the staff of the Ridgewood blog
What is Spyware?
Spyware refers to malicious software often used to monitor, capture, and share detailed information from computers, phones, or other devices. It can collect emails, social media posts, call logs, messages on encrypted chat apps, contacts, usernames and passwords, notes, and documents such as photos, videos, and audio recordings. It can also collect GPS information to determine a user’s location, movement, and direction. Some spyware can also activate microphones and cameras as well as deliver files without any indicators or notifications to users. Spyware can be simple or sophisticated and rely on security weaknesses or unpatched software vulnerabilities. Although device and file encryption are recommended, they cannot prevent spyware activity, because once an encrypted message is delivered to the device it is decrypted and readable by both the user and the spyware.
The NSO Group is an Israeli firm and worldwide leader in cybersurveillance. Its Pegasus spyware is installed via SMS, WhatsApp, iMessage, or an unknown vulnerability. Either a link is sent to the target smartphone for the user to tap and activate, or the spyware activates itself without any input or notification through a “zero-click” exploit that takes advantage of a vulnerability. The spyware secretly captures, extracts, and tracks information, including messages, photos and videos, contacts, calendars, chats, and GPS data. It can also record calls and secretly activate microphones and cameras. In 2016, a hacking group reportedly sold the highly sophisticated Pegasus spyware to governments and delivered it to mobile devices through critical vulnerabilities in iPhones. Almost a year later, the NSO Group created Chrysaor to target Android devices and deliver the spyware to them.
Image Source: The Guardian
The recent collaborative investigation of the NSO Group, known as the Pegasus Project, exposed widespread, persistent, and ongoing unlawful surveillance using the Pegasus spyware, resulting in successful hacks of Android and iPhone devices. Targets are reportedly politicians, government officials, journalists, human rights activists, and business executives. Furthermore, after Pegasus was found sending information to a service fronted by Amazon CloudFront, Amazon Web Services (AWS) shut down infrastructure and accounts associated with NSO Group, an example of how legitimate infrastructure providers can be abused to facilitate compromise or fraud.
The Amnesty International Security Lab provides technical details and indicators of compromise (IOCs) on GitHub, and has released a Mobile Verification Toolkit (MVT) to identify potential traces of compromise. Although the MVT works on both Android and iPhone devices, more forensic traces were found on iPhone devices.
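To show what an IOC-based check of the kind MVT performs looks like in practice, here is an added example (not code from the page, Amnesty, or the MVT project). It assumes the indicators arrive as a STIX2 bundle whose indicator objects carry single-comparison patterns such as `[domain-name:value = '...']`; the bundle, the indicator values (reserved .invalid names and a TEST-NET-1 address) and the log lines are all constructed here, not real Pegasus indicators.

```python
import json
import re

# Constructed STIX2-style bundle standing in for an IOC feed (not Amnesty's real file);
# the values are placeholders from the reserved .invalid TLD and the TEST-NET-1 range.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern_type": "stix", "pattern": "[domain-name:value = 'permalinking.invalid']"},
    {"type": "indicator", "pattern_type": "stix", "pattern": "[domain-name:value = 'cdn-assets-update.invalid']"},
    {"type": "indicator", "pattern_type": "stix", "pattern": "[ipv4-addr:value = '192.0.2.44']"},
]})

# Single-comparison STIX patterns of the form [<type>:value = '<literal>']
PATTERN_RE = re.compile(r"\[(domain-name|ipv4-addr):value\s*=\s*'([^']+)'\]")

def load_indicators(bundle_json):
    """Extract {'domain-name': set, 'ipv4-addr': set} from a STIX2 bundle."""
    iocs = {"domain-name": set(), "ipv4-addr": set()}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue                      # malware, relationship, ... objects are skipped
        m = PATTERN_RE.fullmatch(obj.get("pattern", ""))
        if m:
            iocs[m.group(1)].add(m.group(2).lower())
    return iocs

def match_token(token, iocs):
    """Return the indicator a single log token matches, or None."""
    host = token.lower()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}:\d+", host):
        host = host.rsplit(":", 1)[0]              # strip the port from ip:port
    if host in iocs["ipv4-addr"]:
        return host
    for d in iocs["domain-name"]:
        if host == d or host.endswith("." + d):  # exact match or subdomain of a listed domain
            return d
    return None

def scan_log(log_text, iocs):
    # Return (line_number, indicator) for every log line that touches an IOC.
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for token in line.split():
            ioc = match_token(token, iocs)
            if ioc:
                hits.append((n, ioc))
                break
    return hits

# Constructed DNS/connection log, one event per line.
SAMPLE_LOG = """2021-07-20T09:12:01Z dns query A www.example.com
2021-07-20T09:12:05Z dns query A PermaLinking.invalid
2021-07-20T09:12:09Z tcp connect 192.0.2.44:443
2021-07-20T09:12:12Z dns query A sub.cdn-assets-update.invalid"""
```

Running `scan_log(SAMPLE_LOG, load_indicators(SAMPLE_BUNDLE))` flags lines 2, 3 and 4; a hit is a reason for a full forensic review of the device, not proof of infection on its own.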
Additionally, the NJCCIC offers individuals and organizations information and resources on cybersecurity best practices and on implementing preventive measures to help protect themselves from cyber incidents. Further guidance is available in the NJ Statewide Information Security Manual (SISM), which provides for effective management of risk and ensures the confidentiality, integrity, and availability of information and information systems.
The NJCCIC recommends users maintain awareness of cyber threats and take proactive steps to help protect themselves and reduce victimization.
Implement a comprehensive vendor management program: Organizations may consider implementing a comprehensive vendor management program, beginning with audits of all current vendors. Prior to implementing new hardware or software products into a production environment, fully vet the product to ensure it works as expected in a test environment. Establish security controls and regularly audit vendor access to your networks, systems, and sensitive data.
Use unique, complex passwords for all accounts: Unique passwords for each account prevent password reuse attacks, in which threat actors obtain your password for one account and use it to compromise an additional account using the same credentials.
Refrain from sharing login credentials or other sensitive information: Login credentials and other sensitive information should not be shared with anyone, posted in plain view, or saved on your computer or other platforms.
Enable multi-factor authentication (MFA) where available: MFA is the use of two or more factors to authenticate to an account or service. This significantly reduces the risk of account compromise via credential theft in which your password has been exposed. Although MFA is an additional step to authenticate, it is an important one—not only to protect an individual account, but also the community at large.
Exercise caution with communications: Refrain from clicking on links or attachments or divulging sensitive information via phone, text messaging, or email without verifying the requestor via a separate means of communication before taking any action.
Navigate directly to websites: Navigate directly to authentic or official websites by typing the legitimate URL into the browser instead of clicking on links in messages, and refrain from entering login credentials on websites visited via links delivered in messages.
Use secure websites: When sharing personal or financial information, ensure you are using verified, secure, and encrypted websites.
Change the default password: Default passwords for accounts/devices can be used to gain unauthorized access.
Update passwords immediately following a data breach or potential compromise: Use a resource, such as haveibeenpwned.com, to determine if your information, such as an account password, has been revealed in a public data breach. Change an exposed password on every account that uses it to protect against account compromise.
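The haveibeenpwned.com password check can be done without sending the password itself: its Pwned Passwords range API accepts only the first five hex characters of the password's SHA-1 and returns every matching suffix with a breach count, so the comparison happens on the client. The following is an added example (not the page's or HIBP's code); the `fetch_range_live` function assumes the range endpoint `https://api.pwnedpasswords.com/range/<prefix>`, and the offline demonstration uses a constructed response in place of a real one.

```python
import hashlib
import urllib.request

def sha1_prefix_suffix(password):
    """Upper-case SHA-1 hex of the password split into the 5-char prefix that is sent
    to the service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix, range_response):
    """Parse a 'SUFFIX:COUNT' range response and return the count for our suffix (0 if absent)."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0

def is_pwned(password, fetch_range):
    """Return how many times the password appeared in known breaches; 0 means not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    return breach_count(suffix, fetch_range(prefix))

def fetch_range_live(prefix):
    """Network fetcher for real use (assumed endpoint; requires internet access)."""
    req = urllib.request.Request("https://api.pwnedpasswords.com/range/" + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def make_fake_range(known_password, count):
    """Build a constructed range response that lists the suffix of known_password."""
    _, suffix = sha1_prefix_suffix(known_password)
    # Constructed neighbours: same prefix, other suffixes, small counts.
    return "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        f"{suffix}:{count}",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:3",
    ])

def demo_check(candidate):
    """Offline check against a constructed feed that contains only the password 'password'."""
    return is_pwned(candidate, lambda prefix: make_fake_range("password", 3861493))
```

Even a count of 1 means the password should be changed everywhere it is used; the breach counts above are constructed, not real HIBP figures.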
Use reputable apps: Download and install apps from legitimate developers/companies through official app stores and after analyzing customer reviews.
Check and configure privacy and security settings: Check these settings to help manage your cyber risk and limit how and with whom you share information. Use the NJCCIC instructional guides for Android, Facebook, Google, Instagram, and Twitter, and configure similar settings on all other social media sites. Information on how to access privacy settings for additional popular devices and online services can be found on the National Cybersecurity Alliance webpage.
Reduce your digital footprint: Minimize your online presence and PII exposure, and exercise caution when uploading sensitive PII or other information to websites, applications, or social media.
Value and protect your information: Make informed decisions about sharing your data with certain individuals, businesses, services, and apps.
Conduct frequent searches and remove personal data: Conduct searches for personal data and remove any tags for photos of you and your family on social media. Contact connections to remove personal data about you and your family. Utilize Michael Bazzell’s Extreme Privacy guide to remove personal data from the internet, which includes submitting opt-out/removal requests for public record or ‘people search’ websites where your information is readily accessible.
Deactivate or delete accounts that are no longer in use: Deactivate or permanently delete any social media or online account that is no longer in use. Sites such as https://justdelete[.]me provide instruction on how to remove information and delete accounts for numerous online and social media sites.
Lock screens: When stepping away from your computer or device, the manual lock function helps to protect the information stored on or accessible from your computer. Also, check security settings or policies to automatically lock screens after inactivity.
Secure physical devices: Safeguard devices and ensure a password/passcode or an additional authentication factor is enabled for all devices to prevent unauthorized access in the event a device is lost or stolen, or a USB or other external device is inserted.
Keep devices up to date: Stay informed about publicly disclosed vulnerabilities and update devices—including firmware—to the latest version to ensure they are patched against known vulnerabilities that could be exploited by threat actors to gain unauthorized access to your device and/or data. If a device is unable to receive updates from the vendor, consider not purchasing it or discontinuing its use.
Monitor and report any suspicious activity: Monitor all personal and financial accounts (including banking and credit institutions) and report any suspicious activity or fraudulent charges immediately. Additionally, report malicious cyber activity to the NJCCIC via the Cyber Incident Report form.