The breakneck pace of life on the internet means things get outdated rapidly. Consider GIFs. A few years ago, they were all the rage, with people endlessly sharing the moving images with friends, family, and colleagues alike. But nowadays? GIFs are old-fashioned; now, we communicate with actual videos or TikToks.
While this fast-paced evolution is generally benign, it has a darker side too. We are so used to changing things that tech can feel outdated simply because it has existed for a long time. This can make it tough to judge how important a term or trend is.
Take spyware, for example. The word itself is right out of the 90s, something the characters in the movie Hackers would talk conspiratorially about. Spyware is tied to a bygone era; it feels passé, something that can’t possibly impact us today in our technically mature and futuristic society. Right?
Well, here at Assured Intelligence, we had to determine whether this is the case. Is spyware still an issue? And should you be concerned?
“The term refers to malicious software that infiltrates a user’s computer, phone or app, collects data without consent, and transmits it to third parties,” Dr Klaus Schenk, senior vice president of security and threat research at Verimatrix, tells Assured Intelligence.
It can come in various forms, including key loggers and apps that use overlay attacks, all the way to remote access kits that can give hackers complete control over devices.
Dr Schenk explains that the term spyware originated “in 1995 as a satirical reference to Microsoft’s operating system features that increased data collection.” Today, the term has broadened to include various types of malicious software, including those run by governments or law enforcement to monitor citizens.
The one consistent element of all spyware is using technological tools to track your actions against your will.
If there was one common thread across all the experts Assured Intelligence spoke with, it’s that — spoiler — spyware is still rife today. Any feelings or suspicions that spyware is old-fashioned or a harmless sort of hack are entirely misguided.
Nick Guite, the chief security officer at cloud and IT solutions provider SysGroup, tells Assured Intelligence that “spyware is still extremely prevalent today and only seems to be increasing.”
He says there has been a “93% increase in spyware and stalkerware in the UK since lockdown.” This is mainly driven by phishing emails, with Guite adding that 94% of security incidents begin with malicious emails.
Guite says this isn’t just an issue for the general public, as businesses are often in the crosshairs for bad actors using spyware.
Interestingly, many experts had differing opinions on this. While they all agreed that spyware remains an overall danger, they varied on precisely who or what was at most risk.
“Ordinary individuals need not be overly concerned about spyware, as attackers primarily focus on individuals of strategic interest,” says Borja Rodriguez, threat intelligence lead at Outpost24, a cyber risk management platform.
For example, he pointed to the Spanish government’s recent use of the Pegasus spyware toolkit to monitor Catalonian politicians pushing for independence. “Other victims affected by this form of spyware include politicians, heads of state, business executives, activists, and members of various Arab royal families,” Rodriguez says.
This is part of an overall trend. Hackers using spyware now tend to focus more on corporate or governmental targets.
“With Industry 4.0, cyber criminals are shifting away from personal attacks to organisations that rely on IoT devices,” says Rob Cottrill, technology director at ANS, a UK cloud services company. Industry 4.0, for those unfamiliar with the concept, refers to the ongoing automation and digitalisation of manufacturing processes.
But what about individuals being targeted? Cottrill believes the objective is to use their information “in the realms of government espionage and corporate warfare.”
While neither Rodriguez nor Cottrill claims that individuals are totally safe from spyware, both note that the pendulum is swinging towards organisation-centric targets rather than members of the public.
Despite this, some experts we spoke with had differing opinions.
For example, in our conversation with Paul Bischoff, consumer privacy advocate at cybersecurity research firm Comparitech, he talks through some of the spyware currently on the market. While this includes software that concentrates on businesses, such as “info stealers [exfiltrating] data from corporate servers,” much of the spyware he mentions remains focused on the public. This includes “apps used to spy on romantic partners” and “parental monitoring software.”
This isn’t the only type of spyware impacting the public. Guite from SysGroup points towards the rise of “zero-click spyware” as another example. This technology can lead to people having their “personal and credit card information stolen, which may then be used by criminals to commit fraud and identity theft.”
So while the big money and opportunity may be with corporations and governments, this doesn’t mean that Joe and Josephine Bloggs are safe from spyware. Any consideration of it being a thing of the past or nothing to worry about is just wishful thinking.
At this point, you’d be forgiven for thinking that hackers will eventually stop focusing on the public altogether and instead concentrate solely on the more lucrative corporate market.
Nice thinking, but that’s deeply unlikely.
“The advent of mainstream AI could make launching spyware attacks easier, lowering the bar for less experienced hackers,” Bischoff says. This could lead to more frequent and sophisticated spyware attacks, with bad actors putting in minimal effort to hoover up vast amounts of data.
While this has benefits for corporate hacking too, it’ll make ripping off random people’s credit card information a breeze compared to today.
Regarding the evolution of organisational attacks, Cottrill from ANS believes the future of spyware will include targeting “IoT and autonomous manufacturing” companies, as well as “more high-profile attacks” in general. He believes this will lead to government pressure on commercial firms to educate their workers on the dangers of spyware.
Dr Schenk from Verimatrix gives a litany of advice to this point, saying that everyone should use “reputable antivirus software,” “[practise] responsible app installation habits and [rely] on trusted sources,” and “keep operating systems, software, and security applications up to date with the latest patches and updates.”
The short answer is yes, but there is a caveat.
It’s true that hackers are now more focused on using spyware against businesses and governments rather than random people. However, they still often need to target individuals to reach those targets. This means that if you work at an organisation that could be attractive to bad actors, you could be in danger.
On top of that, in the coming years, the evolution of AI and similar technologies will lower the barrier of entry for using spyware, making it easier for low-skill hackers to use it against large swathes of the public.
The techniques for keeping yourself safe from spyware are similar to any other sort of online security. If you practise good cyber hygiene, are mindful of who and what you interact with, and keep your wits about you — the same processes that keep you protected from hackers — you should remain safe from spyware.
Yes, the internet moves at a breakneck pace, but don’t forget: the more things change, the more things stay the same. Spyware isn’t going anywhere.