
What is a Keylogger?

Keyloggers are malicious monitoring programs that collect sensitive data.

May 13, 2025 | 5 min read | Tags: Authentication, MFA, Password

A keylogger (also known as a keyboard logger) records and monitors the data a user enters on the keyboard. This can be either all the data entered or just specific keywords such as passwords, PINs and the like. In the past, keyloggers could only capture analog keystrokes, but modern keyloggers can now also record mouse movements, screenshots or virtual key presses.

A keylogger can be compared to a person standing directly behind the user, reading everything and recording the visible information on the screen.

Technically speaking, the keylogger sits between the operating system (or directly on the computer) and the application to be monitored, so that no encryption has to be bypassed. By installing the keylogger directly on the victim’s system or network, the attacker has already overcome the victim’s most important defense (security hurdle). Once a keylogger is installed in the secure system area, detection is only possible with a great deal of effort. The use of keylogger technology itself is legal, but its unauthorized use is not. This is not surprising, since this technology is often associated with hacker attacks or espionage.

What Types of Keyloggers Are There?

There are two basic types of keyloggers: the less common hardware keyloggers, and software keyloggers, which are computer programs and the type used most often today.

Hardware Keyloggers

A hardware keylogger is a physical device, usually small and in the form of a plug-in adapter that is inserted between the keyboard and the computer. Nowadays, these devices are rarely used for this purpose, since most users work with laptops or docking stations and the cables are visible on the table. An unauthorized intermediate plug would quickly be noticed. Alternatively, such devices are increasingly being built into computers or even smartphones, where they are no longer noticeable. Either way, a hacker needs physical access to install the device or to connect it in between. But for computers or systems that are not connected to the internet, it can often be the only way to record data.

Hardware keyloggers are used in attacks on companies when it is known that the targeted computer does not have an Internet connection. The hacker must gain physical access to the hardware location at least once. To get the data recorded by the keylogger, the attacker must gain access to the device a second time to remove the plug and read the data. If they use a more advanced model that transmits the recorded data remotely via radio or WLAN, the attacker only needs to access the hardware again if they want to remove the device and thereby prevent the recording from being detected later.

Other types of hardware keyloggers include devices that work with a hidden camera and film the keystrokes, or modules that are built directly into a keyboard and are therefore not visible from the outside.

Software Keyloggers

Software keyloggers are small computer programs that are installed on the target’s hard drive to record the keyboard strokes and send them to the attacker. This malware is usually installed by clicking on a malicious e-mail attachment or by visiting an infected website, which requires an Internet connection. However, since no physical access to the corresponding computer is needed, attackers generally prefer these virtual software keyloggers.

There are several variants here as well, such as form keyloggers, which log all text entered into website forms. Alternatively, kernel-based keyloggers embed themselves in the system kernel of the operating system. This is particularly attractive for attackers because they can gain unrestricted access to the entire system via the administrator rights stored here.

How to Detect and Protect Yourself from Keyloggers

Hardware keyloggers that are not permanently installed in the device can be detected relatively easily. It is best to notify the IT department immediately and remove the device, but to keep it rather than dispose of it, so that a possible attacker can be identified. Proper cable management is the best defense against hardware keyloggers, as external changes to the hardware quickly attract attention. In addition, a strict access system ensures that attackers do not even get close to the computers.

Software keyloggers, on the other hand, are much more difficult to detect after successful installation, as they are usually hidden in a subdirectory. Monitoring tools can help to track outgoing communication and to document and raise the alarm in the event of unusual data loss; antivirus programs can also partially detect the use of a keylogger.
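The outbound-traffic monitoring described above, as an added example that is not part of the original article: a Python check that reads egress records and raises an alert when a process sends data without being on an approved list, or when an approved process exceeds its byte budget. The log format, hosts, process paths, destinations and budgets are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample egress records (not real telemetry), one per line:
# timestamp|host|process_path|destination|bytes_out
SAMPLE_LOG = """\
2025-05-13T09:00:02|ws-17|/usr/bin/mailclient|mail.example.org:993|4200
2025-05-13T09:05:10|ws-17|/usr/bin/browser|intranet.example.org:443|18000
2025-05-13T09:10:00|ws-17|/home/kim/.cache/.upd/svc|203.0.113.25:8080|310
2025-05-13T09:20:00|ws-17|/home/kim/.cache/.upd/svc|203.0.113.25:8080|295
2025-05-13T09:30:00|ws-17|/home/kim/.cache/.upd/svc|203.0.113.25:8080|330
2025-05-13T09:31:44|ws-17|/usr/bin/browser|intranet.example.org:443|950000
malformed line without fields
"""

# Assumed policy: processes allowed to send data, each with a byte budget
# for the observation window covered by the log.
EGRESS_BUDGET = {"/usr/bin/mailclient": 50_000, "/usr/bin/browser": 200_000}


def parse_records(log_text):
    """Yield (host, process, dest, bytes_out); skip lines that do not parse."""
    for line in log_text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        _ts, host, process, dest, sent = parts
        yield host, process, dest, int(sent)


def find_egress_alerts(log_text, budget=EGRESS_BUDGET):
    """Return sorted alerts: (host, process, reason, total_bytes, destinations)."""
    totals, dests = defaultdict(int), defaultdict(set)
    for host, process, dest, sent in parse_records(log_text):
        totals[(host, process)] += sent
        dests[(host, process)].add(dest)
    alerts = []
    for (host, process), total in totals.items():
        if process not in budget:
            reason = "unapproved_sender"   # any outbound data from it is suspect
        elif total > budget[process]:
            reason = "budget_exceeded"     # unusual volume for a known program
        else:
            continue
        alerts.append((host, process, reason, total, sorted(dests[(host, process)])))
    return sorted(alerts)


if __name__ == "__main__":
    print(*find_egress_alerts(SAMPLE_LOG), sep="\n")
```

The unapproved-sender rule fires on any outbound data from an unlisted program regardless of volume, while the budget rule covers unusual volume from programs that are expected to communicate.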

The best way to prevent the installation of a keylogger is to ensure that such malware cannot be installed on your system in the first place. To do this, it is important that all programs, including the operating system, are always kept up to date and that users do not click on links in e-mails from unknown sources. In addition, employee training courses that specifically address the topic of online security and recommended security measures can help.

In addition, two-factor or multi-factor authentication generally provides good protection. Even if an attacker can steal passwords and thus overcome the first security factor, this is of little use to the hacker as long as they do not know the security features of the second factor required for successful authentication.

Finally, a particularly devious trick used by some hackers is worth mentioning: hackers deliberately leave external hard disks or USB sticks in heavily frequented public spaces. They speculate that the finder will connect the storage medium to their own system and, in doing so, unwittingly install a keylogger when the device is connected to the system and a file on the hard disk is clicked.