Can 'Legit' Spyware Harm You?

Nearly every week, consumers are haunted by stories of online-identity theft and that 21st century buzzword that strikes fear in the hearts of Web surfers around the world: spyware.

But not all spyware is created by hackers with nefarious plans to steal your Social Security number; some are produced by legitimate companies for employers, concerned parents and perhaps even suspicious spouses.

But according to experts, all the intent in the world won't keep that spyware from falling into the wrong hands.

When a Philadelphia couple were arrested last week for allegedly using high-tech methods for ID theft, authorities found a simple program in their apartment that can be bought online for less than $100 — the spyware Spector.

Jocelyn Kirsch, a 22-year-old Drexel University student, and Edward Anderton, a 25-year-old University of Pennsylvania graduate, were arrested Friday afternoon at their $3,000-a-month apartment in one of the city's most upscale neighborhoods, Detective Terry Sweeney of the Philadelphia Police Department's Central Detectives Division, told ABC News.

According to Sweeney, in addition to the spyware program, police found two laptops, two PCs and three to four electronic storage drives.

Spector is billed by its manufacturer primarily for businesses. "Record everything they do on the Internet," the site says.

Typically, users can manually download the software onto (ostensibly) their employees' computers. Once installed, it records every keystroke made, every e-mail sent and every Web site visit.

According to Robert Graham, the security executive at Atlanta-based Errata Security, using commercial spyware for more diabolical purposes — such as ID theft — is fairly simple, even for a crook that isn't so technically savvy.

The most typical way to install something like spyware is via e-mail, Graham said.

"The way they would hack is simply e-mail their victims the program and claim it's a software update, pictures of naked Britney Spears or some sort of nonsense in order to get their victims to run it," Graham said. "Once installed, spyware installs a keylogger and [programs] that monitor online activity. Keyloggers are the most important part of spyware because that's what would give them passwords. Online banking sites that advertise themselves as being 'secure' are only secure against somebody eavesdropping on the network traffic, but they are not secure against somebody eavesdropping on keystrokes."

Because a lot of more educated consumers are wary of opening attachments or clicking on links, hackers who know their victims are often more successful, Graham said.

"If you know more about your victim, then it's easier to get your victim to click," he said, because you know what your victim's interests are.

That may have been the case in at least one instance for Kirsch and Anderton. The arrest, which Sweeney described as the proverbial tip of the iceberg, followed a Nov. 19 report by one of their neighbors, who said she feared she had been the victim of identity theft.

The woman, according to police, had received a notice from a local UPS about a package waiting for her from a British retailer that she had never ordered from.

According to Graham, commercial programs like Spector make hacking easier, especially for people who don't know what they're doing.

  • 1
  • |
  • 2
Join the Discussion
blog comments powered by Disqus
You Might Also Like...