
What Is Keylogging?

LastPass, September 30, 2024

In 2024 alone, more than 1 billion records have been stolen — and the year still has four months left.  

Much of this stolen data comes from malware. In some cases, malware tools are used to find and exfiltrate valuable information surreptitiously. In others, ransomware tools encrypt key data and demand payment for its release. 

Keyloggers take a different approach: These tools track and record keystrokes as users type, and then send this data to malicious actors. Analysis of keylogger data can provide attackers with everything from usernames to passwords to the contents of sensitive emails or texts. 

In this piece, we'll break down keylogging basics, explore the history of keylogging attacks, examine the potential consequences of logged keys, and offer ways to protect critical data from keylogging criminals. 

Keylogging Explained

Compared to other types of malware, keyloggers are less prevalent. Prior to the rise of ransomware, keylogging tools were commonplace, in part because they offered a low-risk way for attackers to view, capture, and leverage typed data.  

Today, keyloggers may appear as a smaller part of larger cyberattacks. For example, a recent attack leveraged the Snake Keylogger (also called the "404 Keylogger" or the "KrakenKeylogger") to steal sensitive data. Phishing is the first stage of the attack: Users are prompted to open an Excel document that leverages CVE-2017-0199 to download an HTML application file, which in turn contains VBScript and PowerShell scripts. These scripts run an .exe loader module, which builds and deploys the Snake Keylogger.

Definition of keylogging

Keylogging is the practice of recording keystrokes made by users on their devices. Keyloggers collect this data and send it to hackers, who in turn analyze the information to find usernames, passwords, financial data, and other critical assets.  

Types of keyloggers

There are two basic types of keyloggers: Software and hardware. 

Software keyloggers are pieces of code that infect devices and record keystrokes made by users. These keyloggers can spread to other devices on a network, in turn providing attackers with a host of potentially usable data.  

Hardware keyloggers, meanwhile, are physical objects attached to devices that record and transmit all typed data. Unlike their software counterparts, they cannot move from device to device unless physically removed and replaced. While this limits the scope of hardware keyloggers, these physical devices are often harder to detect than their software counterparts.  

How keyloggers work

Keyloggers work by capturing keystrokes and sending this data back to hackers.

There are several ways for attackers to accomplish this goal. The lowest-tech option uses a camera pointed directly at a user's screen, which records what they're typing and when. Attackers may also replace the keyboard device driver with one that logs each keystroke or use an attached physical device that sits between the computer and the keyboard and intercepts all outgoing data.

History and Evolution of Keyloggers

Keyloggers are not a new development. In fact, keylogging began before the advent of digital computing — the first key-collecting threat targeted electric typewriters in the early 1970s. While keyloggers have come a long way since the days of poaching paper-based data, the fundamentals remain the same: Capture and exfiltrate user-entered information. 

Overview of keylogger development

The first keylogger targeted typewriters used by the U.S. Embassy in Russia. Known as the Selectric Bug, it wasn't so much a bug as a physical device developed by the Russians that was attached to Selectric typewriters. The device tracked the movements of the typewriter printhead and recorded which keys were pressed in which order.  

In 1983, Perry Kivolowitz created a software keylogger capable of locating and dumping character lists in a Unix kernel, but its scope remained limited. Then came the Internet, and the Ghost Keylogger. This software-based tool was the first to capture keystroke data from connected computers and wasn't selective about its targets; the scope and scale of Ghost Keylogger attacks moved keylogging threats into the mainstream.  

Notable keylogging incidents

2007 saw the development and release of the Zeus keylogger, which primarily targeted financial institutions. While the attack led to millions in losses, it also prompted a concerted effort from the cybersecurity community to develop an effective countermeasure. 

Advancements in keylogger detection

The evolution of keylogger attacks prompted the development of advanced detection methods. These methods fall into two broad categories: Signature-based and behavior-based.

Signature-based defenses scan files on a device and compare them to known keylogger modules. If a potential match is detected, these tools alert IT staff to take action. While this approach is minimally disruptive to operations, signature-based detection can only protect devices from known keylogger frameworks. 

Behavior-based detection, meanwhile, focuses on keylogger action rather than architecture. Even if applications or services don't contain common keylogger signatures, behavioral tools may flag them for review if their actions seem suspicious. While behavioral tools have a higher success rate in keylogger detection, they are more resource-intensive than their signature-based counterparts.
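The difference between the two approaches, shown as an added example (not from the original article or any vendor's product): a hash lookup misses a repacked loader, while a rule on the HTA-to-script-to-executable launch chain described earlier still flags it. The events, hashes, field names and file names are constructed; mshta.exe and the script hosts are the standard Windows binaries for HTA and script execution.

```python
import hashlib

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for file contents; not real samples or real hashes.
LOADER_V1 = b"constructed-loader-build-1"
LOADER_V2 = b"constructed-loader-build-2"   # same behaviour, repacked
KNOWN_BAD = {digest(LOADER_V1)}             # the signature database
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation events (field names are assumptions).
EVENTS = [
    {"pid": 10, "ppid": 1,  "image": "explorer.exe",   "sha256": digest(b"explorer")},
    {"pid": 20, "ppid": 10, "image": "powershell.exe", "sha256": digest(b"ps")},
    {"pid": 21, "ppid": 20, "image": "git.exe",        "sha256": digest(b"git")},
    {"pid": 30, "ppid": 1,  "image": "mshta.exe",      "sha256": digest(b"mshta")},
    {"pid": 31, "ppid": 30, "image": "powershell.exe", "sha256": digest(b"ps")},
    {"pid": 32, "ppid": 31, "image": "tool_b.exe",     "sha256": digest(LOADER_V2)},
    {"pid": 40, "ppid": 10, "image": "tool_a.exe",     "sha256": digest(LOADER_V1)},
]

def signature_hits(events, known_bad):
    """PIDs whose image hash matches a known-bad signature."""
    return [e["pid"] for e in events if e["sha256"] in known_bad]

def ancestors(event, by_pid):
    """Image names of the parent chain, nearest parent first."""
    chain, seen = [], set()
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:   # guard against PID loops
        seen.add(parent["pid"])
        chain.append(parent["image"].lower())
        parent = by_pid.get(parent["ppid"])
    return chain

def behavior_hits(events):
    """PIDs of binaries launched by a script host that descends from mshta.exe."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = ancestors(e, by_pid)
        if (e["image"].lower() not in SCRIPT_HOSTS and chain
                and chain[0] in SCRIPT_HOSTS and "mshta.exe" in chain[1:]):
            hits.append(e["pid"])
    return hits

if __name__ == "__main__":
    print(signature_hits(EVENTS, KNOWN_BAD), behavior_hits(EVENTS))
```

The ordinary developer session (explorer.exe, powershell.exe, git.exe) triggers neither rule, which is the false-positive check a behavioral rule needs before it is deployed.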

Detecting and Preventing Keyloggers

The sooner keyloggers are spotted and stopped, the better.  

Signs of a keylogger infection

There are several common signs of keylogger infection, such as: 

  • Slow browsers

Browsers may load content slowly if keyloggers are running in the background. If you notice that images and text are taking longer than usual to load, it may be a sign of keylogger infection. 

  • Delays in keystrokes or mouse movements

Keyloggers may also cause a delay between input and output. If you find that on-screen actions aren't keeping pace with your typing or mouse movement, a keylogger may be responsible.

  • Disappearing cursors

Disappearing mouse cursors are another common sign of keyloggers. As the keylogger processes data, it may cause loss of control of your mouse, which includes the cursor disappearing.  

How to detect and remove keyloggers

Direct observation from users provides the first clue that something isn't right. Malware scanning tools can help narrow the search by pinpointing suspicious processes or identifying applications that are commonly associated with keyloggers.  

To remove a keylogger, users should start by removing the program or application from their device, then clearing all temporary files. Depending on the type of keylogger, how long it has gone undetected and the type of data it could potentially access, it may be necessary to reset devices and restore their data from secure backups. This ensures that the keylogger is entirely removed.  

Protecting yourself from keyloggers

There's no single solution to protect yourself from keyloggers. Instead, it's worth taking a multilayered approach that includes: 

  • Firewalls

Firewalls help keep unauthorized and unrecognized processes off your device and outside your local IT environment. 

  • Antivirus software

Antivirus software can detect the presence of keyloggers on your system and recommend effective action. 

  • Phishing detection tools

The use of phishing detection tools helps prevent fake emails from arriving in your inbox. 

  • Password managers

Password managers securely store your passwords and ensure that your data isn't automatically entered on suspicious sites. 

Risks and Impacts of Keyloggers

Unlike ransomware threats, keyloggers don't encrypt data or demand payment for its release. Unlike DDoS attacks, keyloggers don't overwhelm networks or take systems offline. Their pernicious and persistent nature, however, makes them a significant security threat. 

Potential problems caused by keyloggers

There are several potential problems caused by keyloggers. 

The first is reduced device performance. Depending on the type and amount of data being collected, keyloggers can cause significant device slowdowns. Users may experience delays between keyboard strokes and on-screen output or may find that applications or web browsers take significantly longer to load.  

Threats posed by keyloggers

Keyloggers pose multiple threats, such as: 

  • Stolen financial data

If attackers can steal your login and password data using keyloggers, they may be able to access your bank accounts and steal financial information. In addition, they may be able to transfer funds out of your account or convert some of your savings into less-traceable currency such as bitcoin.  

  • Hacked accounts

Keylogging lets attackers collect password and login data for as long as they remain undetected. This puts users at risk of hacked accounts including those on e-commerce platforms, those used to access health data, or even those used to file taxes.  

  • Business email compromise

Keyloggers deployed on business networks may capture staff login data, which allows attackers to access corporate accounts. From there, they may be able to move laterally and compromise key applications or systems.

Protecting your sensitive information

Keyloggers target sensitive information, such as usernames and passwords, which hackers use to compromise online accounts and services. While identifying and removing keylogging threats can help reduce this risk, it's also worth prioritizing the protection of sensitive information. 

Put simply? Keep it secret, keep it safe. Reduce risk by using different passwords for every online account. Don't provide username, password, or other identifying information to any site you don't recognize. And wherever possible, use autofill tools that complete your credentials on trusted sites without the need for keyboard strokes — even if attackers have compromised your device with a keylogger, no keypresses mean no data to collect.  

Keylogging on Mobile Devices

Just as keylogging made the move from physical devices to computer software, it has also made its way to mobile devices. 

Do mobile devices get keyloggers?

Yes. Mobile devices are susceptible to keyloggers. These devices are compromised in the same way as desktops or laptops — users receive a message that asks them to visit a compromised website or download an infected file. In the case of mobile devices, these messages may take the form of emails or texts. 

Signs that your mobile device has a keylogger include reduced battery life, excessive data usage, unfamiliar applications, or text messages you don't recognize.  

Preventing keyloggers on smartphones and tablets

To prevent the installation of keyloggers, don't respond to or engage with unsolicited emails or texts, especially if they demand action. For example, if you receive a text supposedly from your bank asking you to visit a webpage and verify account details — or face the consequences of your account being locked or disabled — don't take the bait.

In addition, avoid downloading any third-party applications that haven't been tested and vetted by reputable app stores. Consider an Android device user. While it's possible to download .apk files directly rather than using an app store, there's no guarantee that these files are free of malware. Installing them and allowing them access to your mobile device could introduce a keylogger into your system.  

Keylogger protection for mobile users

Protection from keyloggers for mobile users includes antivirus and antimalware tools, regular updates of operating systems and other applications, the use of strong passwords, and the adoption of two-factor (or more) authentication.  

It's also important to physically secure your device. Keep it with you or store it somewhere safe and ensure you're using a strong password or biometric identifier to enable device access.  

Keylogger Prevention Measures

While finding and eliminating keyloggers helps reduce their impact, it's preferable to prevent these attacks from happening.  

Best practices for avoiding keyloggers

Keyloggers get access to devices when users click on malicious links or download infected attachments. To avoid keyloggers, remember a simple mantra: Never trust, always verify. 

Used as the foundation of zero-trust, this approach helps users reduce the risk of getting duped by legitimate-looking emails or texts. Here's how it works in practice: No matter the message and no matter the content, verification is the first step. This means that whether the email seemingly comes from a business colleague, a friend, or a stranger, you apply the same level of skepticism. Follow up with supposed senders before clicking through or downloading attachments. If attackers can't convince you to take the action they want, their efforts fall flat.  

Secure password management

If attackers can find and compromise your passwords, they can gain access to everything from e-commerce accounts to financial data to business networks. Secure password management helps reduce this risk. By storing your passwords in a secure vault that only you can access, you can keep them safe from prying eyes. 

And by using password autofill that only provides password information for trusted sites, you can both avoid the risk of keylogging and get a visual clue that something isn't right. If you click through to what looks like your banking website but your password manager doesn't fill in the credentials, it's a red flag that you may be dealing with a spoofed site.  
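A sketch of the matching rule behind this behaviour, as an added example rather than LastPass's own code: credentials are released only when the page's HTTPS host equals the saved host or is a subdomain of it, so look-alike addresses get nothing. The vault contents, function names and the .example/.test hosts are assumptions; production matchers also consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Hypothetical vault: one saved login, keyed by the host it was saved on.
VAULT = {"bank.example": {"username": "alice", "password": "<stored secret>"}}

def canonical_host(url: str):
    """Return the lowercase ASCII (punycode) host of an https URL, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed URL: never autofill
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None             # plain http or no host: never autofill
    try:
        # IDNA-encode so visually similar Unicode hosts compare as different.
        return parts.hostname.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None

def credentials_for(url: str, vault=VAULT):
    """Return the saved entry only if the URL's host matches a saved host."""
    host = canonical_host(url)
    if host is None:
        return None
    for saved, entry in vault.items():
        # Exact host or a true subdomain; a plain substring test would
        # wrongly accept hosts that merely contain the saved name.
        if host == saved or host.endswith("." + saved):
            return entry
    return None

if __name__ == "__main__":
    for url in ("https://www.bank.example/login",
                "https://bank.example.evil.test/login",
                "https://bank.example@evil.test/login",
                "http://bank.example/login"):
        print(url, "->", "fill" if credentials_for(url) else "no fill")
```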

Using trusted security software

Trusted security tools such as malware and virus scanners can help detect the presence of keyloggers. In addition, users and businesses benefit from the use of email scanning tools capable of analyzing incoming messages and flagging them as potentially harmful. If they never reach inboxes, they can't compromise users.  

Prevent Keylogging with LastPass

LastPass offers several ways to help reduce the risk of keylogging compromise. 

Unique password generator

Our unique password generator ensures that you don't accidentally repeat passwords, and provides suggestions for strong passwords that include letters, numbers, and special characters.  

Breach monitoring and detection

With breach monitoring and detection, you're notified about potential compromises and possible causes. This helps streamline the process of finding, identifying, and removing keyloggers.

Multi-factor authentication

Using multi-factor authentication (MFA) that includes additional factors such as one-time text codes or biometric identifiers helps keep accounts safe even in the event of keylogging. For example, since one-time codes are never identical, logging one won't help attackers get access.  

Start your LastPass trial today and keep keyloggers out.