What is a Keylogger? Hackers Could Be Stealing Your Passwords

What is a Keylogger?

A keylogger is a type of spyware that monitors and records user keystrokes. They allow cybercriminals to read anything a victim is typing into their keyboard, including private data like passwords, account numbers, and credit card numbers.

Some forms of keyloggers can do more than steal keyboard strokes. They can read data copied to the clipboard and take screenshots of the user's screen - on PCs, Macs, iPhones, and Android devices.

Keyloggers are not always the sole threat in cyberattacks. They're often just a single component of a multi-variable cyberattack sequence like a botnet attack, ransomware attack, or cryptocurrency mining attack.

Many victims are unaware that they're being monitored by keyloggers and continue to divulge sensitive information to cybercriminals.

To learn how to detect keyloggers and prevent their covert installation, read on.

Is Keylogging Illegal in the US?

Any unauthorized access of personal information on a computer is a criminal offense under US State and Federal Laws. This includes access achieved by keylogging software.

Because keylogging could be classified as a breach of the Electronic Communications Privacy Act (ECPA), offenders could face up to 5 years in prison and fines up to $250,000.

But not all instances of keylogging are illegal. Here are some examples of legal use cases of keylogging:

  • Troubleshooting - IT departments collect user input commands to help them accurately resolve computer issues.
  • Insider Threat Detection - Companies monitoring for intentional cybersecurity breaches by employees.
  • Public Safety - Companies monitoring for any unethical activity on their devices.
  • Research and Development - The permissible collection of user information to inform product improvement efforts. Unsurprisingly, such forced market research isn't likely to be received well - as demonstrated by the controversial inclusion of keyloggers in Microsoft's Windows 10.
  • Sensitive Resource Security - Monitoring for any unauthorized access attempts.
  • Law Enforcement - Law enforcement agencies use keyloggers to monitor criminal activity.

Determining whether or not keylogging sessions are legal isn't as easy as checking for user consent. Unfortunately, not all regions mirror the strict keylogging laws in the U.S.

A better indication of legality is to also consider the objectives of the keylogger and the ownership of the product being monitored.

The following 3-question framework for keylogger legality considers all of these factors.

  1. Did the user offer consent? - If yes, was clear messaging used to ensure the user was aware that they gave consent?
  2. Who owns the product being monitored? - Is the device personal or owned by a company?
  3. What are the objectives of the keylogging sessions? - Is the software used to steal or access sensitive user data?

That being said, the majority of keylogger use cases are illegal. If you detect keylogger software on your system, it has likely been surreptitiously installed by cybercriminals to steal your sensitive data.

Are Keylogging Attacks Increasing?

Yes, they are. Particularly within the financial sector. In 2018, cybersecurity company, Lastline, discovered an unusually high number of keylogging malware among financial firms.

This trend harmonizes with the findings from the 2021 X-Force Threat Intelligence Index by IBM. From all the server access attacks observed by X-Force in 2020, nearly 36% targeted the finance and insurance sector.

It appears that cybercriminals are adding keyloggers to their cyberattack toolkit to maximize compromise potential, which further highlights the importance of resilient cybersecurity in the financial sector.

How Does a Keylogging Cyberattack Work?

The process of a keylogging cyberattack depends on the type of keylogger being used.

There are two different types of keyloggers - software keyloggers and hardware keyloggers. The primary difference between the two is the method of keylogger software installation.

Software Keyloggers

This is the most common type of keylogger because it's the most efficient for rapid and large-scale distribution by cybercriminals.

Software keyloggers are commonly installed through phishing or social engineering attacks.

During these attacks, a victim is presented with a seemingly innocent email that's infected with either malicious links or attachments. Interacting with any of these items initiates a clandestine keylogger installation sequence.

Here's an example of a phishing email scam from hackers posing as the World Health Organization. To the unsuspecting eye, this email seems legitimate, but its attachment is infected with the malicious software GuLoader - a Trojan for stealing sensitive data including keystrokes.

A phishing email posing as a message from the World Health Organization - Source: malwarebytes.com
A phishing email posing as a message from the World Health Organization - Source: malwarebytes.com

Keylogger spyware can also be hidden within compromised websites. In 2018, the online office suite Zoho was forced to suspend many of its .com and .eu domains after they were found to host keylogger phishing campaigns.

Keylogging software has two primary components:

  • A Dynamic Link Library (DLL) file
  • An executable file

The executable file installs the DLL file and initiates it. Once triggered, the DLL file records user keystrokes and sends the data to the cybercriminal's servers.

Once a software keylogger has been installed, it can be used for any of the following types of cyberattacks:

  • Kernel Keylogger Attacks  - Kernel mode keyloggers are the most common type of keylogging software and they're also the hardest to detect. Kernel keyloggers use filter drivers to intercept privileged access credentials.
  • "Form Grabbing" Keylogger Attacks - These keyloggers work by intercepting data submitted into a website form before it's transmitted to the webserver.
  • API-Based keylogger Attacks - During these attacks, a keylogger is positioned at the Application Programming Interface (API) to intercept keyboard strokes sent to a targeted software.
  • Malware Infected Mobile Apps  - During this attack, mobile apps infected with keylogging malware are published into app stores as a free download. In 2017, Google removed 145 android apps infected with keylogger malware from its Play Store.

