The American television series Mr. Robot introduces its viewers to a lot of hacking attacks, techniques, and tools. Most of it is based on actual methods and hardware, even if it is presented as far easier to do on the show than in real life. One thing the show portrays as a common, almost pedestrian attack technique is keylogging.
You need to know about keylogging, because it really is as common, easy to do, and critical to the success of criminals as it is on the TV show. That’s because the targets of attacks that involve keylogging are, well, just about anyone and everyone. And you wouldn’t even know that it’s happening.
How it works
Keylogging, formally called “keystroke logging,” is exactly what it sounds like: It’s when a user’s keystrokes on a computer, tablet, or phone are recorded and tracked. This is sometimes done in an IT monitoring environment, or for studying human-computer interaction. Even Windows 10 has a creepy keylogger, to collect your info for… reasons. Fortunately, you can turn it off.
They’re also used by law enforcement. The FBI brought down Philadelphia mob boss Nicodemo Scarfo Jr. in 1999 when it installed the Magic Lantern keylogger via a Trojan. The spyware recorded his every keystroke, which the Feds were able to use to piece together their case. In 2007, the DEA used a keylogger to take down an MDMA (Ecstasy) lab.
But keylogging is more commonly done for nefarious reasons—without the user’s consent or knowledge that everything they type is being surveilled, and saved for later by whoever is spying on them.
The threat to you
Obviously criminals use keyloggers. They scrape up passwords, credit card and banking information, personal details, and more, to use in identity theft and other malicious deeds. Think about what you type every day that reveals sensitive information, like your bank account, and you can easily see what’s so worrying about keyloggers.
But thanks to commercial spyware companies, everyone is a potential victim of keylogger spying. These companies take digital spying tools, typically used by actual government spies and malicious hackers, and package them into easy-to-use bundles. These are marketed and sold to parents who want to monitor children, suspicious spouses, nosy employers, and more.
Of course, they’re purchased and used by more than that, and for a lot of creepy and unethical purposes. A recent expose showed that “ordinary people—lawyers, teachers, construction workers, parents, jealous lovers—have bought malware to monitor mobile phones or computers, according to a large cache of hacked files from Retina-X and FlexiSpy, another spyware company.” The tools enabled easy keylogging for anyone with $50 to spend.
The cache of hacked documents also revealed that the spyware companies had terrible security themselves, making it trivial for attackers to obtain the keylogging records of all the people its spyware had tracked.