What is a keylogger?

Keylogger, also named keystroke logging or keyboard capturing, is a form of spyware used for recording (and stealing) everything that you type on a computer or mobile keyboard.

By recording every keystroke on a keyboard, a criminal can obtain profitable sensitive information such as passwords, credit card numbers, financial account numbers, and confidential conversations.

How can your device get infected, and how to protect yourself from it?

How do keyloggers work?

As the name suggests, a keylogger is designed to secretly monitor and keep track of all keystrokes on PCs and mobile phones. There are two types of keyloggers:

• Software keyloggers – the programs (unknowingly) installed in your device;
• Hardware keyloggers – the physical devices built-in or connected to your PC.

Although software keyloggers are much more common, it is still crucial to mind the hardware-based risks.

How can a device get infected?

Keyloggers spread similarly to other malicious programs. It is possible to get a device infected with a keylogger in many ways:

• By clicking on a suspicious link and visiting a malicious website (getting a “drive-by download”);
• By opening an attached file (f. e. in work email);
• Visiting an infected website that exploits browser vulnerability;
• Romantic partners or concerned parents might secretly install a keylogging device to track what their spouses or children are texting;
• The USB stick-looking device can get inserted into a public computer (f. e. in the library) and record the actions.

Not all keyloggers are illegal.

Historically, keyloggers appeared as a spying tool. Today, they are also successfully used for legal purposes.

For instance, a keylogger can be used in IT departments to track how people use the test version of the software. It is then easier to detect and troubleshoot problems.

Also, keyloggers are often integrated into employees’ computers for security reasons – to track confidential inputs (related to commercial, inside information) that could damage the company if disclosed.

To put it briefly, if a keylogger is used on a device you own, the usage is legal. Yet, any legitimate keystroke logger can still be used with criminal intent – and that is illegal.

Real case example & takeaway

Over the past 10 years, IT security companies have noticed the increasing usage of keylogger with malicious intent.

However, alarmingly, the victims are not limited to giant IT companies.

In 2005, a man from Florida lost $90,000 due to a keylogging software running on his computer. The man filed a lawsuit against the Bank of America for stealing the money from his bank account. The investigation revealed that the money was sent to a Latvian criminal. The victim’s computer was infected with a malicious keylogger.

The hacker accessed the man’s bank account by using the logging details retrieved from keylogging records.

Unfortunately, the man did not get his money back. The court decided it was the man’s responsibility to take basic security precautions.

Takeaways: How to protect yourself from keyloggers?

Basic cybersecurity methods

Take basic cybersecurity precautions: routinely check for unwanted software in your PC, never click or download something from suspicious sources, websites, or people who you do not trust. Plus, make sure to use and frequently update antivirus software.

Use Two-factor Authentication.

Howard Schmidt, former White House cybersecurity advisor and co-author of the National Strategy to Defend Cyberspace, highlights the most important preventative measure – Two-factor Authentication. He explains:

“Even if I had a keylogger and had stolen your password, without a smart card … you can’t do anything. That’s why it’s so effective.”

Use a password manager.

Lastly, use a password manager that supports autosave and autofill features. This protects you from giving away sensitive information – such as passwords, credit card information.

Since the password manager automatically fills the fields, you do not need to type this information. That is how you protect yourself from giving away information for a keylogger.

The golden rule for protecting sensitive data: no keystroke – no record.