Hardware Keyloggers

Hardware keyloggers are physically connected to a targeted device. These attacks require cybercriminals to either physically handle targeted devices, though some can intercept keystrokes without a hardware connection.

Some examples of hardware keylogger cyberattacks are listed below.

  • USB Keylogger Attacks - During this attack, a USB is connected to a targeted system to deploy keylogger hardware. Social engineering tactics, such as the Trojan Horse, are usually used to convince victims to connect infected USBs.
  • Keyboard Hardware Keylogger Attacks - When a keylogger is physically built into a keyboard connection or within its keyboard software. This type of attack might seem highly unlikely but it does happen. In 2017, hundreds of HP laptops were shipped to customers with their touchpad drivers infected with keylogging code.
  • Hidden Camera Keylogger Attack - This type of attack does not require a physical connection to the target device. Hidden cameras are strategically positioned near victims to capture their keystrokes.

Top Best Methods For Detecting and Remove Keyloggers

To mitigate the harmful impact of keyloggers, they need to be detected and removed rapidly. This isn't always easy given the covert methods of keylogger injection and activation.

The following strategies intercept the common attack pathways of keyloggers to aid in their rapid detection and removal.

1. Use Anti-Keylogger Software

Not only does anti-keylogger software encrypt keystrokes, it also utilizes signature-based detection to assess all file injections against a database of known keylogger software.

Some anti-keylogger software also monitor common injection points for kernel keyloggers within the RAM ecosystem.

These capabilities make anti-keylogging software one of the most targeted methods for discovering keyloggers.

2. Monitor Resource Allocation and Background Processes

Check task manager for any software programs or background processes you do not recognize. Keyloggers usually require root access so be sure to monitor programs running on root privileges.

Highly-complex keyloggers, such as Kernel Keyloggers, cannot be detected through the task manager because they hide behind legitimate processes. These keyloggers are best detected with anti-keylogger software.

3. Regularly Update Antivirus and Anti-Rootkit Software

Because keyloggers tend to be just one component of a multi-pronged attack, antivirus programs and anti-rootkit software could block the types of malware commonly used in wider cyberattacks that include keystroke theft.

Rootkit technology makes it possible for keyloggers to hide behind legitimate computer processes, helping them evade detection by antivirus software. This is why the use of anti-virus software in a keylogger detection strategy should always be coupled with an anti-rootkit solution.

4. Look For Delays or Disturbances in Input Fields

A delay between keystrokes and the corresponding display of characters in a web page text field could be indicative of a keylogger utilizing the bandwidth of a data input pathway.

How to Protect Your Business From Keyloggers

You can minimize the chances of Keylogger injection by following these best cybersecurity practices.

1. User a Virtual Keyboard

Virtual keyboards are onscreen keyboards that accept user commands instead of a physical keyboard. Because the processes behind their information input are very different from physical keyboards, virtual keyboard commands are much harder to intercept with keyloggers.

This is why virtual keyboards are highly recommended for increasing login security for financial services.

2. Prevent Files and Applications from Self-Running

Disabling self-running files could prevent hardware keylogger attacks. USBs loaded with keyloggers depend upon this automatic initiation feature to instantly deliver their keystroke logger malware once connected.

3. Use Multi-Factor Authentication

A strong password policy with multi-factor authentication is a form of access control which could prevent cybercriminals from accessing sensitive resources even if they have the keylogger records for passwords.

This is because, with multi-factor authentication, a user's password is only a single component of an access chain. Without the supporting authentication codes, login credentials alone are almost useless.

A password manager will further strengthen a password policy by generating complex passwords and preventing password recycling.

4. Be Skeptical of All Messages

Always be skeptical of messages received via all channels. This includes emails, text messages to mobile devices and even social media inquiries.

If anything seems too suspicious, always confirm legitimacy by contacting the sender directly via a separate new message.

5. Keep Anti-Spyware Updated

Up-to-date anti-spyware software and antivirus software is capable of detecting the latest keystroke logging threats across most operating systems.

6. Ensure Your Wireless Keyboard Signals are Encrypted

Wireless keyboards using unencrypted radios communication protocols can be intercepted by remote keyloggers located up to several hundred feet away. Make sure all of your wireless keyboards utilize encrypted Bluetooth technology.

7. Educate Staff

Employees are the most common attack vectors in every cybersecurity program. Teach staff about the use of keyloggers and how to identify the cyber threats that facilitate their injection.

8. Use a VPN and a Firewall and Keep Them Updated

VPNs and firewalls could detect and block attempts to install malware into your ecosystem. Like antivirus software, VPNs must be kept updated so that they can detect the latest keylogger threats.

9. Monitor Your Entire Attack Surface for Vulnerabilities

Keylogger attackers rely on digital vulnerabilities to inject their malware. But because the digital landscape is so vast and still expanding, it's almost impossible to address them all manually.

Attack surface monitoring software is capable of scanning vulnerabilities across both  internal and entire third-party vendor attack surface that could facilitate keylogger injections.

Ready to see
UpGuard in action?

Ready to save time and streamline your trust management process?