IT Services

Guidance for dealing with keyloggers


These days it is extremely common to encounter sophisticated malicious software that has been designed to capture and transmit data such as passwords and bank details. Attackers are frequently making use of captured details, primarily for financial gain, but not necessarily through the traditional methods of fraudulent credit card purchases or withdrawals from bank accounts; almost any information captured potentially has value.

This document is intended to give some advice to those whose systems have been infected with such malware. If you have been affected then we encourage you to follow the advice in order to reduce the risk of your accounts being attacked. We appreciate that the advice may seem daunting, but in the long-term it may save you work. Please do not be afraid to approach your IT officer or the OUCS helpdesk for assistance or further advice.

One first piece of advice is that if you believe your machine is infected with such malware, for example if you have been told by an IT officer that your machine is blocked for this reason, do not try to connect it to a network elsewhere until it has been cleaned. There may be data that has been captured and is stored on your machine but not yet transmitted to the attacker's site. There is nothing to be gained by giving them more of your passwords or other data.

1. Changing Passwords

Any passwords that have been exposed will need to be changed as soon as possible, however do remember that this needs to be done from a machine that is free of malware. If in doubt you may wish to talk to your IT officers about where they recommend you do so. Remember, you should not enter these passwords again on the machine that was infected until you are confident it has been effectively cleaned.

Please note that all passwords for University (or College) systems that have been entered via a machine compromised with keylogging malware MUST be changed. If you are at all unsure as to whether a password may have been entered via the system, change it. University IT staff may confirm that such action has been taken.

2. Saved Passwords

If you are in the habit of saving passwords inside your web browser or other software, it is likely that the attackers may have captured this list of saved usernames and passwords, so these will need changing, it is often possible to get a list of sites for which you have saved your password, in firefox, you can do this from the Preferences dialog box under Security/Saved Passwords. In Internet Explorer this list is unfortunately not easily accessible.

3. Other Passwords

There are many different services for which you may have usernames and passwords, here are a few types of account that many users may have (and may have entered onto the infected computer), this may help to remind you of passwords you might need to change:

4. Other information

Loss may not be limited to passwords; depending on the malware in question, potentially any information entered, stored or processed on an infected computer may have been disclosed to an attacker. Information may have been stolen from online services if the attackers have gained access to the password for that services.

Online banking sites commonly use more than just a single password to authenticate users, but these days malware is extremely sophisticated and able to capture any additional information you supply when logging in. This may include a password or code number from which you enter only certain letters or digits (over time, attackers can capture the full passcode), personal information such as your date of birth, favourite colour, mother's maiden name. If you have made any online purchases, credit card details have likely been captured along with expiry dates, CVV codes and passwords for authentication systems such as Verified by Visa or Mastercard Securecode.

Please also be aware that seemingly harmless personal information may aid attackers in getting control of certain accounts even if you have changed your password. Many sites these days allow you to reset a password by supplying certain personal information. For instance, OUCS use date of birth, University card barcode and a "security question" of your choosing. Many users have chosen to use simple questions such as their mother's maiden name or their dog's name for their security question, in spite of OUCS's advice not to do so. Such questions may be trivial for attackers to answer from other information they have captured; other questions such as "favourite colour" can be easy to guess.