What is a Keylogger?
A keylogger is a form of malware or hardware that keeps track of and records your keystrokes as you type. It takes the information and sends it to a hacker using a command-and-control (C&C) server. The hacker then analyzes the keystrokes to locate usernames and passwords and uses them to hack into otherwise secure systems.
Types of Keyloggers
A software keylogger is a form of malware that infects your device and, if programmed to do so, can spread to other devices the computer comes in contact with. While a hardware keylogger cannot spread from one device to another, like a software keylogger, it transmits information to the hacker or hacking organization, which they will then use to compromise your computer, network, or anything else that requires authentication to access.
Software keyloggers consist of applications that have to be installed on a computer to steal keystroke data. They are the most common method hackers use to access a user’s keystrokes.
A software keylogger is put on a computer when the user downloads an infected application. Once installed, the keylogger monitors the keystrokes on the operating system you are using, checking the paths each keystroke goes through. In this way, a software keylogger can keep track of your keystrokes and record each one.
After the keystrokes have been recorded, they are then automatically transferred to the hacker that set up the keylogger. This is done using a remote server that both the keylogger software and the hacker are connected to. The hacker retrieves the data gathered by the keylogger and then uses it to figure out the unsuspecting user’s passwords.
The passwords stolen using the key logger may include email accounts, bank or investment accounts, or those that the target uses to access websites where their personal information can be seen. Therefore, the hacker's end goal may not be to get into the account for which the password is used. Rather, gaining access to one or more accounts may pave the way for the theft of other data.
A hardware keylogger works much like its software counterpart. The biggest difference is hardware keyloggers have to be physically connected to the target computer to record the user's keystrokes. For this reason, it is important for an organization to carefully monitor who has access to the network and the devices connected to it.
If an unauthorized individual is allowed to use a device on the network, they could install a hardware keylogger that may run undetected until it has already collected sensitive information. After hardware keystroke loggers have finished keylogging, they store the data, which the hacker has to download from the device.
The downloading has to be performed only after the keylogger has finished logging keystrokes. This is because it is not possible for the hacker to get the data while the key logger is working. In some cases, the hacker may make the keylogging device accessible via Wi-Fi. This way, they do not have to physically walk up to the hacked computer to get the device and retrieve the data.
How are Keyloggers Constructed?
The primary concept behind keyloggers is they must be placed between when a key gets depressed on a keyboard and when the information regarding that keystroke appears on the monitor. There are several ways to accomplish this.
Some hackers use video surveillance to see the connection between the pressed keys and what appears on the monitor. A video camera with a view of the keyboard and the screen can be set up. Once it records a video of the keystrokes and the login or authentication screens the strokes have to get past, the hacker can play the video back, slow it down, and see which keys were pressed.
An attacker can also put a hardware bug inside the keyboard itself. This would record each stroke made and send the information to be stored, either on a server or nearby physical device. It is possible for a keylogger to be placed within the wiring or inside the computer—as long as it is between the keyboard and the monitor.
Additionally, keylogger software can be designed to intercept all input that comes from the keyboard. This can be done using a few different methods:
- The driver that facilitates the interaction between the keyboard and the computer can be replaced with one that logs each keystroke.
- A filter driver can be positioned within the keyboard stack.
- Kernel functions, which use similarities between data to assist machine learning, can be intercepted by software keyloggers and then used to derive the necessary keystrokes to perform authentication functions.
- The functions of the dynamic link library (DLL), which stores code used by more than one program, can be intercepted.
The software, which is recognized as a form of spyware, is built using a few different methods. Here are the most common:
- A system hook, which is a technique for altering the operating system's behavior, is used to intercept each notification generated whenever a key is pressed. This kind of software is typically built using the coding language C.
- A cyclical information request is set up that gathers information from the keyboard. These kinds of keyloggers are typically written using Visual Basic or Borland Delphi.
- A filter driver is written in C and installed inside the computer.
As a sort of defense mechanism, some keyloggers, referred to as rootkits, have the ability to disguise themselves to slip manual or antivirus detection. They either mask in user mode or kernel mode.
How to Detect a Keylogger
The simplest way to detect a keylogger is to check your task manager. Here, you can see which processes are running. It can be tough to know which ones are legitimate and which could be caused by keyloggers, but you can differentiate the safe processes from the threats by looking at each process up on the internet. In some cases, you may find a warning written by another user regarding a process, or several processes, that indicate keylogger activity.
To access the task manager in Windows, right-click on the taskbar, and then choose "Task Manager" from the menu.
In this window, each program under the Apps section are the ones in use by your computer, which will appear in windows on your screen. You will not see a keylogger in this section. However, you may be able to find one by looking through the Background processes section.
Another good place to look for keyloggers is under the Startup tab. Keyloggers get set up to run all the time on a computer, and to do that, they need to be started up with the operating system. As you peruse the Startup list, look for anything you cannot remember installing yourself. If something seems out of place, click on its line and then click on the Disable button on the lower-right side of the window.
You can also check for keyloggers by examining your computer’s internet usage report. To access this in Windows, press the Windows button and “I” at the same time. This will bring you to the settings screen. Here, you should choose "Network & Internet," then "Data usage." A list of the programs that your computer is using to access the internet will appear. If anything seems suspicious or you simply do not recognize it, do a search to investigate what it is. It may be a keylogger.
You can do the same form of investigation with browser extensions. If there are extensions you do not recall installing, disable them because they could be keyloggers. Here is how to access your extensions in some of the most common browsers:
- Safari: Choose "Preferences" in the Safari menu and click on "Extensions."
