Watch Out for Keyloggers – The Spies in Your Keyboard!

Don't you find it uncomfortable if you sense that someone is constantly looking over your shoulder as you type? Yet this can happen not only when you queue up at the ATM or when you make a cashless payment at the supermarket checkout. Sometimes, we're completely unaware that strangers armed with sophisticated tools secretly record every keystroke as we type. These tools, known as keyloggers, threaten the security of our confidential (online) data more often than we think.

For as long as computers and passwords have been around, people have tried to spy on other people's digital data – usually for illicit purposes. The usual suspects range from jealous partners to criminals who want to go shopping at their victims' expense, all the way to blackmailers and industrial espionage. And what could be more convenient than tracking the access data for bank accounts, social media accounts, online shops, cryptocurrency wallets, confidential documents or emails directly from the user's own keyboard?

From the keyboard straight into the hands of criminals

The advantage of this strategy is obvious: that's because passwords, PIN numbers or credit card details are not yet encrypted when they are typed into the keyboard. This makes it easier for fraudsters to use ill-gotten data. Encryption is only activated when the unsuspecting user clicks on ‘send', for example, to log into a user account, to send a message or confirm a financial transaction. 

Small software programs and other tricks that allow unauthorized persons to track every keystroke on a computer keyboard have actually been available for a long time. These tools are called ‘keyloggers'. Originally, they were very simple little programs that could be installed covertly on a computer and save everything typed on the keyboard in a small log file. More recently, many different keylogger variants with significantly enhanced capabilities have emerged. Likewise, the methods used to 'inject' a keylogger payload into a computer have become far more sophisticated.

Attention: keylogging is not always illegal!

In Europe, there is still no consensus on how to evaluate the use of keyloggers in legal terms. Are public authorities permitted to use keyloggers and 'state trojans’ and install them on a computer without the user's knowledge? What regulations govern the use of keyloggers in the workplace or in the private sphere? To date, no consistent EU-wide legislation to address these issues has been passed.

Those who wish to install a keylogger on their own computer, for example, to monitor their children's PC activities, are permitted to do so in Switzerland without fear of breaking the law. 

Since the highest court in Switzerland handed down the verdict in February 2022, the police are also allowed to deploy monitoring software such as keyloggers for the purpose of combatting crime.

In Germany, keyloggers are explicitly only allowed on one's computer – anyone installing a software keylogger, a keyboard spy or a USB logger on other computers is liable to prosecution under Section 202a of the German Penal Code.

Be careful when withdrawing cash! Cybercriminals also use hardware keyloggers to access banking data

By the way, the risk of being spied on by keyloggers is not restricted to the PC. We can be exposed to it every day, for instance, if we want to withdraw cash from an ATM. Clever crooks have even developed hardware keyloggers for these terminals. They can be attached as separate, discreet keypads that are undetectable to banking customers. This makes it easy for criminals to amass hundreds of credit card numbers and account PINs within a very short space of time. 

Financial institutions have since reacted to this threat to better protect their debit and credit card terminals against these types of manipulation. Despite these efforts, you should remain vigilant when entering personal details on a keyboard or keypad.

Nevertheless, the probability of falling victim to a software or hardware keylogger attack today is far greater on a personal or work PC but also on computers that are publicly accessible.

Software keyloggers are one of the most prevalent malware types

Formbook software keylogger remains one of the most widespread malware in Switzerland, ahead of the dangerous Emotet trojan. The arrival of the Snake Keylogger in Germany also saw another malware in this category take place – reason enough to take a closer look at the threat posed by software keyloggers.

Formbook – cybercrime by subscription

Malware specialists exposed the Formbook information stealer for the first time in 2016. Instead of being sold on special hacker forums, this particular malware is rented at very reasonable prices as 'Malware-as-a-Service' (MaaS). In this scenario, the 'subscribers' receive the malware binary file and are given access to the necessary command & control servers (C&C). Additional services allow hiding the binary code in an innocuous-looking document. 

What makes Formbook particularly attractive to criminals is its ease of use – which means they require little experience and marginal programming expertise to work with it. This type of 'user convenience' has certainly contributed substantially to this particular keylogger's popularity.

Have you installed security updates today? Formbook exploits vulnerabilities in Microsoft Windows and Office

Another major reason is likely that Formbook deliberately attacks Microsoft Office Windows computers. For this purpose, the malware is packaged in typical Office documents in formats such as. RTF, DOC or XLS to exploit a vulnerability in Office (known as CVE-2017-8570). A Microsoft patch to plug this security hole has been available since 2017. Despite this, attacks using the Formbook information stealer are still successful today. This shows that many users go for long periods without bothering to update their software.

