Whether you’re using your personal PC or typing away at work, you might decide to log into Facebook, access your e-banking account, or just send a confidential work email. Next thing you know, you’ve lost access to your account, your bank balance sits at $0, or sensitive company data has been leaked.
Your device was infected with a keylogger.
But what is this type of malware exactly?
What Is a Keylogger?
One of the oldest and most surefire ways hackers can steal your credentials or personal data is through keyloggers. A keylogger is a form of spyware that records everything you type using your computer or mobile keyboard.
The term “keylogger” is, as evident, derived from the malware’s function - logging keystrokes. The main purpose of keyloggers is to collect all types of valuable information from victims through keystroke monitoring - credit card information, login credentials, private correspondence, or any other type of sensitive data that you enter through your keyboard.
Unlike most malware and spyware, keyloggers didn’t come into being during the 1990s and 2000s, when hackers of old were just discovering how to harness the power of the internet and computers to nefarious ends. The first recorded use of a keylogger was actually during the peak of the Cold War.
In the 1970s, the Soviets planted electromechanical implants into IBM Selectric typewriters used by US diplomats in Moscow and Leningrad. The implants were so meticulously placed, stuffed on a metal bar that ran along the length of the copywriter, that they were practically impossible to detect.
These keyloggers evaded detection for a full eight years, after which their existence was finally tipped off by a US ally.
While modern keylogger malware doesn’t rely on electromechanical implants, its core way of functioning is pretty much the same. A keylogger is planted on a computer or smartphone, with the device’s owner being completely unaware they have an intruder in their system.
How Do Keyloggers Work?
So, what makes a keystroke logger tick, and how do they actually capture your keyboard strokes?
Let’s start off with how keyloggers latch onto your device.
Like most malware, a keylogger can enter your computer or phone in many ways. Keylogging software can be hidden within seemingly innocuous software or tools you download from the internet.
Of course, other traditional malware infiltration methods also work for keyloggers - phishing emails, social engineering, executables, and so forth. Lastly, your devices can get infected by connecting storage devices that have the keylogger on them, such as USB flash drives.
Lastly, some keyloggers might rely on old-school mechanical methods where someone embeds hardware within your PC to log keystrokes.
As we said before, these hardware keyloggers have been largely abandoned today except in high-stake situations, where cybercriminals might think the potential victim will be able to detect malicious software in their system.
Ok, now you know how keyloggers can get planted on your device. But how do they actually record keystrokes? The keys you press while typing aren’t normally recorded, meaning that obtaining keystroke input data isn’t as simple as copying over some system files. Instead, hackers develop specialized methods for fetching keyboard inputs. These include:
- Placing system hooks that intercept notifications that a certain key has been pressed.
- Sending information requests to the keyboard using WinAPI Get(Async)KeyState or GetKeyboardState.
- Creating specialized filter drivers.
Using system hooks is the most widespread method, largely because it requires the least expert coding knowledge. Some keylogger program creators might also use techniques that help their malware evade detection by antivirus programs. The two most commonly used techniques are masking in user mode and masking in kernel mode.
However, the vast majority of keyloggers found in the wild don’t use any type of stealth approach. This tells us that more advanced, handcrafted keyloggers are usually reserved for high-value targets. Using high-end keyloggers for low-profile targets would be a waste of resources from a hacker’s point of view.
Whichever method for collecting data they use, keyloggers usually create a small file that collects recorded keystroke information. The next thing keystroke software needs to do is send that data to the hacker. Again, there are multiple ways in which this can be achieved:
- Keystroke data is uploaded to a remote server or website
- Information is emailed to the hacker’s address
- The victim’s computer is accessed through remote control
The type of data captured through a keylogger isn’t a simple transcript of all button presses condensed in one file. Depending on the needs of the keylogger attack in question, the spyware might collect other forms of data as well. Some advanced types of keyloggers are practically full-on spying malware that can capture nearly all user activity.
Besides recorded keystroke data, keyloggers can capture:
- Screenshots at certain intervals or when some apps are used
- Activity metrics, showing what apps are used or which files/folders are opened
- Internet activity and browsing history
- Clipboard data - text copied to clipboard used during copy/paste commands
What Are Keyloggers Used For?
As you can imagine, keyloggers can be used for various ends. In most cases, the purpose of a keylogger is to bring some sort of financial benefit to its creator. The most obvious example is using keyloggers to steal financial information such as credit card numbers or bank account details.
Once that data is stolen, the hacker can use it for fraudulent purchases and transactions or sell off stolen information in bulk to third parties.
When it comes to stealing credentials, such as social media login data, this information can be used in many ways. This includes ID theft, impersonation to gain valuable information, scamming, and attacks on businesses.
Big corporations have always been considered prime targets by cybercriminals for a variety of reasons. Firstly, a keylogger attack on a business can be extremely lucrative - hackers can steal company funds, sell off confidential corporate secrets, or blackmail the company by threatening to release stolen information.
