A keylogger (or keystroke logger) is a type of spyware that monitors and records what you type on your computer or mobile phone, according to Norton anti-virus and anti-malware security systems.
Keylogging software or hardware can be used to monitor activity for legal or illegal purposes.
How keyloggers work
Keyloggers work by recording the interactions a user has with their keyboard, allowing someone to access a log of every email, instant message, search query, password, username, or other keyed sequences that a user types.
Keylogging malware can infect your computer through many of the same mechanisms as other common viruses, but keyloggers can also be intentionally purchased and downloaded.
Keystroke malware can be delivered in a number of ways:
- Phishing emails: By clicking a link or downloading an attachment in a phishing email, text message, instant message, or social media post, you could accidentally download malware designed to track keystrokes.
- Trojan viruses: Named after the giant wooden horse that Greeks used to infiltrate Troy during the Trojan War, hackers trick users into downloading a Trojan virus by disguising it as a legitimate file or application.
- Zero-day exploit: A zero-day exploit happens when hackers discover an existing software security flaw and exploit it. Once developers learn of the vulnerability, it’s too late to protect users. These are particularly dangerous because once the systems are infected, they’re more susceptible to further attacks.
- Infected systems: Keyloggers can take advantage of an already-infected device or system and install other malicious software into that system.
Keystroke loggers are readily available, and there may even be one installed on the device you’re using right now. Keylogging software by itself isn’t necessarily problematic if you signed an agreement to use the device it’s installed on or if it was packaged in your device’s software suite.
What makes these tools problematic are issues of actor intent and victim consent. In short, keyloggers can either be tools or weapons, depending on who’s installing them and how they’re using the acquired information.
It’s important to know the difference, because malicious actors can use keylogging to capture your personal and financial information, PIN codes and account numbers, credit card numbers, usernames, passwords, and other sensitive data — all of which can be used to commit fraud or identity theft.
Types of keyloggers
For the general public, keyloggers are most commonly spread online via phishing scams, Trojan viruses, and fake websites. The hacker’s main goal is usually to obtain victims’ passwords, personal information, usernames, or banking information. Malicious keylogging mechanisms fall into two broad categories: software and hardware.
Software-based keyloggers
Many software-based keyloggers have rootkit functionality, meaning hackers can easily hide in your system to track your activity, save the data, and forward it to other cybercriminals. Some can even track your clipboard activity, location data, or your microphone and camera.
Keylogging programs can reach you at a few different levels:
- Kernel level: These are complex and difficult to write, so they aren’t especially common. Once installed, keyloggers affecting your device at the core of its operating system are especially difficult to diagnose and eradicate, as they’ve essentially been handed the “keys” to your device.
- Application programming interface (API) level: The most common form of keylogger software intercepts signals sent from your keyboard to the program you’re using. It’s like a recording device between your physical keyboard and a program on your screen, like your word processor.
- Screen level: Known as “screen scrapers,” these types of keyloggers take regular screenshots, recording what appears on your screen.
- Browser level: This is the least complex and least deeply rooted of the four types, but it can still be quite dangerous. This “form-grabbing” ploy records what you type into web forms, which may include everything from your Social Security number to login credentials.
Keylogging software programs are much more common than keylogger hardware because they’re discrete, can be packaged as malware, and are more readily available. However, keylogger hardware is still used for a variety of reasons and should not be ignored.
Hardware-based keyloggers
Hardware-based keystroke loggers have a physical component to their implementation, either in the wiring or hardware of a device or in the settings around it.
A common example of a hardware-based keylogger is the keyboard overlay that a hacker uses in an ATM skimming attack. Every time a bank customer presses the buttons on the criminal’s fake keypad — thinking it’s a legitimate ATM keypad — the keylogger records the keystrokes and sends the information to the cybercriminal.
These keyloggers can’t be detected by antivirus software because they aren’t installed on the computer, and they use their own internal memory to store and encrypt data.
There are several general types of hardware-based keystroke loggers that range in their level of sophistication:
- Keyboard: These keyloggers are installed either in the wiring connecting a keyboard to a computer or directly in the keyboard itself.
- Physical drive: Keylogger Trojans in this category are typically delivered via a USB drive or Mini PCI card.
- Third-party recording: The least sophisticated form of keylogger attack is an external recording device like a camera, which can be strategically placed to monitor public keypads or computer keyboards.
- Acoustic: This rarely used method of keystroke monitoring records the almost imperceptibly distinct sounds made when the different keys of a keyboard are struck.
While keylogging hardware may not be as common as its software-based counterpart, it can still be highly dangerous and can compromise vital data.