Beware of suspicious email attachments!

Usually, it starts with a new email that pops up in our inbox – often containing information that appears credible at first: a message from the bank. Information about an expected package delivery? Since the COVID-19 pandemic, malicious emails have also been sent containing subjects that could originate from a public health authority or a government agency. Social engineering techniques are used to suggest to the email recipients that the attachment contains important personal documents that the recipient must open. 

If unsuspecting users fall for this trick and click on the email attachment that has been 'infected' with binary code, the game is already up. That's because the malware burrows deep into the Windows system processes, enabling it to

• function as a keylogger and record every keystroke – for instance, when access or banking data is entered in online forms
• read out content from the clipboard
• steal passwords from local user cookies
• take screenshots of screen contents
• deactivate the Task Manager
• restart the computer
• receive commands from the connected C&C servers to execute specific actions

Snake Keylogger – the snake in the grass that lurks in a PDF

Yet another malicious program that spies on keyboard inputs, the Snake Keylogger, has been very active since May 2022 – and this snake is particularly clever because it uses a devious trick to outsmart many anti-spyware systems: many computer users are immediately wary when they receive emails with unknown Word or Excel file attachments and will send these messages directly to the trash without looking at them. For this reason, the developers of Snake Keylogger use an ingenious and roundabout way to lure their victims into the trap regardless. The Snake Keylogger, which uses a modular structure, is traded on underground forums for prices ranging from 25 to 500 US dollars – depending on the functional scope and duration of use.

Snake Keylogger relies on the fact that most users still consider the PDF format to be very secure – unlike files from Microsoft Office programs such as Word, Excel or PowerPoint, PDFs do not contain deceitful macros that constantly open the floodgates to virus infections. In the same way as Formbook, 'official’ sender addresses or social engineering techniques are used to convince the email recipients that the message is trustworthy.

Don't court disaster when opening a PDF file!

Click on the PDF document in the spam folder, and you will be asked to open a .DOCX file and receive a false assurance that the Word file is 'verified'. Under no circumstances should you be deceived by this. That's because the .DOCX file contains a macro that enables the Snake Keylogger to be loaded onto your computer from a C&C server.

Humans are the security vulnerability: carelessness and negligence are punished

Before the Snake Keylogger can infiltrate a computer, two conditions must be met:

• the user must be convinced by the spam email and must open the PDF attachment followed by the embedded .DOCX document.
• As with Formbook, the computer must also have a security vulnerability – in this case, CVE-2017-11882. This vulnerability has been known since 2017 and was corrected at the time with a patch – which means that any users of computers infected by Snake Keylogger clearly neglected to import the latest system updates.

What are the symptoms of an infection with Snake Keylogger?

Just like Formbook, the Snake Keylogger can cause major damage to its victims. The malware works away unseen in the background – that is, until the user notices that their online accounts, bank and credit card data or even their online identity have been used by unauthorised persons. The cybercriminals may even commandeer a Snake victim's computer as a hardware resource for their crypto-mining activities. Snake Keylogger can

• harvest usernames, passwords, all types of login information, as well as banking and credit card details
• extract personal information from popular web browsers (Chrome, Firefox, Edge, Opera, etc.) and email clients (Outlook, Thunderbird, Foxmail, etc.)
• intercept content from the Windows clipboard
• take screenshots of current screen content

What's the best way to protect against espionage by keyloggers?

As with every type of malware, the fundamental defence strategy against keyloggers is to keep your operating system updated at all times. This ensures that all known security vulnerabilities are eliminated as far as possible. A powerful anti-virus and anti-spyware software solution can also prevent infections with keylogger malware. And last but not least: stay vigilant and check every incoming email carefully before opening it.

It may also be worth checking the connections between the keyboard and computer every now and then – that's because hardware keyloggers are often plugged in between them as an inconspicuous connector at the back of the PC. That being said, keystrokes can be read not only from wired keyboards but also from wireless keyboards. It's even possible to purchase special devices over the counter in which the keylogger is already built-in with remote readable flash memory.

Another way to protect your sensitive data against keyloggers more effectively is to use the operating system's on-screen keyboard instead of the physical keyboard when entering passwords.

The best way to protect online accounts against data theft and identity theft is to use multi-factor authentication. This is where at least a second factor is required in addition to a password to verify one's access authorisation. This can be a biometric feature (face ID or fingerprint) or a numeric code that is typically sent to the user's smartphone. If cyber fraudsters only manage to steal usernames and passwords, they will be unable to gain access to the account.