Security

Phishers Using Keystroke Loggers

Eh-Wire writes "Keystroke loggers are rapidly becoming the lure of choice for phishers. Their advantage is that they compromise information long before the information has a chance to be encrypted."
This discussion has been archived. No new comments can be posted.

  • Re:Challenge (Score:2, Insightful)

    by blogtim ( 804206 ) on Thursday May 05, 2005 @04:43PM (#12445400) Homepage
    That's not a bad idea, though if they can log keystrokes, they can certainly log mouse movements. The problem with computer security is that everything is digitized. Even an eye scan or a fingerprint gets digitized at some point. That datastream can be captured and replayed.
  • Comment removed (Score:2, Insightful)

    by account_deleted ( 4530225 ) on Thursday May 05, 2005 @04:44PM (#12445410)
    Comment removed based on user account deletion
  • by SteelV ( 839704 ) on Thursday May 05, 2005 @04:46PM (#12445442)
    I've been worried about this for quite some time. I know how easy it is for someone to put a small device between the keyboard and the computer, and no one would notice it in most cases (such as at a public library, university campus, or any other place where the computers themselves are accessible and used by the general population). And even if you check the rear of the machine, it's also possible that it's been compromised by a software keylogger that is much more difficult to detect.

    I find myself, when on public machines, typing extra characters in my passwords and then using the mouse to highlight them and type over them. This makes my passwords (which are already random letters/numbers) seem longer than they really are with gibberish if they are logged as keystrokes. Unfortunately, some software keyloggers can detect exactly what the input into forms is -- this does not help with that. It is also quite a hassle, but what can I say? I'm a bit paranoid (but, I believe, rightly so).

    Keylogging is the easiest way to get people's information. The only solution I see is to ensure all public machines are much more secure from the user's end, and to actually have the machine itself inaccessible (i.e. locked in a drawer, etc.). I guess the only 'perfect' solution (if there is one) would be to use a keyboard that is projected from an inaccessible area, so that it cannot be tampered with whatsoever.

    Nothing's perfect, but we can do better than we're doing in public locations!

  • Re:Talented (Score:3, Insightful)

    by pv2b ( 231846 ) on Thursday May 05, 2005 @04:46PM (#12445454)
    The reason they are doing "bad things" is because they can't get a job in the first place.


    Not necessarily. It could just be that phishing might just pay more than doing an honest job.
  • Re:Challenge (Score:5, Insightful)

    The trick is that the web site would use the WinZip trick; the elements would be placed in random locations; after all, it's the data they need; the placement of the form elements doesn't really matter. If the phisher tried to re-create the mouse movements at a later date, they'd have a very low chance of clicking on the same radio button.
  • Re:Talented (Score:4, Insightful)

    by Avyakata ( 825132 ) on Thursday May 05, 2005 @04:48PM (#12445478) Homepage Journal
    That's not necessarily true...some people do "bad things" simply because they get pleasure from doing it. Maybe they enjoy the challenge?

    Plus, if they have enough skill to phish efficiently and successfully, then they can probably get a job somewhere.
  • by Anonymous Coward on Thursday May 05, 2005 @04:48PM (#12445479)
    Whoever wrote the article obviously didn't understand what he was writing about. The keylogger phenomenon has nothing to do with phishing.

    dictionary.com entry
    Main Entry: phishing
    Definition: the practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization's logo, in an attempt to steal passwords [...]

    You can install a keylogger to steal someone's passwords, credit card numbers, etc but calling it a trojan horse or a browser/email client exploit would be much more appropriate.
  • Here's an Idea... (Score:2, Insightful)

    by megarich ( 773968 ) on Thursday May 05, 2005 @04:49PM (#12445486)
    Don't do any online banking....period! I'm too paranoid, anything that involves my direct bank accounts I do in person. I still do CC orders over the internet since at least with cc you can report fraudulent charges and have them erased.

    I was disappointed reading the article. I was hoping they would go into more technical details like how these programs work, and how to detect some of them. As some pointed out already, the article just merely states the obvious, people using whatever techniques they can to steal your information.

  • by swb ( 14022 ) on Thursday May 05, 2005 @04:51PM (#12445517)
    How about we not waste law enforcement [usdoj.gov] efforts on pointless enforcement efforts that will get nowhere and instead focus those efforts on internet-based crimes, such as the fraud/theft rings behind spam, phishing and other activities?
  • Easy Fix (Score:2, Insightful)

    by Usaflt2003 ( 881612 ) on Thursday May 05, 2005 @04:52PM (#12445528) Homepage
    A couple of easy ways to avoid this:

    1. Don't use public access terminals for your important transactions.

    2. Don't let your home computer become infected with tons of malware.

    3. Go back to snailmail and telephones for those transactions... ok not a great solution but a logger can't get your bank password if you're sending checks to pay your bills, reading paper statements and calling the bank for your balance.
  • by slam smith ( 61863 ) on Thursday May 05, 2005 @04:53PM (#12445545) Homepage
    Maybe if you suspect it has trojans, keyloggers etc, you should clean/reinstall the machine before using it for sensitive work.
  • by pg110404 ( 836120 ) on Thursday May 05, 2005 @05:04PM (#12445658)
    Their advantage is that they compromise information long before the information has a chance to be encrypted.

    Ultimately how identity information is revealed aside, is this a phishing attempt or a mining attempt?

    Phishing has traditionally been initiated by a cleverly socially engineered email or some form of communication, redirecting the unsuspecting user to a counterfeit site designed to harvest that information. Like putting a worm on a hook and dropping it in the water, you hope for someone to nibble at it.

    Mining on the other hand is like picking away at the ground, in this case undetected, hoping to find that cache of gold. There's no guarantee that you'll even find anything, and once keylogging software is installed on the victim's PC, there is no user interaction with it. There is no social engineering to be done.

    So therefore, wouldn't keylogging really be more mining than phishing? Or should I stop wasting my time on /. and forget about semantics?
  • by merdark ( 550117 ) on Thursday May 05, 2005 @05:08PM (#12445696)
    Bluetooth keyboards are encrypted, but that still doesn't stop software loggers, which are probably more common anyways.
  • Re:Challenge (Score:4, Insightful)

    by rsborg ( 111459 ) on Thursday May 05, 2005 @05:26PM (#12445878) Homepage
    Replay attacks will become movies.

    Replay attacks, AFAIK require exact positioning. Trust me, I've done test automation using replay software, and window position is a right bitch to deal with... esp. when form elements move inside a page of a browser you might as well forget it.

    Plus randomization of relative positioning (ie, is it the left or right one) on each page can further increase this problem for phishers.

    This concept of a crypto-turing test is a great idea.

  • Re:Challenge (Score:3, Insightful)

    by SirTalon42 ( 751509 ) on Thursday May 05, 2005 @05:45PM (#12446062)
    ZA will stop and ask you if program X can access the internet using program Y. On the highest setting it will even monitor DLLs.

    Though 90% of the users just click 'accept' w/o even looking at it enough to even see the 'remember this decision for this program' option, so they obviously aren't looking at the program name.
  • Re:Challenge (Score:3, Insightful)

    by badmammajamma ( 171260 ) on Thursday May 05, 2005 @05:53PM (#12446145)
    Don't be so quick to judge customers about this convenience crap. I have complained to my bank that their site isn't as secure as it should be, nor is the basic use of credit cards even remotely as secure as it should be.

    Why not give the customers the option of using a high security interface over the normal one? That way the people who don't care about taking it up the ass can, and the people who do are covered too.

    Personally, I use a password keeper. I never type my passwords...ever. They are generated in my password keeper (I use TK8 Safe) and then PASTE them wherever I need them. Keylog that bitches!
  • Re:Challenge (Score:3, Insightful)

    by gsasha ( 550394 ) on Thursday May 05, 2005 @06:22PM (#12446376) Homepage
    It doesn't really matter. They'll just try and click a random button. They'll succeed in 1/100, 1/1000 of tries, who cares? That's enough to have a successful phishing operation.
    Consider the current scams running through spam e-mail. The response rates from the users are minuscule, but the volumes are so large and their expenses are so low that they still stay profitable.
    And you cannot make a graphical interaction with the user complex enough to make a random guess succeed in less than, say, 1/1000 of cases. Otherwise, it'll be so complex that legit users will get annoyed and go away.
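The randomized-placement idea argued over in the comments above (form elements reshuffled on every page load so recorded pointer positions do not replay, and the per-guess odds raised in the last comment), sketched as an added example that is not part of the original thread. The ten-cell keypad, the function names and the PIN `4071` are assumptions made for illustration.

```javascript
// Added illustration (not from the thread): a keypad whose digit positions
// are reshuffled for every session. All names and the PIN are hypothetical.

// Unbiased integer in [0, n) from the platform CSPRNG (rejection sampling).
function secureRandInt(n) {
  const buf = new Uint32Array(1);
  const limit = Math.floor(0x100000000 / n) * n;
  do { globalThis.crypto.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Fisher-Yates shuffle. Index = on-screen cell, value = digit drawn there.
// randInt is injectable so the behaviour can be tested deterministically.
function shuffledLayout(randInt = secureRandInt) {
  const digits = [...'0123456789'];
  for (let i = digits.length - 1; i > 0; i--) {
    const j = randInt(i + 1);
    [digits[i], digits[j]] = [digits[j], digits[i]];
  }
  return digits;
}

// What a recorder of pointer positions sees: cells, never the digits.
function cellsFor(layout, pin) {
  return [...pin].map((d) => layout.indexOf(d));
}

// Server side: only the layout issued for this session gives cells meaning.
function decodeClicks(layout, cells) {
  return cells.map((c) => layout[c]).join('');
}

// Fraction of fresh sessions in which cells recorded once still decode to
// the PIN. For four distinct digits the expected value is 1/(10*9*8*7).
function replaySuccessRate(pin, trials, randInt = secureRandInt) {
  const recorded = cellsFor(shuffledLayout(randInt), pin);
  let hits = 0;
  for (let t = 0; t < trials; t++) {
    if (decodeClicks(shuffledLayout(randInt), recorded) === pin) hits++;
  }
  return hits / trials;
}
```

Per-attempt odds of this size only bound the total when the server also limits failed attempts per account, which is the volume argument made in the comment above.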
  • by fm6 ( 162816 ) on Thursday May 05, 2005 @09:30PM (#12447745) Homepage Journal
    If you suspect a public terminal -- or any other computer you don't have admin access to -- has malware installed, then you should bloody well report your suspicions to somebody who can address the problem. And until your suspicions are addressed, the system is not a safe place to do sensitive work. Assuming that you can outsmart a keylogger is just plain silly.
  • Re:Challenge (Score:3, Insightful)

    by X0563511 ( 793323 ) * on Thursday May 05, 2005 @10:08PM (#12447946) Homepage Journal
    But the problem is that most people just don't think like that. They want it quick, easy, and secure.
