Beware: keystroke logging malware on the rise

This favoured technique of hackers and cybercriminals is a growing phenomenon internet users should be wary of.

Tuesday, 11 October, 2022

If it seems like online criminals are always creating new ways to try and exploit unwitting victims, it’s because they are.

The internet is effectively a multidimensional game of cat-and-mouse, with consumers on one side supported by hardware manufacturers, software firms and antivirus providers.

On the other side is an ever-changing army of hackers and criminals, endlessly probing for weaknesses in domestic software systems and IT setups.

While some online malware is created for sheer devilment, most is intended to achieve financial gain for its developer or operator.

Keystroke logging software is a lesser-known tool in the cyberthief’s armoury, especially since the software underpinning it is used legitimately in many scenarios.

Even so, with malicious keylogging on the rise according to cyber security experts Sophos, it’s vital to recognise the risks it poses.

Out of key

Keystroke logging software is often referred to as keylogging.

This activity-monitoring software enables an offsite supervisor or administrator to record which keys are being pressed on a remote keyboard.

The popularity of keylogging software has soared post-pandemic, as companies attempt to discreetly track the productivity of home-working employees.

It’s sometimes used by parents to monitor their children’s online activities, and tech support staff might occasionally install it to troubleshoot IT issues.

However, keylogging software also appeals to fraudsters and bad actors.

Think about how often you log into a website or intranet with a username/email address and a password.

If a criminal can watch you typing these character strings into your web browser, they can then wait ’til you’re offline and re-access those same accounts using your login credentials.

Few people would voluntarily install non-corporate keylogging software, while genuine business tools tend to be fairly hacker-proof, so the software is usually installed by stealth.

The main technique used to accomplish this is spyware disguised to look like legitimate software – known in the industry as a Trojan.

Malicious code is embedded in an infected Microsoft 365 or Adobe PDF file, and launches once the file is opened, stealthily installing itself ready to begin monitoring.

The file will typically be attached to an email, sent to intended victims with generic message text like “your order #123456 was rejected. Please see attached invoice for details”.

These unsolicited messages are a form of phishing – a subset of social engineering, where victims are manipulated through a sense of urgency and a pretence of authenticity.

Broad brush strokes

The preceding paragraphs make depressing reading, especially if you routinely access online banking or other financial services through a desktop computer.

Happily, there are some broad steps everyone can take to stay safe online, and prevent keystroke logging taking place.

Firstly, install antivirus software onto desktop computers, and approve automatic updates whenever the software requires it.

Mobile apps are far harder to hack, and logging into sensitive apps using biometric smartphone data gives criminals very little chance of replicating entry later on.

A virtual keyboard may also be useful for entering sensitive data – floating on-screen buttons you click with a mouse, rather than tapping physical keys.

A password manager provides another way to access online accounts without typing confidential or sensitive data on the keyboard.

If a desktop PC and a physical keyboard are your only option, complicate keylogging reports by deliberately mistyping, partially deleting and then correctly entering passwords.

Remain vigilant at all times. Don’t open unexpected emails, and never download or open an attachment unless you’re sure it’s genuine.

Follow search engine hyperlinks to webpages rather than typing their addresses into your browser bar – malware-laden bogus sites often register addresses which are similar to those of authentic sites.

Criminals will hit a brick wall if two-factor authentication requires a separate code to be sent to a mobile device, or an app like Microsoft Authenticator, so use 2FA wherever possible.

It’s momentarily frustrating having to prove who you are, but it’s far better than granting an overseas fraudster unrestricted access to your financial affairs…

Neil Cumins


Neil is our resident tech expert. He's written guides on loads of broadband head-scratchers and is determined to solve all your technology problems!