What is a Keylogger and Key Stroke Logging?

Introduction

Do you heed the warnings at ATMs or gas pumps recommending you shield the keypad as you type in your PIN? If not, you should. It’s not because the person next to you may be watching (although that’s always a possibility). Cyber criminals can place hidden cameras in public areas to record your keystrokes and steal your credentials and your money. That’s just one example of a type of keylogger and how keystroke logging is accomplished.

In this blog, we’ll take an in-depth look at keyloggers and keystroke logging, including how they work, how they could affect you, signs of keylogging, and how to prevent and disable keyloggers. We’ll also explore the link between keylogging and DDoS attacks and how to defend your organization from such attacks.

What is keylogging?

Short for keystroke logging, keylogging is the act of tracking the keys entered on a keyboard – whether your computer or a mobile device. The objective is to monitor and record everything that you are typing without disrupting what you are doing, in order to steal valuable information.

Keyloggers, the surveillance technology that logs the keystrokes, can be used for a wide range of purposes, from legitimate to malicious. For example, keyloggers can be embedded into software products to assist with software development, or installed by a parent on a child’s computer or phone for their online protection. However, the most concerning usage is by cybercriminals who install keyloggers on computers, websites, applications, and USB devices to steal sensitive data as it is typed in.

Types of keyloggers

There are two types of keyloggers – hardware devices and software applications. Both have the same intent: to automate the process of keystroke logging. Whether hardware-based or software-based, keyloggers do not disrupt or damage the systems they run on, because the objective is to remain unnoticed and passively exfiltrate data. The threat comes later, when the stolen data is used for nefarious purposes.

Let’s look at some of the most common forms of both types of keyloggers.

Hardware keyloggers

A hardware-based keylogger is a small device that serves as a connector between the keyboard and the computer. The "connection" may also be visual, as with hidden-camera keyloggers that could be installed at ATMs, gas filling stations, or public computer terminals in libraries. Other hardware-based keyloggers are designed to resemble an ordinary PS/2 keyboard connector, part of the computer cabling, or a USB adapter. Whatever the form factor, hardware keyloggers are designed to be inconspicuous, so it is relatively easy for someone who wants to monitor a user's behavior to hide the device.

Hardware-based keyloggers are more difficult for cybercriminals to use because they need to have physical access to the computer while you are not there in order to install the keylogging device. However, once the device is installed, they may be able to access the keylogger over WiFi and not have to retrieve the data in person.

Software keyloggers

Software keyloggers are the most prevalent type of keyloggers because they are easier to introduce than physically connecting a device to someone’s computer and can also log keystrokes from smartphones.

Common software keylogger types include:

  • API-based keyloggers leverage the power of APIs which software developers use to transmit data to other systems and communicate back and forth. This type of keylogger records the signals sent from each keypress to the program you are typing into and logs the keystrokes in a system file.
  • “Form grabbing”-based keyloggers monitor website forms and record the data you enter into a form and capture a copy before the form is sent to the web server.
  • Kernel-based keyloggers are more nefarious: they work their way into a system's core to gain administrator-level privileges that can provide unrestricted access to an organization's most valuable data. They can also modify internal Windows system components to wreak additional havoc.

How does keylogging work?

At a high level, hardware and software keyloggers work very similarly. They collect each keystroke the user makes and save it. Then, the person who installed the keylogger retrieves the data that has been gathered.

In the case of a hardware-based keylogger, a person must either physically remove the device to access the gathered information or, if the device is WiFi-enabled, they can download the data remotely.

In the case of a software-based keylogger, the keylogger periodically sends the data to a server. To retrieve the data, the person connects to the server and accesses it.

From there, the person gathering the data can figure out all kinds of personal information. Just think about the number of times you have input passwords, credit card data, financial account numbers, birth dates, and social security numbers into websites. Not to mention, other personal information shared over social media, email, and text messages which can include schedules, vacations, relationship status, and health challenges. Retrieving and assembling this logged information is like eavesdropping on a personal conversation. The damage comes when that information is used to inflict harm.

How keyloggers attack your device

There are many ways in which software-based keyloggers spread. Some of the most common include:

  • Phishing email. You may receive a very convincing email that looks legitimate. When you open it or click on a link in the email, you have unwittingly installed a software-based keylogger that immediately starts recording your keystrokes.
  • Trojan horse. A Trojan horse is a program that seems to perform one function but actually is doing something else. The promise may be of free software, but instead a keylogger, concealed inside, automatically installs on your device and immediately starts logging keystrokes and reporting them back to the threat actor.
  • Malicious website. You may visit a website that looks legitimate but as you explore the site, malware containing a keylogger gets installed on your device.
  • Social engineering. A cleverly designed social engineering scheme might include impersonating an authority figure or a favorite brand to gain your trust, and then asking you to provide access to a system or divulge confidential information and installing a keylogger in the process.

Can keyloggers infect your mobile device?

While there are no known hardware keyloggers for mobile devices, software keyloggers for both Android and iPhone devices do exist. Once a keylogger infects a mobile phone, it monitors more than the keyboard. It can also capture screenshots, text messages, photos, videos, the microphone, and network traffic. Everything is fair game and can be copied and uploaded to a server for a person to access.

If someone has access to your phone or other mobile device, even for a few minutes, they can install a keylogger. The same methods discussed above – falling prey to phishing, social engineering, malicious websites, and other scams – also open the door to keylogging infections.

Different uses of keylogging

There are many uses for keylogging. Some are legal, some are questionable, and others are clearly illegal. When looking at situations where keylogging has been used, there are four factors that go into figuring out where the situation falls along the spectrum of legal and illegal:

  1. Consent. Is keylogging happening with clear consent, with permission hidden in contractual language, or with no permission at all?
  2. Goals of keystroke logging. Is keylogging being used to steal data for uses such as identity theft, fraud, or stalking?
  3. Ownership of the device being monitored. Is the keystroke logger being used by the device owner or by the manufacturer of the device?
  4. Rules and regulations in the region. Is the keystroke logger being used in accordance with applicable rules and regulations?

A word of warning: Even when keylogging is legal, the data reaped is highly valuable to threat actors. So, in the event of a data breach and if keylogging data falls into the wrong hands, an organization will have to face the legal fallout and financial implications of such an attack. It’s imperative that data obtained via keylogging is protected.

Legal uses of keylogging

Common legal uses of keylogging include:

  • By software and computer manufacturers for ongoing product development and enhancements.
  • To troubleshoot IT issues by collecting details on user problems and to help resolve them.
  • To monitor business servers and watch for unauthorized user activity.
  • To supervise safe use of company property by an employee.

In each of these cases, use is deemed legal if:

  • It does not involve criminal use of the data.
  • The entity engaged in keylogging is the product owner, manufacturer or legal guardian of a child using the product.
  • It is used in accordance with local laws and regulations.

Morally questionable, but legal uses of keylogging

Without consent, keylogging can still be legally used:

  • By parents to supervise kids and protect them in their online activities.
  • By a spouse to track another spouse suspected of cheating.
  • By an employer to monitor employee productivity.

Particularly in the last two cases, lack of consent is highly questionable but is still within legal boundaries.

Illegal uses of keylogging

When there is no regard for consent, local laws, and product ownership, then keylogging usage is illegal. Typically the intent of keylogging in these instances is to benefit the individual or defame the victim.

For example:

  • Intercepting and stealing personal information
  • Stealing a spouse’s online account information
  • Stalking a non-consenting person

When keylogging is used illegally, this is when it crosses the line into the category of keylogging malware.

How to detect keylogging

The aim of keylogging is to work surreptitiously, staying below the radar and remaining undetected. However, some lower-end keyloggers are easier to detect because they give away telltale signs such as slower browser performance, delays during typing, applications that freeze without warning, and unexpected error messages. They may even noticeably degrade smartphone screenshots.

Advanced keyloggers are much harder to detect and typically can only be revealed by robust antivirus or antimalware scanning software. Traffic from software keyloggers can often blend in seamlessly with other normal traffic or files. And depending on the software keylogger type and where it has been installed—at the API level, in memory, or at the kernel level—it can be extremely hard to find.
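One reason keylogger traffic blends in is that it is usually small and uses ordinary ports; what often gives it away is regularity, because a software keylogger that "periodically sends the data to a server" produces same-sized connections at a near-constant interval. The following Python is an added example, not code from the original post, showing how a defender can flag that pattern in outbound connection records. The log lines are constructed for the example, and the thresholds (at least five connections, under 10% jitter in timing and size) are assumptions that a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connection records: timestamp, source host,
# destination, bytes sent. Not real telemetry; the 203.0.113.10 entries were
# written to repeat every ~5 minutes with nearly identical sizes.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-17 203.0.113.10:443 1800
2024-05-01T09:00:23 ws-17 198.51.100.5:443 42000
2024-05-01T09:05:01 ws-17 203.0.113.10:443 1790
2024-05-01T09:07:44 ws-17 198.51.100.8:80 9000
2024-05-01T09:10:00 ws-17 203.0.113.10:443 1810
2024-05-01T09:15:02 ws-17 203.0.113.10:443 1795
2024-05-01T09:16:30 ws-17 198.51.100.5:443 1200
2024-05-01T09:20:01 ws-17 203.0.113.10:443 1805
2024-05-01T09:25:00 ws-17 203.0.113.10:443 1800
"""


def parse_log(text):
    """Parse the whitespace-separated records into (datetime, host, dest, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), host, dest, int(nbytes)))
    return events


def find_beacons(events, min_connections=5, max_jitter=0.10):
    """Return (host, destination) pairs whose connections recur at a nearly
    constant interval with nearly constant size.

    max_jitter is the allowed coefficient of variation (stdev / mean) for both
    the gaps between connections and the bytes sent. Human-driven traffic is
    bursty and varies in size; scheduled exfiltration tends not to."""
    by_pair = defaultdict(list)
    for ts, host, dest, nbytes in events:
        by_pair[(host, dest)].append((ts, nbytes))

    beacons = []
    for pair, recs in by_pair.items():
        if len(recs) < min_connections:
            continue
        recs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg_gap = mean(gaps)
        if avg_gap == 0:
            continue
        gap_cv = pstdev(gaps) / avg_gap
        sizes = [n for _, n in recs]
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) else 0.0
        if gap_cv <= max_jitter and size_cv <= max_jitter:
            beacons.append({
                "pair": pair,
                "count": len(recs),
                "interval_s": round(avg_gap, 1),
                "interval_cv": round(gap_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    return beacons


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {hit['pair'][0]} -> {hit['pair'][1]} "
              f"every {hit['interval_s']}s ({hit['count']} connections)")
```

On the constructed sample this reports one candidate, ws-17 to 203.0.113.10:443 roughly every 300 seconds; the browsing-like connections to 198.51.100.x are too few and too irregular to qualify. A hit is a lead for triage (what process owns the socket, is the destination known), not proof of compromise, since legitimate agents also beacon on a schedule.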

On the other hand, when it comes to hardware keyloggers you need to take an entirely different detection approach as they require physical inspection—scanning software won’t find them. If you see an external physical device that you did not install, such as a USB drive or external hard drive, you can simply remove the device. It is far more difficult to detect and remove a hardware keylogger that has been installed internally by the device manufacturer. Researching devices, reading the fine print on contracts, and asking lots of questions before you purchase a computer or laptop are the best ways to avoid being subjected to embedded hardware keyloggers.

Another way to check for keylogging is to look at your browser extensions. If you discover extensions you don’t recall installing, you may want to consider disabling them as they could be keyloggers. Here’s how to access extensions in some of the most popular browsers:

  • Chrome: Go to the address field and type “chrome://extensions”
  • Firefox: Enter "about:addons" in the address field
  • Internet Explorer: Go to the Tools menu and choose "Manage add-ons"
  • Microsoft Edge: Select “Extensions” in your browser menu
  • Opera: Choose “Extensions” and then select “Manage Extensions”
  • Safari: Choose “Preferences” in the Safari menu and click on “Extensions”
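Opening the extensions page tells you what is installed; deciding which entries deserve suspicion is the harder part. An extension can only read what you type into web forms if it has been granted access to the pages you visit, so the extension manifest is the thing to inspect. The following Python is an added example, not code from the original post or from any browser vendor, that audits Chromium-style manifest.json files (the "permissions", "host_permissions" and "content_scripts" keys are real manifest fields) against an allowlist. The two manifests, the extension IDs and the allowlist are constructed for the example, and the set of permissions treated as sensitive is an assumption you would adapt to your environment.

```python
import json

# Host patterns that grant access to every site the user visits.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Permissions that let an extension observe or steer user activity across the
# browser. Assumed list for this example; tune it for your own policy.
SENSITIVE_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "clipboardRead",
    "debugger", "nativeMessaging", "tabs", "scripting",
}


def assess_manifest(manifest):
    """Return the reasons an extension manifest deserves review (empty = nothing notable)."""
    reasons = []
    permissions = set(manifest.get("permissions", []))
    # Manifest V2 kept host patterns in "permissions"; V3 moved them to "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in permissions if "://" in p or p == "<all_urls>"}
    if hosts & ALL_SITES:
        reasons.append("host access to all sites")
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & ALL_SITES:
            reasons.append("content script injected into every page")
            break
    sensitive = permissions & SENSITIVE_PERMISSIONS
    if sensitive:
        reasons.append("sensitive permissions: " + ", ".join(sorted(sensitive)))
    return reasons


def audit(manifests, approved_ids):
    """manifests: {extension_id: manifest_json_text}. Returns {name: [reasons]} for
    every extension that is unapproved or requests risky access."""
    findings = {}
    for ext_id, raw in manifests.items():
        manifest = json.loads(raw)
        reasons = assess_manifest(manifest)
        if ext_id not in approved_ids:
            reasons.insert(0, "not on the approved list")
        if reasons:
            findings[manifest.get("name", ext_id)] = reasons
    return findings


# Constructed sample: two extension manifests and a hypothetical allowlist.
SAMPLE_MANIFESTS = {
    "aaaa-approved-sso-helper": json.dumps({
        "name": "Corporate SSO Helper",
        "manifest_version": 3,
        "permissions": ["storage"],
        "host_permissions": ["https://sso.example.com/*"],
    }),
    "bbbb-unknown-coupon-finder": json.dumps({
        "name": "Free Coupon Finder",
        "manifest_version": 3,
        "permissions": ["clipboardRead", "tabs", "storage"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    }),
}
APPROVED_IDS = {"aaaa-approved-sso-helper"}


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_MANIFESTS, APPROVED_IDS).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The approved helper, scoped to a single SSO host with only "storage", produces no finding. The coupon finder is flagged four ways: it is unlisted, it has access to every site, it injects a script into every page, and it can read the clipboard and enumerate tabs. None of that proves it logs keystrokes, but it is exactly the access a form-grabbing extension would need, which is why an unrecognized extension with this profile is worth disabling until it is accounted for.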

How to protect against keylogging

As with all threats, an ounce of prevention is worth a pound of cure. The following general cyber hygiene and cybersecurity best practices can go a long way to protecting against keylogging.

  • Ensure that software and your operating system are regularly updated. Technology vendors regularly issue updates to help keep users safe. Turn automatic updates on so that you are always current with the latest versions and protections they are providing.
  • Use unique complex passwords. Simple passwords are easy to crack and password reuse makes it easier for threat actors to compromise multiple sites. So, create long and unique pass phrases. If this is difficult to track, use a password manager to generate and remember different, complex passwords for you.
  • Use multi-factor authentication. Whenever possible, double-down on access controls with multi-factor authentication (MFA) so that a password alone is not sufficient to gain access to your systems and data.
  • Do not leave your device unlocked or unattended. Turn on automatic locking so that your device is not accessible without a passcode. If available, use facial recognition to make it even more difficult for unauthorized users to gain access to your device.
  • Do not click on suspicious links on the internet or in emails. Think before you click. Hover over links before you click to check to see if they are valid. Better yet, open another tab and go directly to the site instead of clicking on the link.
  • Read terms of service closely before signing any contracts. It is important to fully understand what you are agreeing to before you sign on the dotted line. Even if the use of keylogging is well-hidden in the terms of service, your signature will serve as consent.
  • Carefully control physical access to buildings and networks. Hardware keyloggers sit at the intersection of physical and cyber security. So it is important for organizations to carefully control physical access to buildings and who has access to their networks as well as employ the recommendations above to mitigate risk of keylogging.

How keylogging and DDoS attacks are linked

Attackers can use the credential information obtained by keyloggers to launch a large-scale attack, such as a DDoS attack, on company infrastructure.

In a DDoS attack, attackers use multiple compromised devices to flood a target system or network with an excessive volume of requests. These requests could be in the form of data packets, HTTP requests, or even connection requests. The flood of requests causes the server or network to become overwhelmed, resulting in a denial of service to normal traffic, meaning your end users can no longer access your site or service and you lose money.

To protect against DDoS attacks and prevent threat actors from using keystroke logging to compromise systems in this way, organizations can employ a combination of best practices and technology, including content delivery networks, traffic monitoring and anomaly detection, rate limiting, load balancers, web application server connection limits, IP blacklisting/whitelisting, and DDoS protection services.
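Of the controls listed above, rate limiting is the one most easily shown in code. The following Python is an added example, not code from the original post or from any product, of a per-client token bucket: each client may burst up to a fixed number of requests and then proceeds only as fast as tokens refill. The request stream is constructed for the example (one client browsing at a human pace, one hammering the server ten times a second), and the capacity and refill rate are assumed values.

```python
from collections import defaultdict


class TokenBucket:
    """Token bucket rate limiter using integer millitokens and millisecond
    timestamps, so long-running buckets never drift through float rounding."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity_mt = capacity * 1000          # bucket size, in millitokens
        self.refill_per_sec = refill_per_sec        # tokens/sec == millitokens/ms
        self.tokens_mt = self.capacity_mt           # a new client starts with a full burst
        self.last_ms = None

    def allow(self, now_ms):
        """Spend one token for a request at time now_ms; return False to reject it."""
        if self.last_ms is not None:
            refill = (now_ms - self.last_ms) * self.refill_per_sec
            self.tokens_mt = min(self.capacity_mt, self.tokens_mt + refill)
        self.last_ms = now_ms
        if self.tokens_mt >= 1000:
            self.tokens_mt -= 1000
            return True
        return False


def apply_rate_limit(requests, capacity=5, refill_per_sec=1):
    """requests: iterable of (timestamp_ms, client_ip).
    Returns {client_ip: (allowed, rejected)} after replaying them in time order."""
    buckets = defaultdict(lambda: TokenBucket(capacity, refill_per_sec))
    counts = defaultdict(lambda: [0, 0])
    for ts_ms, ip in sorted(requests):
        if buckets[ip].allow(ts_ms):
            counts[ip][0] += 1
        else:
            counts[ip][1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


# Constructed sample: a normal client (one request every 2 s) and a flooding
# client (one request every 100 ms for 2 s). Addresses are documentation ranges.
SAMPLE_REQUESTS = (
    [(t, "198.51.100.20") for t in range(0, 12000, 2000)]
    + [(t, "203.0.113.77") for t in range(0, 2000, 100)]
)


if __name__ == "__main__":
    for ip, (ok, dropped) in apply_rate_limit(SAMPLE_REQUESTS).items():
        print(f"{ip}: {ok} allowed, {dropped} rejected")
```

With a burst of 5 and a refill of 1 token per second, the browsing client's six requests all pass, while the flooding client gets its initial burst of five, one more once a full token has refilled at the one-second mark, and has the remaining fourteen rejected. Applied at the edge (a CDN or load balancer, as the list above suggests), the same logic bounds how much of your capacity any single source can consume, which is the point of the control; it does not by itself stop a distributed flood spread thinly across many sources.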

Conclusion

There are legitimate reasons to use keylogging that have benefited individuals. Software and computer manufacturers use it to help determine ongoing product development and enhancements. Keylogging provides details that can help troubleshoot and resolve IT issues. And companies can use it to monitor business servers and watch for unauthorized user activity as well as to supervise safe use of company property by an employee.

However, keyloggers have also become an increasingly stealthy and widespread way for threat actors to steal confidential information for purposes of identity theft, fraud, extortion, and stalking. The data stolen can also be used to execute widescale and damaging attacks including data breaches and DDoS attacks.

Fortunately, there are steps you can take to protect yourself from the risks of keyloggers—from detecting when keyloggers are in use and disabling them to employing cybersecurity best practices that mitigate risk of credential and data theft.

When keyloggers are successful and cybercriminals decide to use the keystroke logging data to cause massive disruptions, as in the case of DDoS attack, DDoS protection can help. It can provide uninterrupted service availability even in the midst of a DDoS attack and can protect you from follow-on threats including data leakage, ransom attacks, and other threats to your operations.
