What Is a Keylogger?
A keylogger is a program that monitors user keystrokes on a device. This can be used for both illegal and legitimate reasons but is often used as a kind of spyware or malware to steal credentials or other information from users. Threat actors will then use the information gathered from keyloggers to launch or escalate a cyber incident.
Legitimate Uses of Keyloggers
While keyloggers are often used by threat actors to obtain information and credentials for unsuspecting users — this can be done as research for a future attack or during an attack to gain privileged access — there are legitimate uses.
Examples of legitimate use include organizations monitoring employees’ actions or parents monitoring their children. Other examples include a product team recording keystrokes while a user tests a product, or an IT team using one to understand a problem a user is experiencing.
Once a keylogger is used for cybercrime, it becomes illegal.
How Keyloggers Work
Keyloggers fall into two categories: hardware keyloggers and software keyloggers.
Hardware keyloggers, as the name suggests, are physical devices (for example, one that looks like a USB thumb drive), while software keyloggers are programs that run in the background.
Software keyloggers are more often used by threat actors as they can be automatically triggered when malware is downloaded and can often run in the background without the user noticing.
Types of software keyloggers include:
- API keyloggers
- Form-grabbing keyloggers
While keyloggers may vary in form or in how they’re activated, they all have the same goal: to monitor and record keystrokes.
Keyloggers can end up on a user’s device through a variety of methods. The most common vectors used by threat actors are:
- Web page scripts. Here the keylogger is part of malicious code on a website that is activated when the browser downloads and runs that code.
- Phishing. Malicious links or files containing keyloggers are a hallmark of phishing emails. Other social engineering tactics can also result in a keylogger download.
- Software downloads. If a user downloads suspicious software, it could end up containing a keylogger program.
Dangers of Keyloggers
As mentioned above, keyloggers can be used at multiple stages during an attack, depending on the threat actor’s need. However, they are commonly used for credential theft, which can then be used as a root point of compromise. Because keyloggers can be activated as soon as malware is downloaded, a keylogger can start gathering information long before a user is aware of it.
In addition, the stolen credentials can be used to launch a variety of attacks. For example, business email compromise (BEC) attacks rely on a threat actor gaining access to an email account within an organization, which can be done with stolen credentials. If an attack is in progress, the use of a keylogger can reveal credentials that lead to privileged access, escalating the attack further.
Software keyloggers can disguise themselves as legitimate programs, and hardware keyloggers can be difficult for security software to detect. This makes them dangerous to users and a favorite for threat actors.
Of course, the danger exists beyond credentials. Cybercriminals can steal credit card information, bank account information, email account information, private data, and more. This wide range of information allows cybercriminals to launch further attacks with ease.
How to Protect Your Organization Against Keyloggers
Because keyloggers are often downloaded through user action, user education is paramount in preventing them.
A strong security awareness training program can go a long way toward helping users spot social engineering attacks, recognize what suspicious sites, links, and files look like, and stay safe in a variety of digital situations.
Arctic Wolf® Managed Security Awareness prepares your employees to recognize and neutralize social engineering attacks and human error — helping to end cyber risk at your organization.
As many attacks that start with keyloggers are credential-based attacks, having strong identity and access management and implementing a Zero Trust framework — which utilizes tactics like multi-factor authentication (MFA) — can stop an attack from escalating and eliminate the privileged access that threat actors may take advantage of in an attack.
While it’s hard for security software to spot keyloggers, if credentials are taken and unusual behavior occurs, detection and response software can stop these attacks before they escalate. Arctic Wolf® Managed Detection and Response (MDR) provides 24×7 monitoring of your networks, endpoints, and cloud environments to help you detect, respond to, and recover from modern cyber attacks.
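As an added example (not Arctic Wolf's code and not part of the original article) of the "unusual behavior" a detection pipeline can key on when stolen credentials are used: the script below builds a per-user baseline of login sources from a training window of authentication events, then flags a successful login from a source the user has never used and escalates to high severity when a privileged action follows that login within a short window. The log format, field names, users and addresses are all constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not real data): ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=alice src=10.0.5.21 action=login result=success
2024-03-01T08:45:09Z user=alice src=10.0.5.21 action=login result=success
2024-03-01T09:10:33Z user=bob src=10.0.5.40 action=login result=success
2024-03-02T03:14:02Z user=alice src=203.0.113.77 action=login result=failure
2024-03-02T03:14:40Z user=alice src=203.0.113.77 action=login result=success
2024-03-02T03:16:05Z user=alice src=203.0.113.77 action=role_grant result=success
2024-03-02T09:01:12Z user=bob src=10.0.5.40 action=login result=success
"""


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    action: str
    result: str


def parse_log(text: str) -> list:
    """Parse the constructed key=value log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, kv["user"], kv["src"], kv["action"], kv["result"]))
    return events


def detect(events: list, baseline_until: datetime, window: timedelta = timedelta(minutes=10)) -> list:
    """Return alerts as (timestamp, user, severity, reason) tuples.

    Events before `baseline_until` train the per-user set of known login sources;
    later events are scored against that baseline.
    """
    known = {}  # user -> set of sources seen in successful logins during the baseline
    for e in events:
        if e.ts < baseline_until and e.action == "login" and e.result == "success":
            known.setdefault(e.user, set()).add(e.src)

    alerts = []
    new_source_logins = []  # successful logins from a source not in the user's baseline
    for e in events:
        if e.ts < baseline_until:
            continue
        if e.action == "login" and e.result == "success":
            if e.src not in known.get(e.user, set()):
                alerts.append((e.ts, e.user, "medium", f"login from new source {e.src}"))
                new_source_logins.append(e)
        elif e.result == "success":
            # Any non-login action shortly after a new-source login is treated as privileged activity
            # on a possibly stolen credential and raised to high severity.
            for s in new_source_logins:
                if s.user == e.user and s.src == e.src and timedelta(0) <= e.ts - s.ts <= window:
                    alerts.append((e.ts, e.user, "high",
                                   f"{e.action} within {window} of new-source login from {e.src}"))
                    break
    return alerts


def run_demo() -> list:
    """Run the detector over the constructed log with 2024-03-01 as the baseline day."""
    events = parse_log(SAMPLE_LOG)
    return detect(events, baseline_until=datetime(2024, 3, 2, tzinfo=timezone.utc))


if __name__ == "__main__":
    for ts, user, severity, reason in run_demo():
        print(ts.isoformat(), user, severity, reason)
```

In a real deployment the baseline would roll forward continuously and the "new source" test would use device identity or geolocation rather than a raw address, but the shape is the same: a keylogged password lets the attacker authenticate successfully, so the signal lives in where and what comes next, not in a failed login.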