What is a Keylogger?
A keylogger is a software program that tracks and records every keystroke a person makes on a computer device. A malicious keylogger is a type of spyware.
Keyloggers are sometimes used legitimately by enterprise IT departments who install them on devices owned by the business to monitor employee activities. However, digital threat actors can weaponize keyloggers as a form of spyware, using them to infect target devices and steal data or credentials from users by illicitly monitoring their keystrokes.
How Do Keylogger Attacks Work?
The goal of an illicit keylogger attack is to steal private information from the victim by monitoring keystrokes on their machine. A successful keylogger attack breaks down into the following essential steps:
1. Acquiring Keylogger Tools
The first step for a digital adversary is to gain possession of a tool that can record keystrokes on the target machine. Keyloggers come in two forms: hardware (a physical device installed between the keyboard and the monitor) or software (a malicious spyware program that infects the target machine).
Most keylogger attacks are software-based and deployed over the Internet. Sophisticated digital adversaries can program their own keyloggers with powerful anti-detection features, while others may choose to buy or rent keylogger tools from other cyber criminals.
2. Infecting a Targeted Machine
The next step for a digital adversary is to infect the victim’s machine with the keylogger. This process often uses some type of social engineering that convinces the victim to visit a malicious domain or open a malicious email attachment and download the keylogger onto their machine.
Keylogger attacks can be highly targeted towards specific organizations, but it’s equally common for digital adversaries to spam links to their malicious download page across the Internet in hopes of infecting anyone they can.
3. Data Capture and Transmission
Once a keylogger infects a machine, it is programmed to spy on the user by recording all keystrokes on that machine and transmitting the information to the digital adversary. The keylogger runs in the background on the machine and may be difficult or impossible for an unsophisticated user to detect. Some keylogger tools have even been programmed to self-delete after a period of time to avoid detection and removal.
4. Data or Credential Theft
Keyloggers readily capture all kinds of sensitive information from the user, including personal data, email login credentials, financial institution login credentials, or access credentials for other secured networks and systems.
This data is saved in a file and transmitted to digital adversaries over the victim’s Internet connection. Digital adversaries can use the data they capture from victims to progress the attack in many ways, including by:
- Stealing the victim’s identity,
- Accessing the victim’s email to launch impersonation attacks,
- Accessing the victim’s online banking to initiate fraudulent transactions, or
- Using the victim’s credentials to steal data from other systems that the victim accessed while the keylogger was installed.
4 Keyloggers You Should Know
- DarkHotel
First detected in 2014, DarkHotel is a software-based keylogger that specifically targets victims using the unsecured Wi-Fi networks that hotels offer to their guests. DarkHotel falsifies security certificates and manipulates its victims into downloading the keylogger onto their machine when they access the hotel Wi-Fi. Once the keylogger is installed, it steals data from the victim before eventually self-deleting. DarkHotel has been used to target business executives and steal information like business passwords, IP, and banking credentials.
- Olympic Vision
Olympic Vision is a software keylogger tool that can be purchased online for as little as $15/month. After infecting a target machine, Olympic Vision has numerous capabilities for spying on the victim: it can steal information about the system configuration, access passwords saved on the machine, record keystrokes, and even take screenshots.
Olympic Vision is commonly used in business email compromise (BEC) attacks, where hackers gain unauthorized access to an executive’s email account, then impersonate the executive in communications to direct fraudulent transactions or steal other data.
- Snake Keylogger
Also known as 404 Keylogger, Snake Keylogger is an information-stealing spyware program that was first detected in late 2020. Snake is often spread via email, as part of a mass phishing or targeted spear phishing campaign, and may be embedded in a malicious PDF, Microsoft Word, or Microsoft Excel file.
Snake Keylogger has the ability to record keystrokes, take screenshots, and exfiltrate sensitive data from infected machines. It has primarily been used to steal sensitive data for fraud and identity theft purposes, or to steal money by giving hackers access to the victim’s bank accounts.
How to Protect Your Business from Keylogger Attacks
Start Cyber Security Awareness Training for Employees
Cyber security awareness is your organization’s first line of defense against keylogger attacks. This type of training educates employees on the various kinds of cyber threats that exist and how digital adversaries use technology and social engineering to attack target organizations.
Employees also learn to follow email security best practices, such as:
- Identifying the source of an email before opening it,
- Recognizing suspicious emails,
- Never clicking on a link in an email from an unknown source, and
- Never downloading or opening an attachment from an unknown source.
Use Multi-Factor Authentication
Multi-factor authentication provides an additional layer of protection against keylogger attacks. Several types of multi-factor authentication can be implemented, including one-time passwords, SMS messages, or a physical USB token. Multi-factor authentication ensures that hackers cannot log in to secured enterprise systems, even if they manage to steal access credentials using a keylogger.
Implement Anti-Phishing Software
Enterprise anti-phishing software provides detection and disruption of phishing attacks on every platform where they occur, including email, social media, and business collaboration tools.
Identify and Block Malicious Keylogger Attacks with ZeroFox
ZeroFox provides digital risk protection, threat intelligence, and adversary disruption services to detect and disrupt attempted phishing and keylogger attacks before digital adversaries can steal your sensitive data.
ZeroFox anti-phishing software leverages AI-powered technology to identify and remediate phishing and malware attacks through email, social media, and malicious domains.
Want to learn more?
Read our white paper on The Anatomy of a Phishing Kit to learn more about detecting and removing phishing threats against your organization.