There are many different ways in which cybercriminals and hackers try to steal our personal information. Some try to trick us into giving up our information through phishing emails, while others might try to lock down our computers with ransomware. In addition to these and myriad other types of attacks, there is another method of stealing data that is just as dangerous but is generally much more discreet: a keystroke logger, or keylogger for short.
This short video, produced by Malwarebytes, goes over the basics of a keystroke logger and how to stay safe.
What is a Keylogger?
A keylogger is, simply put, “a type of cyber threat that records the keys struck on a keyboard” (McAfee). After recording everything you type on the keyboard, a keylogger will take “the information and [send] it to a hacker” (Fortinet). At first, you may be wondering what a hacker can gain from knowing everything you have typed on your keyboard. First and foremost, keyloggers “can capture virtually every type of information entered through a keyboard; this includes but is not limited to email correspondence, instant messages, documents, and web forms”, but more importantly, a keylogger can capture usernames, passwords, email addresses, and payment information (McAfee). This information, once received by the hacker, can be used to access your accounts, steal your information or money, and even impersonate you.
This is why keyloggers are often referred to as a type of spyware, which is a type of malware meant to, as the name implies, spy on the infected device. Beyond simply capturing the keys you type on the keyboard, some “keyloggers can also enable cybercriminals to eavesdrop on you, watch you on your system camera, … listen over your smartphone’s microphone… record the web pages you view, [or] grab on to your sent emails and any instant messaging session” (Malwarebytes). Usually, once a keylogger records keystrokes, screenshots, audio or other data, this data is “then automatically transferred to the hacker that set up the keylogger. This is done using a remote server that both the keylogger software and the hacker are connected to” (Fortinet). A remote server is a device that the keylogger sends data to, similar to a regular computer; once the data is on the server, the hacker can access it whenever they desire. Thus, it is hard to prevent a hacker from obtaining data from a keylogger without either removing the keylogger or preventing it from connecting to its remote server. Once the data arrives, the hacker “analyzes the keystrokes to locate usernames and passwords and uses them to hack into otherwise secure systems” (Fortinet).
It is important to note, however, that keyloggers “are not always illegal to install and use” (Malwarebytes). In fact, some keyloggers are utilized specifically as a cybersecurity tool. In some companies, “IT departments use [keyloggers] to troubleshoot technical problems on their systems and networks—or to keep an eye on employees surreptitiously. The same goes for, say, parents, who want to monitor their children’s activities” (Malwarebytes). This is why cybersecurity experts recommend using your work computers or phones only for work purposes; you never know what data might be collected and observed by your company’s IT team.
Types of Keyloggers
While keyloggers differ in their capabilities, they all, at the least, log keystrokes. Some keyloggers are meant to infect computers and laptops, while others target phones, tablets, and other touchscreen devices. The two main categories of keylogger, however, are software keyloggers and hardware keyloggers.
Software Keyloggers
A software keylogger has “to be installed on a computer to steal keystroke data. They are the most common method hackers use to access a user’s keystrokes” (Fortinet). This is because a software keylogger is “much easier to introduce to and install on victims’ devices” (Malwarebytes). As long as the hacker can trick an unsuspecting user into installing a keylogger, the hacker will be able to obtain the data they desire. On a technical level, a software keylogger works “by functioning at the kernel level of an Operating System (OS). This means they intercept signals sent from the keyboard to the OS, capturing all information typed on the keyboard” (McAfee).
Software keyloggers infect machines much like any other type of malware. For example, a keylogger may be installed “when the user downloads an infected application” (Fortinet). In addition, a software keylogger could be installed “when you click on a file attachment that you’ve been duped into opening—most commonly because you fell for a social engineering scheme or a cleverly designed phishing expedition” (Malwarebytes). Thus, by maintaining good cybersecurity and cyber hygiene practices, you have a good chance of avoiding infection from a keylogger.
It is also important to note that phones can fall victim to keyloggers, despite many believing that their phones are more secure than their computers. In terms of keyloggers, “there are no known hardware keyloggers for mobile phones. But both Androids and iPhones are still vulnerable to software keyloggers” (Malwarebytes). A software keylogger can be installed on a phone the same way that it would be installed on a computer. In some cases, however, having a keylogger on your phone can be more dangerous and compromising than having one on your computer; “once the keylogger infects the smartphone, it monitors more than just keyboard activity. Screen shots (of emails, texts, login pages, etc.), the phone’s camera, the microphone, connected printers, and network traffic are all fair game for the keylogger. It can even block your ability to go to particular websites” (Malwarebytes).
Hardware Keyloggers
The other type of keylogger is a hardware keylogger. While a hardware keylogger “works much like its software counterpart” there is one huge difference: “hardware keyloggers have to be physically connected to the target computer to record the user’s keystrokes”, just like how you can plug a USB drive into your computer in order to store data on it (Fortinet). Thus, it is much harder to install a hardware keylogger than a software keylogger; “for this reason, it is important for an organization to carefully monitor who has access to the network and the devices connected to it” (Fortinet). Generally speaking, since “hardware keyloggers require physical access to the computer, they are often used in targeted attacks where the criminal has some access to the victim’s premises, for example, in office spaces” (McAfee). By only allowing authorized individuals around company devices, the risk of being infected with a hardware keylogger can decrease significantly. If “an unauthorized individual is allowed to use a device on the network, they could install a hardware keylogger that may run undetected until it has already collected sensitive information” (Fortinet). In addition, it is possible for someone who has proper authorization, such as an IT person or manager, to install a keylogger on a company device. Thus, proper policies and controls must be put into place to handle these sorts of attacks from within the company itself.
Furthermore, “their physical presence makes them easier to detect” and they tend to be easier to remove (McAfee). There are two types of hardware keyloggers that Malwarebytes identifies. The first is a device that “can be embedded in the internal PC hardware itself”, while the second is “an inconspicuous plugin that’s secretly inserted into the keyboard port between the CPU box and the keyboard cable so that it intercepts all the signals as you type”. If the keylogger is embedded into the internal hardware of your computer, the computer will likely have to be taken apart in order to remove it. If the keylogger is attached to your keyboard or USB ports, however, it is much easier to remove since it can simply be unplugged.
How to Detect A Keylogger
Unfortunately, “detection and removal of keyloggers can be a challenging task due to their covert nature, but it’s not impossible” (McAfee). Keyloggers are often configured to be difficult to find and just as difficult to remove; after all, they would not be useful to a hacker if they were easily discovered. Fortunately, there are some ways that you might be able to determine if you are infected with a keylogger.
Fortinet states that the “simplest way to detect a keylogger is to check your task manager. Here, you can see which processes are running. It can be tough to know which ones are legitimate and which could be caused by keyloggers, but you can differentiate the safe processes from the threats by looking at each process up on the internet”. In addition, “[a]nother good place to look for keyloggers is under the Startup tab. Keyloggers get set up to run all the time on a computer, and to do that, they need to be started up with the operating system” (Fortinet). The task manager is a useful menu that can show what applications are running on your computer as well as how much of the computer’s resources are being used up by a given application. The startup tab is, generally, a list of applications that begin running as soon as the computer is powered on. Users are able to modify this list to have certain applications or programs start up as soon as possible when they log onto their machine. Checking these two places is a good start to checking your computer for a keylogger, but this can be complicated for those unfamiliar with using the task manager or startup menu. If you are concerned that your device has a keylogger installed and you do not feel comfortable trying to find and navigate these menus, contact an IT or computer security service and have an IT professional take a look at your device.
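The Task Manager and Startup checks described above can also be done from PowerShell on Windows. This is an added example, not part of the original article or its sources; the helper names Get-ExePath and Get-SignatureStatus are hypothetical, and using Authenticode signature status to decide which entries to look up first is an assumption of this example.

```powershell
# Added example: read-only listing of startup entries and running processes,
# with each executable's signature status, to narrow down what to research.
# Win32_StartupCommand covers Run registry keys and Startup folders only;
# services and scheduled tasks are not included.

function Get-ExePath {
    param([string]$Command)
    # Extract the executable path from a startup command line (quoted or unquoted).
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.(exe|com|bat|cmd|vbs|js|ps1))(\s|$)') { return $Matches[1] }
    return $null   # e.g. a .lnk shortcut; reported as NoPath below
}

function Get-SignatureStatus {
    param([string]$Path)
    if (-not $Path) { return 'NoPath' }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded -PathType Leaf)) { return 'FileNotFound' }
    return (Get-AuthenticodeSignature -LiteralPath $expanded).Status.ToString()
}

# Equivalent of the Startup tab: programs launched at logon.
$startup = Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
    $exe = Get-ExePath $_.Command
    [pscustomobject]@{
        Source    = 'Startup'
        Name      = $_.Name
        Location  = $_.Location
        Path      = $exe
        Signature = Get-SignatureStatus $exe
    }
}

# Equivalent of the Processes tab: one row per distinct executable on disk.
# Processes whose path cannot be read without elevation are skipped.
$running = Get-Process | Where-Object { $_.Path } | Sort-Object Path -Unique | ForEach-Object {
    [pscustomobject]@{
        Source    = 'Process'
        Name      = $_.ProcessName
        Location  = "PID $($_.Id)"
        Path      = $_.Path
        Signature = Get-SignatureStatus $_.Path
    }
}

# Show only entries without a valid signature: candidates to look up, not proof.
@($startup) + @($running) | Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

An unsigned entry is only a prompt to research the name, and a valid signature does not by itself mean a program is harmless.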
Malwarebytes identifies ways in which low quality keyloggers might accidentally reveal themselves, as well as the ways in which high quality keyloggers are able to stay hidden:
Keyloggers of poorer quality (such as the malware variety) might reveal themselves in a number of ways. The software might subtly degrade smartphone screenshots to a noticeable degree. On all devices, there could be a slowdown in web browsing performance. Or there’s a distinct lag in your mouse movement or keystrokes, or what you are actually typing doesn’t show up onscreen. You might even get an error message when loading graphics or web pages. All in all, something just seems “off.”
The well-designed commercial grade of keylogger usually works flawlessly, so it does not affect system performance at all. If the keylogger is sending reports to a remote operator, it disguises itself as normal files or traffic. Some of the programs will even display a notice on the screen that the system is being monitored—such as in a corporate computing environment. Others can reinstall themselves if users somehow succeed in finding them and attempt to remove them.
Of course, the best way to protect yourself and your equipment from falling victim to keyloggers is to scan your system regularly with a quality cybersecurity program.
Malwarebytes
How to Stay Safe from Keyloggers
Fortunately, while detecting a keylogger is difficult, protecting yourself from one is easier. As stated by McAfee, “Prevention is always better than cure, especially when dealing with cybersecurity threats like keyloggers. One of the most effective ways to prevent keyloggers is through practicing safe online habits”. In addition, Malwarebytes states that staying safe “starts with keeping your operating system, your applications, and web browsers up to date with the latest security patches. Always be skeptical about any attachments you receive, especially unexpected ones even if they seem to come from someone you know. When in doubt, contact the sender to ask. Keep your passwords long and complex, and avoid using the same one for different services” (Malwarebytes).
Fortinet recommends using “a high-quality antivirus or firewall” as the best way to protect yourself from a keylogger. In addition, “[f]or online protection, consider using a secure browser and a virtual private network (VPN), especially when connecting to public Wi-Fi. This helps to encrypt your online activities, making it harder for keyloggers to capture your data” (McAfee). Finally, a great way to increase your security is to “use multi-factor authentication (MFA) when you have the option. A keylogger may deduce your password, but the second phase of the authentication process may deter them” (Fortinet). By following the above steps, you will protect yourself not only from keyloggers but also from other types of malware.
Resources & Further Reading
Fortinet. “A Complete Guide on Keyloggers.” Fortinet, Fortinet, Inc., www.fortinet.com/resources/cyberglossary/what-is-keyloggers.
Malwarebytes. “Keyloggers – How Keyloggers Work & How to Detect?” Malwarebytes, Malwarebytes, www.malwarebytes.com/keylogger.
McAfee. “What Is a Keylogger?” McAfee, McAfee LLC, 6 Dec. 2022, www.mcafee.com/learn/what-is-a-keylogger/.




