Security Strategy

Spyware threat escalating, warn experts

Users are unwittingly relaying more and more sensitive data...

Tags: spyware, anti-spyware

By Will Sturgeon

Published: 11 October 2005 17:10 GMT

Spyware is becoming increasingly pernicious and sophisticated, according to security experts who are warning that users are still failing to take basic steps to protect themselves against the threat.

It's a problem which should scare big businesses as they face up to the fact that important data could be leaking out of their organisations daily. And yet too many organisations are failing to properly educate or protect their employees.

Eric Chien, a senior researcher at Symantec, said: "You'd be surprised at the amount of data these things collect."

Chien said techniques such as screen capture, key logging, behavioural analysis and common word recognition are all methods employed by spyware applications to build a profile of a user. Presenting at the Virus Bulletin conference in Dublin, Chien also detailed the ways in which spyware can get onto a machine.

He said: "At their most basic, they will be able to find your name, your gender, your age, the amount of time you spend online, what you search for, what you buy and what websites you visit."

Chien proved this point by showing the detailed data relayed by one piece of common spyware.

Such applications won't discriminate between personal and corporate data, though the latter tends to be of a far higher value.

Chien also showed conference delegates a more advanced spyware application which is programmed to kick in when any one of hundreds of websites is visited and certain words are encountered on the page.

Such an application, for example, was able to take and relay screenshots whenever the user was on particular retailers' websites where the word 'confirm' appeared.

Chien said: "If you're hitting 'confirm' then what information is going to be visible on that web page? Credit card number, name, expiry date, billing address, shipping address."

And it gets far more worrying for users. The application is also programmed to start sending screenshots whenever users are on any page of certain banks' websites.

And Chien said users shouldn't put too much faith in perceptions of security as presented in 'https' style URLs.

"Some of these applications can read all https traffic," said Chien, though the danger only exists when accessing such sites from an infected machine.

In fact, the only way users can be protected against such threats is to ensure spyware doesn't exist on their computers.

That requires a balance of technical and educational approaches.

Companies should all have anti-spyware protection in place on all machines, but users must also realise the threat posed by activities such as installing non-essential software and clicking on pop-ups from unknown or untrusted sources.

According to research out today from another security vendor, Trend Micro, around a quarter of US employees in both the small business and enterprise sector have fallen foul of spyware while at work.

In total, 87 per cent of respondents said they are aware of a threat posed by spyware while 57 per cent said they want more education on the threat and 40 per cent believe their IT department could be doing more to protect them.
