated with the latest security patches to eliminate any vulnerabilities that cyber attackers could use to their advantage. Invest in endpoint detection and response (EDR) programs and mobile device management (MDM) to further reduce security risks.