What is Keylogging?
Keyloggers are tools or technologies that monitor and log consecutive keystrokes made on a keyboard. Keyloggers normally operate covertly so that victims do not suspect that their keyboard actions are being monitored and logged. While keyloggers can have legitimate purposes, such as monitoring children or employees, they are most often used by cyberattackers for malicious purposes [1]. Cyberattackers can use these keylogger tools and technologies to record a victim’s browsing activity and obtain login credentials for accounts and systems. Cyberattackers can then use this information for their own financial gain by withdrawing funds from the victim’s accounts, blackmailing the victim, or selling the credentials and account information on the dark web.
Keyloggers can be hardware-based, where they are built into hardware or exist as separate devices, or software-based, where they can be separate, legitimate software or malicious code bundled with malware, software, or viruses. The most common types of keyloggers are:
API-based keyloggers. API-based keyloggers are the most common type of keylogger. They use the keyboard application programming interface (API) to record keystrokes. Every time a key is pressed, a notification is sent to the application being typed in so that the typed character appears on the screen. API-based keyloggers intercept the notifications that are being sent to the application and capture each one as a separate event that is logged and filed on the system hard drive, where cyberattackers can retrieve them.
Form grabbing-based keyloggers. Form grabbing-based keyloggers log data from web forms upon submission. They intercept the submission notification to log all of the characters that the user has entered into the form. When the user clicks the “Submit” or “Enter” button, the log of all of the form data, which could include sensitive personal information such as name, address, email, phone number, credit card numbers, and login credentials, is placed in a file on the system hard drive, where cyberattackers can retrieve it.
Hardware keyloggers. Hardware keyloggers are often built into the keyboard, but they can also be on USB connectors or mini-PCI cards. All records for hardware keyloggers are kept in the internal memory of the device, so the cyberattacker will need access to the physical device in order to retrieve the logs.
Acoustic keyloggers. Acoustic keyloggers are complex and infrequently used. They use acoustic cryptanalysis to record keystrokes at the hardware level and use statistical methods to analyze the individual acoustic signatures.
Kernel-based keyloggers. Kernel-based keyloggers hide inside the operating system and record keystrokes as they pass through the kernel. These keyloggers are more sophisticated and complex than software keyloggers, so they are not used as commonly. Kernel-based keyloggers are distributed via rootkits that can bypass the computer’s kernel and target the hardware.
Hidden camera keyloggers. Hidden camera keyloggers may be placed in public spaces such as libraries to visually track keystrokes.
[1] Moes, 2022, “What is a keylogger?”