Commercial spyware firm ordered to clean up its act

Long-term readers of the Clu-blog will recall the case of CyberSpy, the Florida firm that marketed a spyware program to those who wished to “spy on anyone, from anywhere”.

CyberSpy was ordered to stop selling its RemoteSpy keylogging program (and was then allowed to sell it again). The program made it simple for people to snoop on remote PCs without the knowledge of their true owners.


When innocent internet users clicked on the disguised file, the RemoteSpy code would install itself silently onto the victim’s computer, monitoring every keystroke, email and instant message, and making a record of every website visited. I’m sure many of you can imagine why that may not be what you want to happen to your PC.


Well, it looks like the battle between the US Federal Trade Commission and CyberSpy is finally over – with a win for the feds, who have ordered the Orlando-based company to rewrite its keylogging software, and change the way it markets its product.

In summary:

  • CyberSpy will no longer be able to advertise that their spyware can be disguised and installed on someone else’s computer without the owner’s knowledge.
  • The software now has to notify the user that the program has been downloaded, and ask the computer owner for permission to install it.
  • The company can no longer provide purchasers with the means to disguise the product. (In the past, an invisible installer for RemoteSpy could be installed onto a victim’s computer by disguising it as an innocuous file, such as a photo, and sent as an email attachment.)
  • CyberSpy will be required to inform their customers that improper use of the software may break the law.
  • CyberSpy must ensure that any data it collects from a computer is encrypted before being transmitted across the internet.
  • The company must remove legacy versions of its software from computers on which it was previously installed. I wonder how that’s going to be handled? Could be quite a challenge.
  • Finally, CyberSpy has been told that it must police its affiliates to ensure that they also comply with the order. That’s an important element, as we see plenty of dubious software packages being promoted unethically or illegally in exchange for a few dollars’ worth of commission.

CyberSpy, of course, isn’t the only business working in this apparent “grey” area between legitimate and illegitimate software. Often the products are marketed as a way for wives to spy on philandering husbands, or for concerned parents to keep an eye on what their babysitter is up to, rather than more traditional identity theft – but it’s clear that they can be used with a wide variety of motives.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
