Spyware/virus is usually installed without a user's knowledge or permission. However, users may unintentionally install spyware without understanding the full ramifications of their actions. A user may be required to accept an End User Licensing Agreement (EULA), which often does not clearly inform the user about the extent or manner in which information is collected. In such cases, the software is installed without the user's “informed consent.” Spyware can be installed through the following methods:
- Downloaded with other Internet downloads in a practice called “bundling.” In many cases, all the licensing agreements may be included in one pop-up window that, unless read carefully, may leave the user unaware of “bundled” spyware.
- Directly downloaded by users who were persuaded that the technology offers a benefit. Some spyware claims to offer increased productivity, virus scanning capabilities or other benefits.
- Installed through an Internet browsing technique called “drive-by downloads.” In this technique, spyware is installed when a user simply visits a website. The user may be prompted to accept the download believing it is necessary in order to view the webpage.
- Prompted to install the program through pop-up windows that remain open, or download the software regardless of the action taken by the user.
- Automatically downloaded when users open or view unsolicited e-mail messages.
Risks associated with spyware/virus
Risks Associated with Spyware/Virus include:
- Exploiting security vulnerabilities or settings, changing the computer configuration to relax security settings or allowing a channel into your system by circumventing the firewall. The result is that attackers can eavesdrop and intercept sensitive communications by monitoring keystrokes, e-mail and Internet communications. This monitoring may lead to the compromise of sensitive information, including user IDs and passwords.
- Providing attackers the ability to control company computers to send unsolicited “junk” e-mail (SPAM) or malicious software (Malware), or to perform denial of service (DoS) attacks against other organizations.
- Draining system resources and productivity and consuming system resources, even when the user is not browsing the Internet, such as when adware results in voluminous unwanted pop-up advertisements.
- Compromising user’s ability to conduct business by disrupting Internet connections as a result of the improper removal of spyware.
- Increasing the incidence of SPAM to e-mail accounts.
- Compromising confidentiality. Certain types of spyware route all Internet communications through their own servers, often without the user's knowledge. This allows a third party to read sensitive Internet communications even when Secure Socket Layer (SSL) or other encryption protocols are used. Other forms of spyware install an application on the user's computer that monitors and records all Internet communications and sends the report back to the originator. Identity thieves may then impersonate the customer using the IDs and passwords collected.
- Increasing vulnerability to “Phishing” and “pharming” attacks, as some spyware can redirect Internet page requests. Phishing seeks to lure a user to a spoofed website using an e-mail that appears to come from a legitimate site. Pharming seeks to redirect a user to a spoofed website by introducing false data into a legitimate domain name server (DNS). The spoofed websites are set up to collect private customer information, such as account user IDs and passwords. In addition, objectionable or inappropriate information received by the customer from redirected websites can ultimately damage the financial institution's reputation.
- Installing and periodically updating anti-spyware, virus protection and firewall software.
- Carefully reading all End User Licensing Agreements and avoiding downloading software when licensing agreements are difficult to understand.
- Not opening e-mail from untrustworthy sources.
Where possible, end-user should take steps to restrict access to sites known to introduce spyware; restrict the ability to download unauthorized software from the Internet; block pop-up ads; block the common ports used to respond to spyware; and implement and monitor an effective anti-virus program. As an end-user, there are steps you can take to defend yourself. Here are a few tips:
- Keep your web browser set to at least a medium level of security (you can check this in Internet Explorer by clicking Tools, then Internet Options, then selecting the Security tab). Don’t allow active code to be run by your browser without your approval.
- Do not download any software unless you know it is from a reputable source. Free software that says it is “ad supported” may actually take control of your system. Check it out first.
- Ensure that browser settings are set to prompt the user whenever a website tries to install a new program or Active X control. Where possible, reject Active X controls to lessen the likelihood that spyware could be installed on computers through normal Internet browsing.