A survey of keylogger and screenlogger attacks in the banking sector and countermeasures to them

Hugo Sbai (1), Michael Goldsmith (1), Samy Meftali (2), and Jassim Happa (1)

(1) Oxford University, Department of Computer Science, 15 Parks Rd, Oxford OX1 3QD, UK
{hugo.sbai,michael.goldsmith,jassim.happa}@cs.ox.ac.uk
(2) Université de Lille 1, Centre de Recherche en Informatique, Signal et Automatique (Cristal), Batiment M3 extension Avenue Carl Gauss, 59655 Villeneuve d'Ascq Cedex, France
samy.meftali@univ-lille1.fr
Abstract. Keyloggers and screenloggers are among the actively growing threats to users' confidentiality, as they can run in user space, be distributed easily and upload information to remote servers. They use a wide range of techniques and may be implemented in many ways. Keyloggers and screenloggers are very largely diverted from their primary and legitimate function to be exploited for malicious purposes that compromise the privacy of users, and of bank customers in particular. This paper presents a survey of keylogger and screenlogger attacks to increase understanding and awareness of their threat: it covers basic concepts related to bank information systems, explains how these attacks function, and presents and discusses an extensive set of plausible countermeasures.

Keywords: Keyloggers, Screenloggers, Virtual keyboards, Optical Character Recognition, Neural networks, SVM, Noise.
1 Introduction

Currently, banking data is digital, integrated into banking information systems and accessible to employees, bank supervisors and customers. All users of such an information system therefore log in to their accounts with passwords and are granted some privileges. These privileges can, for instance, be simply consulting an account balance, closing or creating an account, or transferring large sums from one account to another.

This simplicity of access and the large amount of money that can be manipulated or diverted by any malicious person holding an adequate password make these systems prime targets for many computer attacks using various software and malware. Among these, the use of keyloggers or screenloggers is often particularly effective and dangerous for banking information systems.

Keyloggers and screenloggers are software used to capture and save keystrokes or screenshots into files without the user's knowledge. Most currently available keyloggers are considered "legitimate" applications and are used to fulfil many legitimate and legal functions, such as tracking children's use of the internet or tracking cases of inappropriate use of business computers [29]. Yet they are very largely diverted from their primary and legitimate function to be exploited for malicious purposes, and unfortunately the theft of credentials for various online payment systems has become one of the main applications of keyloggers and screenloggers [4]. Many keyloggers/screenloggers try to conceal themselves and, unlike other types of malware, they do not affect the functioning of the infected system. Despite that, they can be very dangerous for the user's privacy and for the organisation to which the information system belongs.

A keylogger can intercept passwords or other confidential information entered by the user with the keyboard, whereas a screenlogger is capable of capturing screenshots. This information is then passed to the source of the malicious program. This paper only targets the case of banking institutions, even though the theft of such data can have very serious consequences in other sectors, for example in economic and political intelligence operations, for commercial or state secrets, or by compromising security in public and private organisations. To the best of our knowledge, there is no document that provides a clear synthesis of the current knowledge about screenloggers; this is the aim of this paper. The existing works in the literature that present an overview of this type of malware generally concentrate on keyloggers, especially on the detection phase as in [29], or on the processing and implementation details as in [30]. One of the original contributions of this paper is that it presents the vulnerabilities of screenloggers at all stages of their operation, and focuses particularly on the most critical phase, which is the automatic recognition of the captured data.

The rest of this document is organised as follows: in Section 2 we define the basic concepts related to keyloggers and screenloggers and their illegitimate use against bank information systems. Section 3 presents the general functioning of these attacks step by step and proposes countermeasures. Section 4 focuses on the data extraction process, showing the different techniques that can be used and discussing their weaknesses and possible countermeasures. Finally, in Section 5 we conclude by summarising the work and discussing potential directions for future research.
2 Basic concepts

2.1 Keyloggers classification

Keyloggers: a keylogger may be either a piece of software or a hardware component that monitors key presses on a computer. The recorded keystrokes are saved into files and later sent to the person specified in the keylogger settings. We distinguish two types of keyloggers: software and hardware ones.

Hardware (HW) keyloggers: these are devices connected to the keyboard or to the computer. Detecting them requires a physical inspection by a human [5]. These boxes can intercept all the data transmitted by the keyboard, including the BIOS password and bank identifiers. The oldest ones are module-type keyloggers with a PS/2 interface; they are usable on keyboards having this same interface [19], and often have a form extremely close to that of USB-PS/2 adapters. There are also USB versions that look like a USB/Wi-Fi or USB/Bluetooth peripheral. A third form is less accessible to the general public but is quite efficient: it consists of a tiny electronic card connected inside the keyboard. Lastly, probes can be used for side-channel attacks. For wireless keyboards, there is no need for a specific additional box to recover the keys entered [9]: this can be done just by capturing the radio signal the keyboard emits to communicate with its receiver and then decrypting the communication, which employs weak encryption in most cases.

Software (SW) keyloggers: these are much more common because they can be installed remotely, e.g. via a network, and generally do not require physical access to the device to recover the collected data (the data can be transmitted periodically by email) [12]. Although these keyloggers are more easily detectable by other software tools, they still have more advantages than hardware keyloggers.

A hardware keylogger is only capable of recording keystrokes out of context, i.e. with no relation to the user environment. A software keylogger records not only keystrokes but also the state of the target machine. The most targeted applications are web browsers, because they allow the recovery of usernames and passwords (bank account logins, for example) [14]. One of the main strengths of this type of keylogger is that it can be deployed indifferently on computers, tablets or smartphones.
Screenloggers (also known as touch loggers or tap loggers): they are a variant of keylogger software [8]. Their main use is to take screenshots and even to make videos retracing all of the computer's activity. A screenlogger records the movements of the mouse, along with screen captures taken on click events.

2.2 Comparative evaluation between Screenloggers, HW Keyloggers and SW Keyloggers

As shown in Table 1 below, screenloggers have some important advantages compared to HW or SW keyloggers. Indeed, they can be used to infect a device remotely and at a very large scale in the same way as SW keyloggers, providing the hacker with a complete set of data and information. In fact, screenshots give additional details, making password extraction much easier.

The only way to detect hardware keyloggers is to become familiar with these devices or to check the device internally and externally [10] regularly. Even the NSA catalogue published in late 2013 reflects the difficulty of finding recording devices that are barely bigger than a fingernail. This constitutes the main advantage of HW keyloggers, but the hacker must still have physical access to the device to infect it, which is a significant drawback. For software keyloggers, the infection paths are the same as for other malware.
Table 1: Screenloggers vs HW Keyloggers vs SW Keyloggers: features, infection capabilities and detection.

Feature                                    | HW Keyloggers | SW Keyloggers | Screenloggers
-------------------------------------------|---------------|---------------|------------------------------
Keys                                       | Yes           | Yes           | Yes (but not their main use)
Use of multiple inputs (mouse, pad, etc.)  | No            | No            | Yes
Screenshots                                | No            | No            | Yes
System context                             | No            | Yes           | Yes
Ease of infection                          | ****          | *             | *
Large scale infection                      | *             | ****          | ****
Ease of exploitation                       | *****         | ***           | *
Ease of detection by SW                    | No            | ***           | ***
Ease of detection by user                  | ***           | *             | *
2.3 Screenlogger attack against Banking Information Systems

The main objective of any hacker attacking a banking information system is to steal confidential information such as authentication data. The hacker could try to install a screenlogger program remotely on a client device or directly on a computer inside the bank [15]. The latter alternative would give the hacker more privileges, but it is harder than attacking a simple client account.

Fig. 1: Screenloggers operating process.

The most common screenlogger process can be separated into five steps, as shown in Figure 1. First, the hacker must infect a device, generally remotely, using emails or any other file transmission technique [16]. Second, once the malicious program has been installed, it runs as a background service. Then comes the main job of the screenlogger, which consists in recording screenshots at regular intervals or when triggered by mouse clicks. The resulting captured screenshots may or may not be processed on the host device, depending on the nature of the screenlogger. Finally, the raw or processed data is transmitted to the hacker through the network.

Each of the above steps exploits a certain number of vulnerabilities to make the whole process as efficient as possible. The objective of the next section is to give more details about the operating mode of each step, the vulnerabilities used, and the countermeasures that users can take to protect their devices.
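The five-step process above (infection, background service, periodic or click-triggered captures, optional local processing, network transmission) gives a host-based detector concrete behaviour to look for. The following is an added example, not code from the paper: a Python heuristic run over constructed host telemetry that flags processes whose screen captures are timer-driven or follow mouse clicks and are then followed by outbound traffic. The sensor line format and the event kinds (capture, click, net_send) are assumptions.

```python
"""Heuristic detection of screenlogger-like behaviour over host telemetry.
Added example, not the paper's code. Assumes a hypothetical host sensor that
emits one event per line as "pid process timestamp_s kind [detail]" with
event kinds capture (screen-capture API call), click (mouse click), net_send."""
import statistics
from collections import defaultdict
# Constructed sample telemetry (not real logs): capture on click or on a timer, then send.
SAMPLE_EVENTS = """\
4412 svchlpr.exe   10.0 click
4412 svchlpr.exe   10.1 capture
4412 svchlpr.exe   12.3 click
4412 svchlpr.exe   12.4 capture
4412 svchlpr.exe   17.1 click
4412 svchlpr.exe   17.2 capture
4412 svchlpr.exe   25.0 net_send 203.0.113.7:443 bytes=418233
5101 updatesvc.exe  5.0 capture
5101 updatesvc.exe 10.0 capture
5101 updatesvc.exe 15.0 capture
5101 updatesvc.exe 20.0 capture
5101 updatesvc.exe 21.0 net_send 198.51.100.9:8080 bytes=1205511
3000 snipper.exe    8.0 capture
3000 snipper.exe   41.0 capture
"""

def parse_events(text):
    """Parse lines into (pid, process, timestamp, kind, detail); skip malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) >= 4:
            detail = parts[4] if len(parts) > 4 else ""
            events.append((int(parts[0]), parts[1], float(parts[2]), parts[3], detail))
    return events

def score_process(evs, click_window=0.5, max_cv=0.1):
    """Score one process: timer-driven captures, click-triggered captures, exfil after capture."""
    captures = sorted(e[2] for e in evs if e[3] == "capture")
    clicks = [e[2] for e in evs if e[3] == "click"]
    sends = [e[2] for e in evs if e[3] == "net_send"]
    score, reasons = 0, []
    if len(captures) >= 3:
        gaps = [b - a for a, b in zip(captures, captures[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_cv:  # fixed period
            score += 2
            reasons.append("captures at a regular period")
        near = sum(1 for c in captures if any(0 <= c - k <= click_window for k in clicks))
        if clicks and near / len(captures) >= 0.8:  # mouse-hook triggered
            score += 2
            reasons.append("captures triggered by mouse clicks")
    if captures and any(s >= captures[0] for s in sends):  # transmission step
        score += 1
        reasons.append("outbound traffic after screen captures")
    return score, reasons

def detect(text, threshold=3):
    """Return {process_name: (score, reasons)} for processes scoring >= threshold."""
    by_proc = defaultdict(list)
    for e in parse_events(text):
        by_proc[(e[0], e[1])].append(e)
    flagged = {}
    for (_pid, name), evs in by_proc.items():
        score, reasons = score_process(evs)
        if score >= threshold:
            flagged[name] = (score, reasons)
    return flagged
```

The two-capture snipping tool with no outbound traffic stays below the threshold, while the click-driven and timer-driven processes that then send data are both flagged.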
3 Screenloggers processing steps and countermeasures

At each stage of their operating mode, screenloggers exploit a number of flaws, using resources to optimise their performance and their ability to collect and extract data [18]. However, there are measures that minimise as far as possible the risk of infection by a screenlogger before its installation on the target machine on the one hand, and on the other hand a set of actions to detect the malware after infection and to limit the damage it does.

The purpose of the current section is to give an overview of the weaknesses exploited by screenloggers at each stage of their functioning (as seen in Figure 1), as well as the countermeasures that the victim could take to ensure their safety.

Device infection: the first step of a screenlogger process is to infect the target machine, as seen in Figure 1. The way in which such software gets onto a machine is quite similar to the infection path of almost all modern malware. Indeed, a screenlogger infects a machine (a computer, a tablet or a smartphone) through one of these main methods:

Manual installation: this can be done when the hacker has physical access to the device and the rights granting the privileges to copy and execute programs. This is practicable to a certain level for attacks against people without specialised knowledge, even of simple security basics, and against those who cannot afford to protect their equipment, notably against theft.

Transmission over the network: the screenlogger can also be transmitted to the target machine remotely, as is often the case, using a network protocol such as email, FTP or any other file transfer protocol [12]. In all cases, the transfer is done without the knowledge of the target machine's owner.

Transfer from storage devices: the malicious program can be transferred via a device such as a USB key, a memory card or an external hard disk that the user connects to the device without being aware of the malware's presence.

Countermeasures to prevent device infection: although zero risk cannot reasonably be guaranteed on any machine connected to the internet, there are nevertheless many measures that substantially reduce the risk of a screenlogger infection. Mirroring the ways in which a device can be infected, these measures can be divided into three parts:
References

Stoller M. Optical character recognition system. Patent.
Optical Character Recognition Systems. Book chapter.
From keyloggers to touchloggers: Take the rough with the smooth. Journal article.
Low Cost Correction of OCR Errors Using Learning in a Multi-Engine Environment. Conference paper.
Text line extraction from handwritten document pages using spiral run length smearing algorithm. Conference paper.