Keyloggers: How They Work and How to Detect Them

Bart Lenaerts-Bergmans - February 2, 2023

Keylogging and Keyloggers

Keyloggers, or keystroke loggers, are tools that record what a person types on a device. Although keyloggers have legitimate and legal uses, many uses are malicious. In a keylogger attack, the keylogger software records every keystroke on the victim’s device and sends it to the attacker.

An infamous keylogger attack uses a type of malware called DarkHotel. Hackers target unsecured Wi-Fi at hotels and prompt users to download the software. Once downloaded, DarkHotel acts as a keylogger and reports keystrokes to the hackers. After a certain number of recorded keystrokes, DarkHotel deletes itself from the device. That way, it doesn’t remain on a device for too long and can avoid detection.

It’s important to protect yourself from keylogger attacks used by malicious users. Because keyloggers can record and quickly identify sensitive information, they are a significant threat to cybersecurity. To protect yourself, it’s important to know what keyloggers are, how to prevent an attack and how to remove a keylogger if you are attacked.

Your personal information is lucrative to cybercriminals, and cybercriminals use various strategies to try to gain access to your sensitive data. Spyware is one kind of cybersecurity risk where a malicious user attempts to gather information about a user to cause harm. Cybercriminals often use a keystroke logger as spyware to track a user’s actions without their knowledge.

Definition of Keyloggers

Keyloggers are tools that can record every keystroke that you type into a computer or mobile keyboard. Because you interact with a device primarily through the keyboard, keyloggers can record a lot of information about your activity. For example, keyloggers can track credit card information that you enter, websites you visit and passwords you use.

Keyloggers aren’t always used for illegal purposes. Consider the following examples of legal uses for keylogging software:

  • Parents might use a keylogger to monitor a child’s screen time.
  • Companies often use keylogger software as part of employee monitoring software to help track employee productivity.
  • Information technology departments can use keylogger software to troubleshoot issues on a device.

While there are legal uses for keyloggers, malicious users commonly use keyloggers to monitor your activity and commit cybercrimes.


Information Captured by Keyloggers

When keyloggers run, they track every keystroke entered and save the data in a file. Hackers can access this file later, or the keylogger software can automatically email the file to the hacker. Some keyloggers, which are called screen recorders, can capture your full screen at random intervals as well.

Keyloggers can recognize patterns in keystrokes to make it easier to identify sensitive information. If a hacker is looking for password information, they can program the keylogger to monitor for a particular keystroke, such as the at sign (@). Then, the software only notifies them when you are likely entering password credentials alongside an email username. This technique helps malicious users quickly identify sensitive information without needing to sift through all your keystroke data.

Danger of Keystroke Loggers

Unlike other forms of malware, keylogging malware doesn’t damage your computer or operating system. The main danger of keyloggers is that malicious users can identify and exploit your personal information. The following examples illustrate some of the risks of a keylogger attack:

  • Hackers can steal credit card information and make unauthorized purchases.
  • Malicious users can log in to your email accounts and steal information or scam your contacts.
  • Hackers can log in to your bank accounts and transfer money out.
  • Malicious users can access your company’s network and steal confidential information.

According to the Federal Bureau of Investigation, nearly every national security threat and crime problem it faces includes a cyber component. A common threat that the FBI sees across a variety of industries is business email compromise. In this kind of attack, threat actors send an email that looks like it comes from a known contact. Then, they use social engineering and network intrusions to infiltrate companies.

One example of a business email compromise is when a criminal sends a message that appears to come from a known vendor. The message might include an invoice with a changed mailing address. If you don’t recognize the fraud, you could send payments to the wrong recipients. Cybercriminals with access to your accounts from keylogger attacks can be more successful because they can better imitate messages from vendors.

That’s why cybercriminals often use keyloggers to identify targets. By using a keylogger, cybercriminals can understand more about their victim to help guide a sophisticated attack. Social engineering strategies are more successful when cybercriminals use personal and business information to gain the victim’s trust.

Types of Keyloggers and How They Work

There are two types of keyloggers: hardware keyloggers and software keyloggers. They differ in how they capture a keystroke. Both can be used for malicious purposes, including credential theft and identity theft.

Types of Keyloggers

Hardware keyloggers are physical devices that record every keystroke. Cybercriminals can disguise them in the computer cabling or in a USB adapter, making it hard for the victim to detect. However, because you need physical access to the device to install a hardware keylogger, it isn’t as commonly used in cyberattacks.

Software keyloggers don’t require physical access to a device. Instead, they are installed on the device as software, which a user might download intentionally or inadvertently alongside other malware.

There are many different varieties of software keyloggers, including the following types:

  • Form-grabbing keyloggers record data entered into a field. This type of keylogging software is typically deployed on a website rather than downloaded to a victim’s computer. A hacker might use form-grabbing keyloggers on a malicious website that prompts victims to enter their credentials.
  • JavaScript keyloggers are written in JavaScript code and injected into websites. This type of keylogging software can run scripts to record every keystroke entered by website visitors.
  • API keyloggers use application programming interfaces running inside of applications to record every keystroke. This type of keylogging software can record an event whenever you press a key within the application.
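The JavaScript and form-grabbing types above both depend on a script running inside a web page that the site owner did not intend to serve. One server-side control that limits this is the Content-Security-Policy header, which tells the browser which script sources are allowed. The following Python script is an added example, not code from the original article or from CrowdStrike: it parses a CSP header and reports the settings that would let an injected script execute. The header values are constructed samples, and the choice of which source expressions to treat as "broad" is this example's assumption.

```python
"""Audit a Content-Security-Policy header for settings that would let an
injected keylogging script run. Added example; header strings are constructed."""
from __future__ import annotations

# Source expressions that effectively allow scripts from any host (assumption).
BROAD_SOURCES = {"*", "https:", "http:", "data:", "blob:"}
# When a nonce or hash is present, CSP-aware browsers ignore 'unsafe-inline'.
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split 'dir src src; dir2 src' into {directive: [sources]}.
    A directive repeated later in the header is ignored, as the spec requires."""
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit_csp(header: str) -> list[str]:
    """Return findings that weaken protection against injected scripts.
    An empty list means the script policy looked restrictive."""
    d = parse_csp(header)
    if "script-src" in d:
        sources = d["script-src"]
    elif "default-src" in d:
        sources = d["default-src"]          # script-src falls back to default-src
    else:
        return ["no script-src or default-src: the policy does not restrict scripts at all"]

    findings = []
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE) for s in lowered)
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("'unsafe-inline' lets an injected inline <script> run")
    broad = sorted(s for s in lowered if s in BROAD_SOURCES)
    if broad:
        findings.append(f"broad source(s) {', '.join(broad)} allow scripts from arbitrary hosts")
    return findings


# Constructed sample headers: a weak policy beside a stricter one.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
STRICT_CSP = "default-src 'self'; script-src 'self' https://static.example.com"
NONCE_CSP = "default-src 'self'; script-src 'nonce-constructedvalue' 'unsafe-inline' 'self'"

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("strict", STRICT_CSP), ("nonce", NONCE_CSP)):
        print(label, audit_csp(csp) or "no findings")
```

The nonce case is the edge worth knowing: a policy that still lists 'unsafe-inline' for older browsers is not weak if it also carries a nonce or hash, so the audit only reports 'unsafe-inline' when nothing overrides it.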

How Keyloggers Work

Keyloggers are spread in different ways, but all have the same purpose. They all record information entered on a device and report the information to a recipient. Let’s take a look at a few examples showing how keyloggers can spread by being installed on devices:

  • Web page scripts. Hackers can insert malicious code on a web page. When you click an infected link or visit a malicious website, the keylogger automatically downloads on your device.
  • Phishing. Hackers can use phishing emails, which are fraudulent messages designed to look legitimate. When you click an infected link or open a malicious attachment, the keylogger downloads on your device.
  • Social engineering. Phishing is a type of social engineering, which is a strategy designed to trick victims into divulging confidential information. Cybercriminals might pretend to be a trusted contact to convince the recipient to open an attachment and download malware.
  • Unidentified software downloaded from the internet. Malicious users can embed keyloggers in software downloaded from the internet. Along with the software you want to download, you unknowingly download keylogging software.

Safe Keyloggers

Keyloggers have a reputation of criminality, but there are safe and legal uses for keyloggers. While laws vary depending on the state or country, keyloggers are generally considered legal if you own the device. For example, you can monitor office computers if you own the business. Similarly, you can monitor your own computer even if other people use it. However, you cannot monitor a family member’s computer without his or her knowledge.

Another use case for safe and legal keylogging is during ethical hacking. Ethical hacking is a strategy where a hacker attempts to legally break into computers or networks. Organizations might use this strategy to test their cybersecurity.

Protecting Yourself from Keyloggers

With access to your personal information, malicious users can cause a lot of damage.

It’s therefore important to protect yourself from keyloggers so you don’t become a victim. The good news is that you can reduce the likelihood of an attack with behaviors and precautions. According to Verizon’s 2022 Data Breach Investigations Report, 82% of breaches involve a human element. By being aware of the dangers, you can bolster your cybersecurity and better protect yourself against keylogging attacks.

How to Protect Yourself Against Keylogging Attacks on Personal Devices

The best protection against keylogging attacks is education about how the attacks occur. Consider the following precautions you can take to avoid becoming a victim:

  • Verify that emails are sent from legitimate sources. Check for unusual email addresses and consider whether requests are legitimate. For example, question whether your bank would ask you to reset your password in an email. When in doubt, avoid clicking the link. You can still perform the requested action, such as resetting your password, directly from your bank’s portal.
  • Verify that websites are legitimate. Cybercriminals often create convincing fake versions of popular websites. Before entering personal information, such as a social security number, check that the website has a digital certificate to validate its security.
  • Use a unique and strong password. It’s important to use unique passwords so that cybercriminals don’t have access to all your accounts if a password is compromised.

In general, exercise caution. Before clicking links or downloading files, always make sure that the source is trustworthy.
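The first precaution above, checking for unusual email addresses, can be turned into a small triage routine. The following Python script is an added example and not code from the original article or from CrowdStrike: it compares a sender's domain against an allow-list of domains you actually deal with and flags lookalikes built from character substitutions, one-character typos, or a trusted brand name embedded in an unrelated domain. The trusted domains, the substitution table and the sample addresses are all constructed for the example.

```python
"""Flag e-mail senders whose domain only resembles a trusted one.
Added example; all domains and addresses below are constructed."""
import re

# Constructed allow-list: the domains this reader actually deals with.
TRUSTED_DOMAINS = {"examplebank.com", "vendor-supply.com"}

# Character substitutions commonly used to build a lookalike domain (assumption).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def sender_domain(address: str) -> str:
    """Extract the lower-cased domain part of an e-mail address."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        raise ValueError(f"not an e-mail address: {address!r}")
    return m.group(1).lower()


def normalize(domain: str) -> str:
    """Undo common substitutions so 'examp1ebank' compares as 'examplebank'."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: address."""
    domain = sender_domain(address)
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"            # exact domain or one of its subdomains
    norm = normalize(domain)
    for t in trusted:
        brand = t.split(".")[0]         # 'examplebank' from 'examplebank.com'
        if norm == t or edit_distance(norm, t) <= 1 or brand in norm:
            return "lookalike"          # impersonates a trusted domain
    return "unknown"


def triage(addresses):
    """Classify a batch of From: addresses; anything not 'trusted' deserves a second look."""
    return {a: classify_sender(a) for a in addresses}


# Constructed sample From: addresses, as they might appear in an inbox.
SAMPLE_SENDERS = [
    "alerts@examplebank.com",
    "billing@mail.vendor-supply.com",
    "alerts@examp1ebank.com",
    "security@examplebank.co",
    "it-support@examplebank-secure.net",
    "newsletter@unrelated.org",
]

if __name__ == "__main__":
    for addr, verdict in triage(SAMPLE_SENDERS).items():
        print(f"{verdict:9} {addr}")
```

A "lookalike" verdict is the one that matters for the advice in the list: the message may look routine, but the link in it should be ignored and the action taken directly from the real site instead.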

Learn More

Learn how keylogging can be a critical part of a threat actor’s infiltration strategy in this blog post: Hunting Badness on OS X with CrowdStrike’s Falcon Real-Time Forensic Capabilities.

How to Protect Yourself Against Keylogging Attacks on Public Devices

When using public devices, you should exercise even more caution. Public devices might not have the latest security updates or antivirus protection. A previous user also could have tampered with the device and installed a keylogger.

Avoid entering passwords and credit card information on a public computer. If you must enter sensitive information on a public computer, try to limit the damage of a potential attack. For example, change your password as soon as you can access your account from a private device. Or, use a single credit card for online purchases and monitor it frequently for unauthorized charges.

How to Protect Yourself from Remotely Installed Keyloggers

Hackers or governments can remotely install keyloggers and hidden malware on devices through strategies like drive-by downloads and fake software. Remote keyloggers can capture keystrokes and record audio using the device’s microphone. To prevent remote keyloggers, use similar strategies for preventing keylogging attacks on your personal devices.

Detecting and Removing Keyloggers

When cybercriminals use keyloggers, their goal is to be undetectable. If victims are unaware that someone is spying on every keystroke, they continue to enter personal information on their devices. However, there are some warning signs to watch out for that may indicate you have a keylogger installed.

Warning Signs to Help Detect Keyloggers

There are three primary warning signs that can help you detect keyloggers:

  • A slow browser
  • A lag in mouse movements and keystrokes
  • A disappearing cursor

If you experience these issues, you should check for keyloggers right away. To do so, take the following steps:

  • Use the Task Manager on PCs or the Activity Monitor on Macs. The Task Manager and the Activity Monitor are utility programs that show which applications and background processes are currently running. Review what’s running and end any applications or processes that are suspicious.
  • Inspect programs and features. Review which programs are installed on your device. If you don’t recognize one, research it online and uninstall it if necessary.
  • Scan your device using antivirus software. This software constantly scans for malware on your devices, removing it automatically.

You can periodically review active processes and installed programs by hand, but hackers often make keyloggers look like legitimate programs. Because of that, antivirus software is the most reliable way to monitor for keyloggers and other forms of malware.
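The first step in the list, reviewing what Task Manager or Activity Monitor shows, goes faster with a few heuristics applied to the process list. The following Python script is an added example and not code from the original article or from CrowdStrike. The process records are constructed to resemble a Windows Task Manager listing, and the heuristics (an executable running from a temporary or download folder, a system image name running from outside the Windows directory, a missing or deleted binary) are this example's assumptions about what deserves a closer look, not a signature from any product. The `snapshot_linux` helper reads a live list from /proc so the same review can be run on a Linux host.

```python
"""Heuristic review of running processes, as Task Manager / Activity Monitor
would list them. Added example; the sample records below are constructed."""
from __future__ import annotations
import os
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    name: str   # image name as Task Manager / Activity Monitor shows it
    exe: str    # full path of the executable; '' if the tool cannot report it


# Folders a legitimate long-running program rarely executes from (assumption).
USER_WRITABLE_HINTS = ("\\temp\\", "\\downloads\\", "/tmp/", "/dev/shm/")
# Windows system images that should start only from the Windows directory (assumption).
SYSTEM_IMAGES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIR = "c:\\windows\\"


def review(proc: Proc) -> list[str]:
    """Return the reasons a process deserves a closer look; empty list means none found."""
    reasons = []
    exe = proc.exe.lower()
    name = proc.name.lower()
    if not exe:
        reasons.append("no executable path reported")
    if any(h in exe for h in USER_WRITABLE_HINTS):
        reasons.append("runs from a temporary or download folder")
    if name in SYSTEM_IMAGES and not exe.startswith(SYSTEM_DIR):
        reasons.append(f"{proc.name} is a system image name but runs from {proc.exe or 'an unknown path'}")
    if exe.endswith(" (deleted)"):          # how /proc/<pid>/exe reports a removed binary
        reasons.append("executable was removed from disk after launch")
    return reasons


def review_all(procs) -> dict[int, list[str]]:
    """Map pid -> reasons for every process that triggered at least one heuristic."""
    flagged = {}
    for p in procs:
        reasons = review(p)
        if reasons:
            flagged[p.pid] = reasons
    return flagged


def snapshot_linux() -> list[Proc]:
    """Live process list from /proc (Linux only); the constructed sample below does not use it."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/comm") as f:
                name = f.read().strip()
        except OSError:
            continue        # process exited, or we lack permission to read it
        procs.append(Proc(int(pid), name, exe))
    return procs


# Constructed sample resembling a Windows Task Manager listing.
SAMPLE_PROCS = [
    Proc(4, "System", "c:\\windows\\system32\\ntoskrnl.exe"),
    Proc(812, "svchost.exe", "c:\\windows\\system32\\svchost.exe"),
    Proc(4120, "svchost.exe", "c:\\users\\alice\\appdata\\local\\temp\\svchost.exe"),
    Proc(5320, "updater.exe", "c:\\users\\alice\\downloads\\updater.exe"),
    Proc(6001, "chrome.exe", "c:\\program files\\google\\chrome\\application\\chrome.exe"),
]

if __name__ == "__main__":
    for pid, reasons in review_all(SAMPLE_PROCS).items():
        print(pid, "; ".join(reasons))
```

The two flagged entries in the sample show why a bare process name is not enough: the second `svchost.exe` looks identical to the legitimate one in the list until its path is checked, which is exactly how a keylogger disguised as a system program hides in plain sight.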

How to Remove Keyloggers

It’s always better to prevent keyloggers before they take hold on your device. Prevention protects your sensitive data and limits the spread of other kinds of malware that could damage your devices.

However, if you identify a keylogger on your device, you should remove it immediately. Antivirus software removes any malware automatically. If you don’t use antivirus software, complete one of the following steps to manually remove a keylogger:

  • Uninstall the program from your device.
  • Clear temporary files.
  • Reset your device and restore it from a backup.

Tools to Prevent Keylogging

In addition to educating yourself about cybersecurity risks and taking general precautions, you should consider using the following tools to prevent keyloggers from being installed:

  • Use a firewall. A firewall is a security system that helps monitor network traffic for suspicious activity. Firewalls can help prevent keylogging by intercepting data that a keylogger attempts to send through the internet.
  • Use a password manager and update passwords frequently. A password manager stores passwords from all your accounts so you only need to remember the master password. With a password manager, you can use stronger passwords and update them frequently because you don’t need to remember them.
  • Update your system frequently. System updates to your operating system and applications keep malicious users from exploiting known issues. Make sure that you install updates as soon as they are available to keep your system protected.
  • Use antivirus software. Antivirus software prevents malware and can identify and remove malware faster than you can manually.

Protect Yourself from Keyloggers with CrowdStrike

Cybercrime is a threat that affects many people every year. According to a cybersecurity report from Abnormal Security, the number of cyberattacks continues to grow. In the second half of 2021, the report found an 84% increase in the number of business email compromise attacks. For organizations with over 50,000 employees, the report found that there was a 95% chance of receiving a business email compromise attack each week.

Individuals and organizations can inadvertently download keystroke loggers onto their devices during a business email compromise attack or other kind of cyberattack. The longer these malicious programs remain in your system, the more access that cybercriminals have to your accounts and personal information. It’s important to detect keyloggers early and to remove them promptly. You can minimize damage caused by keyloggers by taking precautions and using tools, such as antivirus software and firewalls.

A complete internet security solution is the best defense against keylogging. The CrowdStrike Falcon® platform can give you visibility into potential attacks across various hosts, cloud infrastructures and business applications.

GET TO KNOW THE AUTHOR

Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and has more than 20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies, including 3Com/TippingPoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management and product marketing roles.