Cybersecurity Glossary

Keylogger


What Is a Keylogger?

A keylogger is a program that monitors user keystrokes on a device. This can be used for both illegal and legitimate reasons but is often used as a kind of spyware or malware to steal credentials or other information from users. Threat actors will then use the information gathered from keyloggers to launch or escalate a cyber incident.   

Legal Uses of Keyloggers

While keyloggers are often used by threat actors to obtain information and credentials from unsuspecting users (either as research for a future attack or during an attack to gain privileged access), there are legitimate uses.

Examples of legitimate uses of keyloggers include organizations utilizing them to monitor employees’ actions or even parents using them to monitor children. Other examples include a product team using them while a user tests a product or by an IT team to try to understand a user-centered problem. 

Once a keylogger is used for cybercrime, it becomes illegal.   

How Do Keyloggers Work?

Keyloggers fall into two categories: hardware keyloggers and software keyloggers. 

  • Hardware keyloggers, as the name suggests, are physical devices, such as a small USB dongle plugged in between the keyboard and the computer, while software keyloggers are programs that run in the background.
  • Software keyloggers are more often used by threat actors because they can be triggered automatically when malware is downloaded and can often run in the background without the user noticing.

Types of software keyloggers include:  

  • API keyloggers  
  • JavaScript keyloggers 
  • Form-grabbing keyloggers 

While keyloggers may vary in form or in how they are activated, they all have the same goal: to monitor and record keystrokes. In the hands of threat actors, keyloggers are used for credential theft, financial fraud, lateral movement, reconnaissance, or to exfiltrate and sell data.

Keyloggers can end up on a user’s device through a variety of methods. The most common vectors used by threat actors are:  

  • Web page scripts: The keylogger is part of malicious code on a website that runs once the page's code is downloaded and executed by the browser.
  • Phishing: Malicious links or attachments containing keyloggers are a hallmark of phishing emails. Other social engineering tactics can also result in a keylogger download.
  • Software downloads/drive-by downloads: If a user downloads suspicious software, it could contain a keylogger program.
  • Remote access compromise: Attackers gain access to an endpoint or application and install the keylogger themselves.

What Are the Dangers of Keyloggers?

As mentioned above, keyloggers can be used at multiple stages during an attack, depending on the threat actor’s need. However, they are commonly used for credential theft, which can then be used as a root point of compromise. Because keyloggers can be activated as soon as malware is downloaded, a keylogger can start gathering information long before a user is aware of it. 

In addition, the stolen credentials can be used to launch a variety of attacks. For example, business email compromise (BEC) attacks rely on a threat actor gaining access to an email account within an organization, which can be done with stolen credentials. If an attack is already in progress, a keylogger can reveal credentials that lead to privileged access, escalating the attack further.

Software keyloggers can disguise themselves as legitimate programs, and hardware keyloggers can be difficult for security software to detect. This makes them dangerous to users and a favorite for threat actors.   

Of course, the danger exists beyond credentials. Cybercriminals can steal credit card information, bank account information, email account information, private data, and more. This wide range of information allows cybercriminals to launch further attacks with ease. 

How to Protect Your Organization Against Keyloggers 

Because keyloggers quietly capture what users type, prevention must focus on stopping installation, reducing the usefulness of captured data, and detecting and removing infections before they escalate.

Protection methods include: 

  1. Utilize multi-factor authentication (MFA) across the user base to prevent potentially compromised credentials from being utilized. 
  2. Practice robust vulnerability management, particularly in regard to applications and endpoints that threat actors may target with keyloggers. 
  3. Follow identity and access management (IAM) best practices, with an emphasis on access controls and a zero trust approach.
  4. Monitor endpoint logs for unusual network activity or unexpected outbound connections.
  5. Deploy detection and response solutions, such as endpoint security and managed detection and response (MDR), to better monitor, detect, and respond to threats like keyloggers.
  6. Employ security awareness training to train users on the dangers of keyloggers and how they may be installed on an endpoint or application. 
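
The fourth item above, watching endpoint logs for unexpected outbound connections, is the one a security team can turn directly into detection logic. A software keylogger that has captured keystrokes still has to send them somewhere, and that traffic tends to look different from a user's browsing: small payloads, sent on a regular timer, to a host the organization has no business relationship with. The script below, an added example that is not part of the glossary entry or any Arctic Wolf product, parses a constructed endpoint connection log and flags process/destination pairs that show that pattern. The log format, the process name `svchost_helper.exe`, the destination address and the thresholds are all assumptions chosen for the illustration.

```python
"""Flag outbound connections that look like periodic, low-volume exfiltration,
the network pattern a software keylogger produces when it ships captured
keystrokes to its operator.

Constructed example for the "monitor endpoint logs" advice above. The log
format, the process name, the destination and the thresholds are assumptions,
not a real product's telemetry or detection rule."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed telemetry, one connection per line:
#   <ISO timestamp> <process> <pid> <destination_host>:<port> <bytes_out>
# "svchost_helper.exe" is a made-up process name and 203.0.113.45 is a
# documentation (TEST-NET-3) address, used here as a stand-in for an
# unknown external host.
SAMPLE_LOG = """\
2024-05-01T09:00:00 outlook.exe 4120 outlook.office365.com:443 18240
2024-05-01T09:00:05 svchost_helper.exe 5312 203.0.113.45:8080 612
2024-05-01T09:01:05 svchost_helper.exe 5312 203.0.113.45:8080 598
2024-05-01T09:01:30 chrome.exe 2210 www.example.com:443 90210
2024-05-01T09:02:05 svchost_helper.exe 5312 203.0.113.45:8080 640
2024-05-01T09:03:04 svchost_helper.exe 5312 203.0.113.45:8080 577
2024-05-01T09:04:06 svchost_helper.exe 5312 203.0.113.45:8080 611
2024-05-01T09:05:00 chrome.exe 2210 www.example.com:443 45000
2024-05-01T09:07:00 teams.exe 3300 teams.microsoft.com:443 22000
"""

# Destinations the organization expects to see; anything else is "unknown".
KNOWN_GOOD = {"outlook.office365.com", "www.example.com", "teams.microsoft.com"}

MIN_CONNECTIONS = 4    # need several samples before calling it a beacon
MAX_JITTER = 0.25      # stdev/mean of the gaps; human traffic is far burstier
MAX_BYTES = 4096       # keystroke batches are small compared to web traffic


def parse_log(text):
    """Parse the constructed format into (timestamp, process, pid, host, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, pid, dest, size = line.split()
        host = dest.rsplit(":", 1)[0]
        events.append((datetime.fromisoformat(ts), proc, int(pid), host, int(size)))
    return events


def find_beaconing(events, known_good=KNOWN_GOOD):
    """Return one finding per (process, pid, host) whose connections to an
    unknown host are regular in time and small in size."""
    groups = defaultdict(list)
    for ts, proc, pid, host, size in events:
        if host in known_good:
            continue
        groups[(proc, pid, host)].append((ts, size))

    findings = []
    for (proc, pid, host), conns in groups.items():
        if len(conns) < MIN_CONNECTIONS:
            continue
        conns.sort()
        # Seconds between consecutive connections; a timer gives near-constant gaps.
        gaps = [(later - earlier).total_seconds()
                for (earlier, _), (later, _) in zip(conns, conns[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        all_small = all(size <= MAX_BYTES for _, size in conns)
        if jitter <= MAX_JITTER and all_small:
            findings.append({
                "process": proc,
                "pid": pid,
                "host": host,
                "connections": len(conns),
                "avg_interval_s": round(avg, 2),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beaconing(parse_log(SAMPLE_LOG)):
        print(f"suspect beacon: {f['process']} (pid {f['pid']}) -> {f['host']} "
              f"every ~{f['avg_interval_s']}s, {f['connections']} connections")
```

On the sample data only the made-up `svchost_helper.exe` is reported: five connections to an unknown host about 60 seconds apart, each a few hundred bytes. The browser and mail clients are skipped by the allowlist, and even with an empty allowlist they do not produce enough evenly spaced connections to qualify. In practice the thresholds need tuning against the organization's own baseline, and a hit is a lead for the analyst to check the process on the endpoint, not proof on its own.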

Learn how Arctic Wolf Managed Security Awareness can reduce your organization’s human risk and better harden your identity attack surface. 

Explore how credentials and identities are targeted in cyber attacks, and how your organization can stay protected.


Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.