Hackers watching while
you type

28 Apr 2005

Keylogging tools that attempt to steal users’ passwords for banking or e-commerce sites are evolving all the time and now employ several techniques aimed at tricking people into installing them, a security expert has warned.

According to Dan Hubbard, director of security and technology research with Websense, hacking for financial gain is becoming more common, which in turn is leading to an increase in the sophistication of attacks. “There’s definitely lots of money being made,” he said, citing the arrest of a man in Brazil, claimed to have been at the head of a gang that is alleged to have stolen up to US$37m by infecting PCs with keylogging software.

As the name suggests, keyloggers work by recording users’ keyboard inputs and sending them to a third party. With this information, criminals can access bank accounts using the owner’s login name and passwords and transfer money into their own accounts.

Hubbard pointed out that keyloggers don’t draw attention to themselves in the way that viruses or worms might. Often, the software sits dormant on an infected PC until it recognises certain behaviour from the user, such as visiting a banking website.

Because keyloggers require some user intervention to be installed – even if the user doesn’t realise this is taking place – the ways of tricking people are evolving all the time, Hubbard said. “In the past, it was simple social engineering – you got an email saying ‘open this’ or ‘I love you’. Now it’s a combination of factors. It’s partly social engineering: the email is sent pretending to be a notice from Microsoft to upgrade your software or patch your machine. It’s also timed to be sent on the second Tuesday of every month when Microsoft normally issues its patches. The mail also redirects you to a site and there’s no attachment with the message. The website has the look and feel of Microsoft’s site but when you’re there it installs a keylogger on your machine… Once you’re there, naturally you don’t know that you’re being exploited.”

Another hacker tactic Hubbard identified is where search sites are duped into placing malicious sites high on the list of commonly requested terms. This search engine poisoning works by giving links to websites that put spyware on a computer when the user has input the search term ‘spyware removal’. He pointed out that in order for these tricks to work, the user’s browser must have flaws that the spyware or keylogger can exploit.

Hubbard also suggested that the security industry’s traditional ways of tackling threats will need to be re-examined. In the past, viruses were reported by customers to security companies, who reverse engineered the code to find out how the viruses behaved in order to spot them and then to stop them. “With keyloggers, people don’t usually know they have them, so it’s not easy to create detection tools. They’re also coming out so frequently that it’s difficult to stop them.”

According to Hubbard, the situation may get worse before it gets better. “In the short term, the problem is going to get worse but in the long term I think there will be solutions to this,” he said. “There’s more money being spent and smart people now paying attention to the problem.”

By Gordon Smith