- Chrome: Go to the address field and type "chrome://extensions."
- Opera: Choose "Extensions," then select "Manage Extensions."
- Firefox: Enter "about: addons" in the address field.
- Microsoft Edge: Select "Extensions" in your browser menu.
- Internet Explorer: Go to the Tools menu and choose "Manage add-ons."
How Keyloggers Attack Your Device
To gain access to your device, a keylogger has to be installed inside it or, in the case of a hardware keylogger, physically connected to your computer. There are a few different ways keyloggers attack your device.
Spear phishing is one of the most prominent methods of initiating a malware infection. In most cases, a phishing email or link is used to target a consumer. The link looks legitimate—it may even appear to come from a relative or a friend. However, after you open the email or click on a link, a keylogger is installed on your device. Spear-fishing attacks may also be used to launch a sextortion attack.
Drive-by downloading refers to when a keylogger is installed on your computer without you knowing. This is often accomplished using a malicious website. When you visit the site, malware gets installed on your computer. It then works in the background, undetected, logging your keystrokes, then sending them to the attacker.
It is common for Trojan horses to have keyloggers bundled inside. A Trojan horse, similar to the one used in the Greek myth, appears to be benevolent. When the user opens it, malware containing a keylogger gets installed on their device. The malware, once installed, keeps track of the user's keystrokes and then reports them to a device accessed by the hacker.
Problems Caused by Keyloggers
In addition to compromising the security of your device, keyloggers can cause auxiliary issues on the device itself. The effects are somewhat different based on the type of device that has been infected.
Desktops and Laptops
Unknown Processes Consuming Computing Power
Like all types of software, keyloggers need to initiate a process in order to work. Each process your computer has to execute requires processing power. A keylogger’s process, once initiated, can be a drain on your computing power. This may result in other applications not running the way they normally would or should. You can figure out which processes are running by pulling up the task manager, as described above in “How to Detect a Keylogger.”
Delays During Typing
Because a keylogger positions itself between the keyboard and the monitor, one sign of a keylogger may be a delay when you type. If you typically see letters, numbers, or symbols appear on your screen immediately after you hit each key but then you notice a slight delay, that could be a sign that a keylogger is interrupting the process.
In some cases, the delayed typing may be due to circumstances like not enough random access memory (RAM), but if you notice this symptom, it may be a good idea to check for keyloggers.
Applications Freeze Randomly
As a keylogger does its work, it may interrupt normal application processing. This can cause the application to freeze without warning. If your applications are freezing more than usual, a keylogger could be the culprit.
Androids and iPhones
While there may not be any hardware keyloggers designed to attack mobile devices, Androids and iPhones can still be compromised by software keyloggers. These work by capturing where on the screen the user presses or taps, which allows the keylogger to see the virtual buttons pressed while the owner types. The data is then recorded and reported to a hacker.
The threat may be even worse with these forms of keyloggers because they do more than merely monitor and record keystrokes. They can also record screenshots, things picked up by the camera, the activity of connected printers, what goes into the microphone, and network traffic. A keylogger even has the ability to prevent you from going to certain websites.
To get a keylogger onto a mobile device, a hacker only needs to access it for a short period of time. You can also unintentionally install a keylogger on your device by clicking on a link or attachment.
How to Protect My Devices from Keylogging
The best way to protect your devices from keylogging is to use a high-quality antivirus or firewall. You can also take other precautions to make an infection less likely.
You may use a password manager to generate highly complex passwords—in addition to enabling you to see and manage your passwords. In many cases, these programs are able to auto-fill your passwords, which allows you to bypass using the keyboard altogether.
If you are not typing, a keylogger cannot record any strokes, and since password characters are usually replaced by asterisks, even a video surveillance system would not be able to figure out what was entered. In addition, use multi-factor authentication (MFA) when you have the option. A keylogger may deduce your password, but the second phase of the authentication process may deter them.
A virtual keyboard can also help prevent keyloggers from accessing your keystrokes. Even a hypervisor-based keylogger, which uses a separate operating system running underneath your main one, cannot access keystrokes performed on a virtual keyboard. On a Windows computer, you can press the Windows key and “R” at the same time to access its virtual keyboard.
It is also a good idea to periodically check the hardware connections on your computer. While hardware keyloggers are not as common, the back of a PC’s tower may be an inviting attack surface for a keylogging hacker. This is also true when working on a public computer. The attacker may have installed a hardware keylogger days or weeks before you log in to your bank, brokerage, or email accounts.
How Fortinet Can Help
Even though keylogging attacks are prevalent on the internet, the Fortinet cybersecurity tools can help safeguard your computer and network. One of the primary ways keyloggers infect your computer is through malware. The FortiGuard Antivirus security service can stop malware in its tracks.
FortiGuard Antivirus provides a barrier against the latest spyware and viruses, including keyloggers. Its ability to find and address malware is powered by advanced detection engines that scour the internet for new and evolving threats. FortiGuard maintains an index of these threats as they circulate the internet. The list, which includes keyloggers that have attacked other computers, is updated on a constant basis.
Every time a keylogger is detected, including new ones that appear on the scene, it is added to the FortiGuard database of threats. Networks protected by FortiGuard are therefore automatically protected from thousands of keyloggers. Each hour, FortiGuard updates your protection, including measures used to block the latest keylogger malware.
You can use FortiGuard to safeguard your entire network or choose device-based licensing and deploy it on one computer at a time.