Data breaches should be a top priority for any business right now. Recent record fines handed out in both the US and Europe illustrate that getting compromised by hackers can be a hugely costly mistake.
With Equifax settling with the Federal Trade Commission for a record $700 million, and regulators in Europe finally showing just how much power they have under the GDPR rules to levy fines, it's more important than ever to make security a top priority.
But when it comes to extracting data from a company, hackers have a huge variety of tools in their arsenal, and one that could be particularly dangerous for businesses is keylogging. These tools could provide criminals with all the information they need to damage a business. So what do you need to know about this threat?
What does a keylogger do?
Essentially, a keylogger is a program on a computer or other digital device that’s able to keep a record of every input made on the keyboard, whether this is a physical piece of hardware or a virtual on-screen display on a tablet or phone.
A type of spyware, these have some fairly benign uses, although by their nature, they'll always be seen as intrusive by users. For example, consumer keyloggers are often marketed at parents who want to know what their kids are up to on their phone, or for business users to monitor productivity or ensure workers aren't doing something they shouldn't. A little unethical, maybe, but not illegal.
But they can also be used by hackers for more malicious purposes. One of the most common applications for keyloggers is to farm valuable data, such as login credentials or financial records. If an employee logs into a secure database on a machine with a keylogger installed, for instance, they can give a hacker all the info they need to access it themselves.
They can also be used to spy on confidential emails, make logs of programs that are installed, or monitor what websites a person visits, potentially exposing all parts of a business to serious data breaches.
The types of keylogger to be aware of
There are several types of keylogger that you need to know about, which vary in how they infect a system and the methods used to gather and extract information. They essentially fall into one of two categories - hardware-based or software-based - and you'll need to know how each of them works if you want to stop them.
API-based keyloggers are the most common type. They work by hooking into the keyboard application programming interface (API) on a user's machine, which notes what keys are pressed and passes the information to the active program as input. API keyloggers intercept these inputs and record them as discrete events, which are then stored on the hard drive as a log of every keypress, to be retrieved by hackers later.
A kernel-based keylogger sits deeper in your system and records the keypress information as it passes through the core of your operating system. They do the same job as API keyloggers, but are much harder to detect and remove. However, they're also harder to create, which makes them rarer than API-based software.
Hardware keyloggers use the keyboard's circuitry to log keystrokes. These may be built into the keyboard itself, or installed via a USB connector or Mini-PCI card. Rather than relying on software to store the logged keystrokes, all records are kept in the internal memory of the device. However, they do require the hacker to have physical access to a machine to install the device and retrieve the data.
Acoustic tools take advantage of the fact that every key on your keyboard makes a slightly different sound when pressed. Therefore, by analyzing this audio, sophisticated keyloggers can determine what was typed - all they need is access to a microphone. However, this type of attack is quite rare, as it requires sophisticated equipment and is less accurate than other methods.
Form grabbers work slightly differently from other forms of keylogger, but the end result is the same. These use compromised code on websites that can record what a user is entering into web forms, then send a copy to the hackers when the user hits submit. They work by attacking the website itself rather than the end user, so can be used for gathering details such as names, addresses and credit card details if, for example, they’re placed onto an ecommerce site's online checkout.
The consequences of a breach
If keyloggers are allowed to infiltrate a system or website, they can expose almost any part of a business, and they can infect any firm, anywhere. For instance, in 2016, it was reported that companies across 18 countries had been compromised by a keylogger known as Olympic Vision, which was spread via emails that appeared to come from business partners and referred to recent bank transfers and invoices with alleged errors.
However, instead of real documents, the emails had the Olympic Vision keylogger attached. Once infected, criminals used the data gathered from the keylogger to gain access to email accounts and understand the internal accounting workflows of the targeted companies. Hackers could then use this information to convince others to initiate fraudulent payments.
Another high-profile victim of a keylogging attack is British Airways. In 2018, the airline fell victim to a cross-site scripting hack that was able to place form grabbing malware on its online booking site. This logged data including names, addresses, credit card numbers and CVV details as users entered them into the site, then sent them to attackers when users hit submit. In total, some 380,000 people were affected, and the company was recently fined $221 million (£183 million) by the UK's Information Commissioner's Office for the breach.
How your firm can protect itself
The best way to guard against keyloggers stealing confidential data is to block them before they have a chance to compromise your systems. Most software-based keyloggers will infiltrate businesses via email, so having strong anti-malware and email filtering protections in place is an essential first step, as is frequently reminding employees of their own responsibilities in this area.
This isn’t as simple as reminding users not to open messages or download attachments from unfamiliar senders. As today's hackers get more sophisticated, effective spear-phishing techniques that trick users into believing they’re legitimate are becoming more common, so it's also vital you train your employees to spot these.
However, even the best anti-malware defenses can't guarantee 100% protection against every eventuality. All it takes is for one careless employee to open the wrong email, or plug an infected USB drive into a port, for all this good work to be undone. It therefore pays to have another layer of defense in place.
Some of the most precious information that can be picked up by keyloggers is the usernames and passwords to your most critical systems. Therefore, the best way to render keyloggers ineffective is to reduce reliance on these passwords, or ideally remove them altogether.
Adding two-factor authentication (2FA) is one way to achieve this, as it means the password alone won't be enough for a hacker to gain access. Best practice for 2FA is to combine something a user knows (i.e. a password or PIN) with either something they possess, such as a mobile phone that a unique one-time passcode can be sent to, or something that's inherent to them, such as a fingerprint or retinal scan.
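To show concretely why a logged password is not enough once 2FA is in place, here is an added example (not code from the original article) of a server-side login check that requires both a password and a time-based one-time code (TOTP, RFC 6238), and that refuses to accept a code a second time. The `Account` class, the fixed salt and the seed are constructed for the demonstration; a real deployment would use a random per-user salt and a secret delivered to the user's phone app.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30 s steps."""
    return hotp(secret, int(at) // step, digits)


class Account:
    """Constructed user record: salted password hash, TOTP seed, last accepted time step."""

    def __init__(self, password: str, seed: bytes):
        self.salt = b"constructed-fixed-salt"  # assumption: real code uses os.urandom(16) per user
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.seed = seed
        self.last_step = -1  # highest counter already used, so a captured code cannot be replayed


def verify_login(acct: Account, password: str, code: str, now: float, step: int = 30) -> bool:
    """Both factors must check out; a one-time code is only ever accepted once."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 100_000)
    if not hmac.compare_digest(candidate, acct.pw_hash):
        return False  # a keylogged password on its own stops here
    current = int(now) // step
    # Tolerate one step of clock skew either side, but never reuse a counter
    # at or below the last accepted one: a logged code is worthless afterwards.
    for counter in (current - 1, current, current + 1):
        if counter <= acct.last_step:
            continue
        if hmac.compare_digest(hotp(acct.seed, counter), code):
            acct.last_step = counter
            return True
    return False


if __name__ == "__main__":
    acct = Account("correct horse battery", b"12345678901234567890")  # constructed seed
    now = time.time()
    print(verify_login(acct, "correct horse battery", totp(acct.seed, now), now))  # True
    print(verify_login(acct, "correct horse battery", totp(acct.seed, now), now))  # False: replay
```

The seed `12345678901234567890` is the RFC 6238 reference secret, so the codes produced by `totp` can be checked against the published test vectors.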
Removing the need for keystrokes
However, 2FA may not always be easy or convenient to achieve, so another solution is to use a password manager. This stores a user's login credentials for all their sites and browser applications in one place and automatically fills in the username and password fields on the login page, without the user having to type anything - thus leaving keylogging hackers empty-handed.
Of course, you do need to make sure this has tough 2FA to avoid the risk of the master password being compromised, but defeating keyloggers is just one of the many benefits of an effective password manager. They can also protect your business from the risks of weak or reused passwords by ensuring each service is safeguarded by a secure, randomly-generated password that users won’t have to think up or remember for themselves.
The human element is often the weakest part of any security system, so by removing the need for human input where possible - combined with comprehensive training to prevent malware being installed via email - keylogging threats can effectively be minimized.