More insidious are the variants that violate a user's privacy by tracking Website visits and tailoring pop-ups to keywords that the user has typed into search engines, E-mail, or documents. Some spyware takes this practice, known as keylogging and tracing, to new levels. These programs not only track your every move online, but also collect information about you, your customers, and your company based on anything you might type into your computer, be it your credit-card number, Social Security number, bank-account information, log-in name, passwords, or other information. It can all be neatly collated and sent off without your knowledge. This can be frightening enough for a consumer, but for a company, the risks are severe, with everything from customer trust to legal penalties at stake.
And then there is the financial risk. In March, Britain's Hi-Tech Crime Unit foiled an attempt by hackers to steal $403 million from the London offices of the Japanese bank Sumitomo Mitsui. The hackers had placed a keylogger on the bank's system and were using it to trace account numbers. They were caught when one of them attempted to transfer $25.5 million from one account to another.
The shift in emphasis that spyware represents — away from bringing systems down and toward gaining financial advantage — was recently in evidence at Cornell University. Colleges have long been a popular destination for hackers of all kinds (particularly students), who heretofore have been happy to crash networks or perhaps tinker with transcripts. But Cornell recently detected a spyware program in a less likely spot: the pro shop at the university's golf course, where a keylogging program was detected on a point-of-sale system. Fortunately, says Ricky Stewart, Cornell's computer service manager, "it was caught by antispyware software before it could be used. The system takes in people's credit-card data, so someone could have gotten a lot of information if they had gotten into it."
The war against spyware is being fought on several fronts: in the courts, in Congress and various statehouses, and on the desktop and enterprise level, where antispyware software programs are doing a booming business.
California and Utah have passed antispyware laws, but both have been challenged (Utah's successfully). There are also three pending bills before Congress that seek to put the lid on spyware, much as the CAN-SPAM Act has tried (unsuccessfully, many critics say) to rein in junk E-mail. In October 2004, the Federal Trade Commission filed suit against a collection of spyware makers, including Mailwiper and Seismic Entertainment Productions, and has since added five more defendants to the case. Also in April, New York Attorney General Eliot Spitzer filed suit against Los Angeles-based Intermix Media, claiming that its downloads were installed on users' machines without their consent, constituting deceptive business practices and false advertising. Spitzer was said to be interested in a nationwide solution; the programs were downloaded nearly 4 million times in New York alone.
I Spy a Loophole
Unfortunately, few people expect legal solutions to strike fear into the hearts of these cyberspies because there is simply too much money to be made. Digital security firm Aladdin Knowledge Systems estimates that more than 70 percent of former virus developers are now getting paid to write spyware applications for companies and criminal elements. Many of these mysterious developers are based offshore and have created dozens of shell companies to distribute legal responsibility and make it almost impossible to contact them, let alone file suit against them. "Legislation and lawsuits will not help," says Shimon Gruper, vice president of Aladdin's eSafe business unit. "Spyware vendors will simply move out of the United States. Bad deeds can be done from anywhere, and they will continue to bypass legislation, as they did with spam."
Indeed, spyware developers have even gone on the offensive by filing suit against antispyware companies for classifying their applications as spyware, and in some cases, these suits may be on solid legal ground. After all, spyware is often lodged on a computer only after the user clicks "OK" on a pop-up screen, effectively agreeing to confusingly worded messages that green-light the installation of the program.
Meanwhile, many online advertisers and legitimate Websites that track users with cookies (information that a Website puts on a user's hard disk so it can remember that user at a later time) have been lobbying Congress to tone down pending antispyware bills, because they fear the definition of spyware used in the legislation may be too broad. As CA's Curry says, "There are a lot of companies bringing a great deal of resources to bear. You don't see virus writers lobbying up on Capitol Hill. This is going to be a much bigger fight in the long run."
If looking to the courts or government intervention for help against spyware seems futile, looking to software manufacturers is far from a silver bullet. Until recently, spyware detection and removal was usually included as an add-on to existing antivirus solutions, such as those from McAfee, Symantec, Aladdin, Lavasoft, and others. Most of these are fairly effective at detection but not cleaning at the desktop level. IT staffs have deemed them difficult to install and support across hundreds and thousands of desktops in large companies. In fact, most IT managers have had to deploy a combination of applications in an attempt to plug up all possible spyware entry points.
Reader Comments» Post a comment