A Software Keylogger Attack
By Daniel Shapiro

Social Engineering
• Users follow “spoofed” emails to counterfeit sites
• Users “give up” personal financial information

Technical Subterfuge
• Software is planted on your system
• Used to steal information directly from the computer

Pharming
• Software that misdirects users to fraudulent sites

RCMP 2005 (http://www.charlottetown.cips.ca/LS2.ppt)

“Next Generation” Keyloggers
• Today’s keyloggers incorporate “stealth” operations
• Capture more than keystrokes
  – Screen shots
  – Recording of Web addresses
• Free Examples: BFK, pykeylogger

RCMP 2005 (http://www.charlottetown.cips.ca/LS2.ppt)

Phishing Using Keyloggers [2]
• Definition: “A keylogger is something that records keystrokes made on a computer. It captures every key pressed on the keyboard and stores it down in a file or memory bank that can be viewed by the person performing the monitoring in real-time, or at a later date.” [1]
• There are two types of keylogger: hardware keylogger and software keylogger

[1] http://www.keyghost.com/keylogger/
[2] Dat Tien Nguyen and Xin Xiao

Hardware Keylogger [2]
Three types [1]:
• Inline devices that are attached to the keyboard cable
• Devices which can be installed inside standard keyboards
• Actual replacement keyboards that contain the key logger already built-in
It can only be discovered by people and removed physically

[1] www.wikipedia.org
[2] Dat Tien Nguyen and Xin Xiao

Software Keylogger [1]

[1] Dat Tien Nguyen and Xin Xiao

Software Keylogger [2]
* Can capture both keys pressed and screen
* 2 sub-categories [1]:
  – Visible in the task manager
  – Invisible and stealth keyloggers
* It is true that secure I/O programs can completely protect your computer from software keyloggers

[1] www.keygosh.com
[2] Dat Tien Nguyen and Xin Xiao

Protecting yourself from Keyloggers
• First and foremost: The best security and related policy is always built on layers.
The best way to protect a system and network from these intrusions always starts with the same methods one would use to prevent the spread of a virus, but additional measures must be taken for these new risks BEYOND those measures.
• Keyloggers and Trojans often aren’t detected by Antivirus systems, so make sure you have a good spyware detection and removal tool OR verify your Antivirus program handles these spyware threats as well. Make sure this software is updated and run regularly as new threats can burrow in at any time.

Dynamic Net, Inc.

Protecting yourself from Keyloggers
• Consider installing a personal firewall on each computer or at least enabling a firewall built into the operating system of the computer. Firewalls can’t save the world by themselves, but a good personal firewall monitoring incoming AND outgoing traffic from an individual computer will be a good way to find out if anyone is attempting to break in. It will also give you an idea as to whether or not anyone or thing is attempting to have your computer send data out.

Dynamic Net, Inc.

Logoff with running keylogger
[Figure: KEYLOGGER]

My Ideas
1. Run keylogger
2. Log off of shared computer
3. The actions of the next user to log on are compromised
OR
1. Run keylogger on kiosk
2. Sit back and collect infoweb accounts
3. Begin spamming activities with harvested accounts

Other new attacks
1. Open a portal online
2. Harvest user passwords (e.g. Password = XXX)
3. Inject Trojan+keylogger into website content/service (e.g. streaming video plugin .exe)
4. Email user saying “I know your password! Your password is XXX! Change your passwords!”
5. User logs into banking website and gives away password to keylogger
6. Empty the bank account and/or sell credit card number

Other new attacks
• A low-tech approach to phishing has caught a NSW-based organisation after its employees were mailed CD-ROMs containing hidden keylogging software. [1]
• More than 40,000 Web sites have been hit by a mass-compromise attack dubbed Nine Ball that injects malware into pages and redirects victims to a site that will then try to download Trojans and keylogger code... [2]

[1] http://www.zdnet.com.au/news/security/soa/Phishing-attack-Your-keyloggers-are-in-the-mail/0,130061744,339274590,00.htm
[2] http://news.idg.no/cw/art.cfm?id=EDAD4BEC-1A64-6A71-CE6961E072D06093
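
A defensive check for the “Logoff with running keylogger” scenario above, as an added example that is not part of the original slides: on a shared machine, list processes still owned by a user who has no active login session. It assumes a Linux host and the text output of `who` and `ps -eo user,pid,tty,comm`; the sample output, the account names and the service-account list are constructed for illustration.

```python
# Added example: flag processes that outlived their owner's login session.
# Sample inputs are constructed; on a real host they would come from
# `who` and `ps -eo user,pid,tty,comm` (assumed Linux/procps formats).
WHO_OUTPUT = """\
alice    tty2         2024-05-01 09:12 (:0)
"""

PS_OUTPUT = """\
USER       PID TT       COMMAND
root         1 ?        systemd
alice     2210 tty2     gnome-shell
alice     2384 ?        firefox
bob       1877 ?        python3
bob       1902 ?        ssh-agent
www-data   812 ?        nginx
"""

# Assumption: accounts expected to run without an interactive session.
SERVICE_ACCOUNTS = {"root", "www-data"}


def logged_in_users(who_text):
    """Return the set of user names that currently hold a login session."""
    return {line.split()[0] for line in who_text.splitlines() if line.strip()}


def parse_ps(ps_text):
    """Parse `ps -eo user,pid,tty,comm` output, skipping the header row."""
    rows = []
    for line in ps_text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            user, pid, tty, comm = parts
            rows.append({"user": user, "pid": int(pid),
                         "tty": tty, "comm": comm.strip()})
    return rows


def leftover_processes(who_text, ps_text, service_accounts=SERVICE_ACCOUNTS):
    """Processes owned by a non-service user who is no longer logged in."""
    active = logged_in_users(who_text)
    return [p for p in parse_ps(ps_text)
            if p["user"] not in active and p["user"] not in service_accounts]


if __name__ == "__main__":
    for p in leftover_processes(WHO_OUTPUT, PS_OUTPUT):
        print(f"leftover: user={p['user']} pid={p['pid']} comm={p['comm']}")
```

Hits are leads to review rather than verdicts, since terminal multiplexers and scheduled jobs can legitimately outlive a session.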