Keyloggers are computer programs that capture every keystroke a user types. This includes user-ids and passwords to sensitive information, like a user’s online bank account. When used by cybercriminals, these captured keystrokes are secretly transmitted back to the cybercriminal for their own dishonest use.
It was a keylogger that enabled cybercriminals to steal $400,000 from Village View Escrow last March. (See our blog post: e-Banking Bandits Target Title and Escrow Companies.) Most, if not all, of the online bank theft stories we’ve covered involve a keylogger used to steal online bank credentials.
There are several ways users can get their computers infected by a malicious keylogger. They are often surreptitiously installed as part of a virus or malware attack. Inadequately protected web sites can infect visitors with a keylogger. (See our blog post from April: Visitors to Web Sites Hosted by Network Solutions Again at Risk and August: Network Solutions Once Again Serves Up Malware.) There are even physical keyloggers that can be installed on a user’s workstation.
There are three specific things you need to pay attention to keep a malicious keylogger off your workstation.
- Diligently keep your workstation updated with security fixes. This includes your operating system (Windows or Apple), your application programs (like Adobe reader), and your browser add-ons (like Flash).
- Keep your anti-virus anti-malware up to date, Consider a modern intrusion prevention system able to counter the attacks that get by your anti-malware defenses.
- Be very suspicious of emails, particularly those containing attachments. If the email is not from someone you know and is not something you expect, then treat it the same way you would treat a suspicious package you discover ticking in an airport bathroom.
Today’s New York Times has an up-to-date overview of some new thinking about password security: A Strong Password Isn’t the Strongest Security.