Spyware, Keyloggers and Identity Theft
Taking a closer look at spyware and keylogger programs
Spyware is a category of software designed to record a user’s habits while they are online and report them back to whoever planted it. The adverse effects vary widely. Some spyware only produces unwanted pop-up ads or hijacks the browser (changing its home page or search settings). Others cause serious security breaches: keystroke logging, compromise of personal data, or “dialers” that silently replace a dial-up ISP’s phone number with an expensive premium-rate number. Spyware can also install a backdoor that gives an attacker remote access to the machine.
A computer is usually infected with spyware when “free” software is installed from an untrustworthy site. A common case is a user who believes they are getting pirated software from a “warez” site; anything downloaded from such a source may be a trojanized program that gives an attacker access to the system. Other spyware sources include online games, download managers, instant messaging clients, peer-to-peer software and porn/crack websites. Most spyware is aimed at Microsoft’s Internet Explorer. Spyware that targets other browsers (Apple Safari, Mozilla Firefox, etc.) also exists, but it is far less common.
More recent infection methods require no user interaction at all. These are known as “drive-by” downloads (See: reference 1): the spyware is installed on the user’s system simply by visiting a compromised or malicious website that exploits a browser or plug-in vulnerability. Other ways to become infected include clicking on a malicious pop-up, opening a booby-trapped zip archive, or running a malicious Java applet or ActiveX control. Spyware can even be delivered through a crafted image file that exploits a flaw in the image parser, or hidden inside the drivers bundled with new hardware.
Spyware spying techniques
Different spyware programs function differently. Some simply gather and transmit information, perhaps solely for a marketing database; others are used for serious criminal purposes. In all cases, however, the spyware needs to tie the data it sends across the network to one particular machine or user, so it tags its reports with a unique identifier. That identifier may be a tracking cookie stored on the hard disk or some form of Globally Unique Identifier, or GUID (See: reference 2). The logged data is then sent to whoever is collecting and analyzing it, and will typically include usernames, passwords, IP address, GUID, hostname and any keystrokes of interest.
Keylogger types
Keyloggers are software or hardware designed to record, and usually transmit, a user’s keystrokes. The captured data may contain sensitive personal financial information; it may even include source code typed at a software development company. Keyloggers are not new by any means, but they are getting renewed attention because of the growth of spyware and, in particular, how easily a computer can become infected. There are three types of keyloggers:
Kernel or driver keyloggers run at the kernel level, where they receive data directly from an input device, usually the keyboard, by inserting themselves into the keyboard driver stack (for example as a filter driver) in place of, or in front of, the normal keystroke-handling code. Because the driver is loaded when the computer boots, before any user-level detection software starts, it is very hard to detect from user mode. A disadvantage of this type of keylogger is that it cannot capture auto-completed passwords: a browser or form filler inserts those values at the application layer, so they never pass through the keyboard stack as keystrokes.
Hardware keyloggers are small devices connected between the computer and the keyboard. Their small size lets them go undetected for extended periods, and because nothing runs on the host, an inline device is typically invisible to anti-spyware software. Their disadvantage is that the attacker needs physical access to the computer, both to plant the device and to retrieve it. Hardware keyloggers can store a large number of keystrokes and so can compromise passwords and banking information.
Software keyloggers that use a “hooking” mechanism call the Windows SetWindowsHookEx() function, which registers a hook procedure to receive keyboard events system-wide (hook types WH_KEYBOARD or WH_KEYBOARD_LL). Such a keylogger is usually packaged as an executable file that installs the hook, plus a separate DLL that contains the hook procedure and the logging code; for a global WH_KEYBOARD hook the DLL is required, because Windows maps it into every process that receives keyboard messages. Because the logger runs in user mode alongside the application, it can also capture auto-completed passwords, although not through the keyboard hook itself (auto-filled text generates no keystrokes); that requires reading the form or window contents by other user-mode means.
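One practical consequence of the EXE-plus-DLL design described above is that a global keyboard hook leaves a footprint: its DLL gets mapped into most running GUI processes. The PowerShell script below is an added example written for this page (it is not code from the original article or from any product it mentions). It counts how many processes each loaded module appears in and reports the ones that are present in at least half of the inspected processes, live outside the Windows directory and shows their Authenticode signature status. The 50% threshold and the exclusion of everything under $env:SystemRoot are my own heuristics, not values from the article.

```powershell
# Added example, not from the original article: look for the footprint of a
# global SetWindowsHookEx() keyboard hook. Windows loads the hook DLL into
# every process that receives keyboard messages, so a DLL that is present in
# most running processes, lives outside the Windows directory and carries no
# valid Authenticode signature deserves a closer look.
# Assumptions (mine, not the article's): the 50% presence threshold and the
# exclusion of $env:SystemRoot are tunable heuristics.

$hits = @{}      # module path -> number of processes it is loaded into
$inspected = 0   # processes whose module list we could read

foreach ($proc in Get-Process) {
    try {
        $modules = $proc.Modules   # throws for protected or other users' processes
    } catch {
        continue
    }
    $inspected++
    $seen = @{}
    foreach ($mod in $modules) {
        $path = $mod.FileName
        if (-not $path -or $seen.ContainsKey($path)) { continue }
        $seen[$path] = $true
        if ($hits.ContainsKey($path)) { $hits[$path]++ } else { $hits[$path] = 1 }
    }
}

$threshold = [math]::Ceiling($inspected * 0.5)

$suspects = foreach ($entry in $hits.GetEnumerator()) {
    $path = $entry.Key
    if ($entry.Value -lt $threshold) { continue }
    if ($path -like "$env:SystemRoot\*") { continue }   # ntdll, kernel32, user32 ...
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path      = $path
        Processes = $entry.Value
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    }
}

"Inspected $inspected processes; listing modules loaded into at least $threshold of them"
$suspects | Sort-Object Processes -Descending | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell so that it can read the module lists of other users' processes; module enumeration across the 32/64-bit boundary can still fail, and those processes are simply skipped. Expect legitimate hits (input method editors, accessibility tools, some security products inject DLLs the same way), which is why the signature and signer are shown rather than used to filter. The script cannot see a WH_KEYBOARD_LL hook, which runs entirely inside the installing process and injects no DLL, nor a kernel-level or hardware keylogger.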
Keyloggers in the news
In 2008, sales of a keylogger known as “RemoteSpy” (from CyberSpy Software) were temporarily halted by a U.S. District Court (See: reference 3) at the request of the Federal Trade Commission (FTC). The allegation was that the RemoteSpy software violated the FTC Act.
The complaint, filed by the FTC on November 5, alleged that the software could be deployed maliciously and remotely: software that can be installed without the user’s permission and then used to secretly collect that user’s personal data would violate the FTC Act. The complaint also accused CyberSpy of illegally gathering and storing the personal data collected by RemoteSpy.
References:
1. “Sophos Security Analyses,” Sophos, http://www.sophos.com/virusinfo/analyses/
2. “GUID – Globally Unique Identifier,” AuditMyPC.com, http://www.auditmypc.com/acronym/GUID.asp
3. “District Court Halts Keylogger Spyware Sales,” CNET News, November 17, 2008, http://news.cnet.com/8301-13578_3-10099123-38.html