Can 'Legit' Spyware Harm You?

Cops believe identity theft couple used software to get rich.

By ABC News
December 4, 2007, 1:56 PM

Dec. 4, 2007 -- Nearly every week, consumers are haunted by stories of online-identity theft and that 21st century buzzword that strikes fear in the hearts of Web surfers around the world: spyware.

But not all spyware is created by hackers with nefarious plans to steal your Social Security number; some are produced by legitimate companies for employers, concerned parents and perhaps even suspicious spouses.

But according to experts, all the intent in the world won't keep that spyware from falling into the wrong hands.

When a Philadelphia couple were arrested last week for allegedly using high-tech methods for ID theft, authorities found a simple program in their apartment that can be bought online for less than $100: the spyware Spector.

Jocelyn Kirsch, a 22-year-old Drexel University student, and Edward Anderton, a 25-year-old University of Pennsylvania graduate, were arrested Friday afternoon at their $3,000-a-month apartment in one of the city's most upscale neighborhoods, Detective Terry Sweeney of the Philadelphia Police Department's Central Detectives Division told ABC News.

According to Sweeney, in addition to the spyware program, police found two laptops, two PCs and three to four electronic storage drives.

Spector is billed by its manufacturer primarily for businesses. "Record everything they do on the Internet," the site says.

Typically, users can manually download the software onto (ostensibly) their employees' computers. Once installed, it records every keystroke made, every e-mail sent and every Web site visit.

According to Robert Graham, the security executive at Atlanta-based Errata Security, using commercial spyware for more diabolical purposes such as ID theft is fairly simple, even for a crook who isn't so technically savvy.

The most typical way to install something like spyware is via e-mail, Graham said.

"The way they would hack is simply e-mail their victims the program and claim it's a software update, pictures of naked Britney Spears or some sort of nonsense in order to get their victims to run it," Graham said. "Once installed, spyware installs a keylogger and [programs] that monitor online activity. Keyloggers are the most important part of spyware because that's what would give them passwords. Online banking sites that advertise themselves as being 'secure' are only secure against somebody eavesdropping on the network traffic, but they are not secure against somebody eavesdropping on keystrokes."