Secondly, a keylogger is often used to gain a foothold in a corporate network, usually by stealing credentials for admin access and building up from there. Once in the network, cybercriminals can make use of countless other forms of malware, from botnets and crypto miners to other spyware or Trojans.
Not all keylogger uses are necessarily illegal, although the ethic behind their application remains questionable. For example, some forms of keylogging software are used to keep tabs on employees in a corporate environment. This can be either to keep work quality and productivity at desired levels or to safeguard the network’s security.
Additionally, keyloggers are used in some parental control apps to monitor children’s online activity, feeding parents with information straight from the child’s private correspondences. Again, the ethical side of such use of keyloggers, especially if the child is unaware of it, remains dubious, to say the least.
Besides corporate keylogging and parental controls, a keyboard tracker might be used in various spouse/partner-spying applications too, which obviously more than verges on the privacy-intrusive side of things. On top of that, some massively used apps, like the grammar and spelling checker Grammarly, act as a keylogger of sorts, too.
How To Detect and Remove Keyloggers
If all this talk about keyloggers and their capabilities has got you worried about the safety of your own devices, follow these few simple steps to make sure your computer or smartphone is spyware-free.
1. Keep your antivirus software updated and run regular scans.
Following conventional wisdom is often the most effective advice you can get. As such, getting a top-class antivirus solution and keeping it updated is key to keylogger detection and removal. Additionally, you should regularly run deep scans to potentially discover any spyware that might have slipped through the net.
2. Check active processes and resource allocation.
Keyloggers, by and large, run as active (but potentially well hidden) processes in the background. Thus, one way of discovering a keylogger hack is by checking your system’s active processes.
On Windows, you can see a list of processes running in the Task Manager, which can be accessed by pressing Ctrl + Alt + Del. Once there, look for suspicious processes you don’t recognize and can’t tie to legit applications or standard system activity. In a business environment, good network monitoring software could help reveal keyloggers.
On top of that, you might want to see whether any processes are using more system power (RAM or CPU) than they should. Increased resource usage could be a telltale sign of keylogger activity.
3. Be careful with external devices.
One of the most common ways to get any type of malware, including keyloggers, is through infected external devices. Things like USB flash drives, portable hard drives, or connecting any other device like a smartphone could get a keylogger into your system.
Therefore, to prevent a keylogger attack, it’s a good idea to scan and/or format external hardware. This should both decrease the chances of a keylogger latching onto your system, and generally improve your anti-malware defenses.
4. Improve your password management and add authentication.
While this piece of advice doesn’t relate to detecting/removing keyloggers directly, it does present a great way to mitigate possible consequences of keylogger attacks. Since a fair chunk of keyloggers try to scoop up some of the many passwords you use, you should try and improve your general password management.
First, you might want to start using a robust password manager to help protect your important credentials. Password managers always come with an autofill feature that removes the need for you to type in passwords when logging onto various services or sites.
Since keyloggers track keystrokes, using autofill can greatly reduce the number of passwords that end up compromised.
However, many keyloggers don’t rely on just logging key presses - they steal a whole breadth of data, all of which could help them unearth your passwords. Additionally, keyloggers are often part of a wider attack, accompanied by other malware. If this is the case (and you’re already infected), using a password manager won’t help much.
Handling Hardware Keyloggers
Unlike software keyloggers, hardware-based spyware is much, much harder to detect. Practically, the only way to detect a keylogger that has been hardware-installed on your device is when you notice that some of your credentials have been compromised. Otherwise, there’s practically no way to see them with the naked eye - which is pretty much their point.
Luckily, hardware keyloggers are very rare. First of all, they’re mostly used in high-stake attacks, meaning most regular users are safe from them. Secondly, it requires someone to have physical access to your device to actually install the keylogger.
In case you have a reason to believe a hardware keylogger is on your device, you need to take your device to a specialized device repair shop to have it checked.
Keyloggers are still a very active threat. In a world where we handle an ever-increasing number of social media accounts, payment portals, and online services, our usernames and passwords become increasingly valuable. This especially rings true when it comes to services such as Gmail, which is tied to a bunch of sites and other services we use every day.
Businesses and large corporations also have to fend off a huge number of cyberattacks every year, including keygen malware. As such, they have to invest heavily in cybersecurity and teach their employees how to avoid falling for the usual tactics hackers employ.
Things are not hopeless, however - far from it. By educating yourself on how keyloggers and other malware function, and by following advice on how to protect yourself from these attacks, you greatly reduce the chances of falling prey to them.
One of the most well-known examples of a keylogger attack was the Anthem breach in 2015. Through a keylogger, attackers stole 80 million records from Anthem Inc., a popular US healthcare provider. The keylogger Trojan was planted through a phishing email.
Keyloggers are mainly used to conduct cyberattacks to steal things like credit card numbers, personal data, login credentials, private correspondences, and more.
You can remove them through anti-keylogger and anti-rootkit software, or by wiping infected storage devices.
Not all keyloggers are illegal. They’re often used legally for employee tracking and to maintain IT security. If you installed a keylogger on your device on purpose or consented to a keylogger being installed, its use is completely legal.
Your email address will not be published.*