The New York Times Technology
Skip to article Welcome, vsauter2 - Member Center - Log Out
Technology Home Circuits Product Reviews How To's Deals

Cyberthieves Silently Copy Your Passwords as You Type

Published: February 27, 2006

Most people who use e-mail now know enough to be on guard against "phishing" messages that pretend to be from a bank or business but are actually attempts to steal passwords and other personal information.

Skip to next paragraph


Protecting Yourself From Keylogging Thieves (February 27, 2006)

Audio: What Is Keylogging? - George Waller, the executive vice president of StrikeForce, describes how keylogging works and an upcoming StrikeForce product aimed at preventing keylogging.

But there is evidence that among global cybercriminals, phishing may already be passť.

In some countries, like Brazil, it has been eclipsed by an even more virulent form of electronic con — the use of keylogging programs that silently copy the keystrokes of computer users and send that information to the crooks. These programs are often hidden inside other software and then infect the machine, putting them in the category of malicious programs known as Trojan horses, or just Trojans.

Two weeks ago, Brazilian federal police descended on the northern city of Campina Grande and several surrounding states, and arrested 55 people — at least 9 of them minors — for seeding the computers of unwitting Brazilians with keyloggers that recorded their typing whenever they visited their banks online. The tiny programs then sent the stolen user names and passwords back to members of the gang.

The fraud ring stole about $4.7 million from 200 different accounts at six banks since it began operations last May, according to the Brazilian police. A similar ring, broken up by Russian authorities earlier this month, used keylogging software planted in e-mail messages and hidden in Web sites to draw over $1.1 million from personal bank accounts in France.

These criminals aim to infect the inner workings of computers in much the same way that mischief-making virus writers do. The twist here is that the keylogging programs exploit security flaws and monitor the path that carries data from the keyboard to other parts of the computer. This is a more invasive approach than phishing, which relies on deception rather than infection, tricking people into giving their information to a fake Web site.

The monitoring programs are often hidden inside ordinary software downloads, e-mail attachments or files shared over peer-to-peer networks. They can even be embedded in Web pages, taking advantage of browser features that allow programs to run automatically.

"These Trojans are very selective," said Cristine Hoepers, general manager of Brazil's Computer Emergency Response Team, which runs under the auspices of the country's public-private Internet Steering Committee. "They monitor the Web access the victims make, and start recording information only when the user enters the sites of interest to the fraudster." She added: "In Brazil, we are rarely seeing traditional phishing."

According to data compiled by computer security companies in 2005, the use of "crimeware" like keyloggers to steal user names and passwords — and ultimately cash — has soared. The crimes often cross international borders, and they put Internet users everywhere at risk.

"It's the wave of the future," said Peter Cassidy, the secretary general of the Anti-Phishing Working Group, a consortium of industry and law enforcement partners that fights online fraud and identity theft. "All this stuff is becoming more and more automated and more and more opaque."

Mr. Cassidy's group found that the number of Web sites known to be hiding this kind of malicious code nearly doubled between November and December, rising to more than 1,900. The antivirus company Symantec has reported that half of the malicious software it tracks is designed not to damage computers but to gather personal data. Over the course of 2005, iDefense, a unit of Verisign that provides information on computer security to government and industry clients, counted over 6,000 different keylogger variants — a 65 percent increase over 2004. About one-third of all malicious code tracked by the company now contains some keylogging component, according to Ken Dunham, the company's rapid-response director.

And the SANS Institute, a group that trains and certifies computer security professionals, estimated that at a single moment last fall, as many as 9.9 million machines in the United States were infected with keyloggers of one kind or another, putting as much as $24 billion in bank account assets — and probably much more — literally at the fingertips of fraudsters. John Bambenek, the SANS researcher who made the estimate, suggested that the infection rate was probably much higher.