ITU Offers Information on Spyware and Computer Scams

Posted: October 6, 2004 at 1:00 am, Last Updated: November 30, -0001 at 12:00 am

By Kurt Ankeny-Beauchamp

Recent television ads and awareness campaigns show that the Internet is a powerful tool for people looking to defraud and steal from others, and this type of computer abuse is increasing. Some of the problems involve “spyware” and “phishing.”

George Mason employee Susan Stockwell, director of administrative services for the Information Technology Unit (ITU), found out firsthand how invasive spyware can be when she attended a class presented by Cathy Hubbs, IT security coordinator. After the class, Stockwell tried out her new knowledge on her office computer and found a “Trojan horse,” a program that allows hackers back-door access to a computer. She then went home and tested her home computer. She found seven more Trojans lurking there.

“I have teenagers, so our family gets into everything online,” she says. Stockwell’s experience is not unique. Many people are finding that their computers are being redirected or appropriated for hackers’ ends.

“Spyware” is Internet jargon for advertising supported software, or adware, Hubbs explains. Applications such as freeware, shareware, cookies, and other Internet goodies may contain spyware. Spyware is a small program, usually embedded in a larger application, which allows the developers of the applications to collect and disseminate information about the machine the spyware is installed on and the individuals using it. Spyware can track web surfing habits, profile shopping preferences, hijack a user’s browser’s start page (home page) by redirecting it to another web page, and alter important system files. Spyware can also transmit information such as keystrokes, passwords, and personal information from a PC to a remote location. All of these activities can be done without the PC owner’s knowledge.

Spyware is not regulated by legislation. “However, the increasing practice of tracking and sending data and statistics via a secret program installed on a user’s PC and the unauthorized use of the user’s Internet connection make users uncomfortable with the potential for abuse,” Hubbs notes. While legitimate adware companies will disclose in their privacy statements the nature of data that is collected and transmitted and will collect data to refine the marketing of their products, user’s have little control over what data is being sent.

At George Mason, options for fighting spyware are limited to removal and preventive education, says Hubbs. The university is part of a cooperative group of universities and institutions across the nation that monitors these types of programs, but legal action is limited to damages done once data has been stolen and used for illegal purposes. However, the fact that the perpetrators are extremely difficult to track down limits even this course of action. “The best policy is to prevent the installation of this software in the first place,” Hubbs advises.

One way is to read the End User License Agreements and Privacy Statements thoroughly before installing software on your computer. The agreement will let you know if the software you’re about to install may contain software that will monitor your computer’s activity. However, this only applies if the software comes from a legitimate company. “Much of the spyware is installed without you knowing about it,” Hubbs warns.

Fortunately, there are a number of inexpensive and free software applications available to help computer users search for and remove suspected spyware programs. These scanning and removal tools are modeled after antivirus software, which is primarily reactive, but if scans for spyware are conducted on a regular basis, “they can be an effective tool to combat leaks of your personal information,” says Hubbs. Information on spyware removal tools is available here.

“Phishing” is a scam in which a fraudulent e-mail looks legitimate, Hubbs explains. These e-mails appear to be from a well-known company such as Citibank, Wells Fargo, or eBay, and ask for an update or confirmation of personal data, such as an account number, PIN, or password. The bait e-mail usually combines a legitimate looking format using logos, graphics, and a matching web page with language that conveys urgency or paints a threatening condition. The message often includes instructions on how to log in to a web site with a link provided. Clicking any link in a suspect e-mail can initiate installation of keystroke-logging software or viruses that can log the data that phishers are looking for next time you visit your bank’s web site.

“Legitimate companies will never ask you to confirm your information through an e-mail,” says Hubbs. If you receive such a message from a company you do business with, the best policy is to avoid the links in the e-mail and browse that company’s web site on your own. Or, you can call a customer service agent to find out if the e-mail is legitimate.

Hubbs offers some basic online safety tips for dealing with phishing and spyware:

  • Don’t open suspicious e-mails or click on links in those e-mails.

  • Don’t provide sensitive information via e-mail. Call the requesting company and verify the legitimacy of the request.

  • Keep antivirus software installed and current.

  • Keep your operating system (Windows XP, OSX) and applications patched.

  • Use anti-spyware/adware software.

  • Use a firewall.

Hubbs will present a course on ID theft and spyware as part of a DoIT Dialogue on Thursday, Dec. 2, in Innovation Hall, Room 419. Registration is optional, but you can find out more here. For other information, see the IT Security web site.

Write to at