
How attackers hijack accounts with keyloggers and malware

November 02, 2017

This is the third article in a four-month series on how attackers hijack TMU accounts. Check out the first article on how attackers hijack accounts using password-guessing and the second article on how attackers hijack accounts with phishing.

By: Brian Lesser, Chief Information Officer

Keyloggers and malware are two effective ways that hackers gain access to your passwords and hijack accounts.

What are keyloggers and how do they work?

A keylogger is a small hardware device, or a piece of software, that records everything typed on a keyboard, and it is a common way to steal passwords. Lately there has been an increase in stories in the press about students who break into their professors' offices and install a keylogger on the professor's computer.

Once the keylogger records the professor's password, the student uses it to log in and change their grades, and sometimes the grades of their friends.

In a well-known example, in 2015 a student was convicted and then jailed after using a keylogger to increase his exam marks. Keyloggers have also been used in libraries and other places to hijack accounts. Concordia reported keyloggers in their library last year.

More recently, the University of Alberta discovered that malicious software designed to capture usernames and passwords had been installed on 304 university lab and classroom computers.


Malware and credential theft

Malware, including ransomware, now routinely tries to steal login credentials along with whatever other harm it is trying to accomplish. For example, one type of ransomware (CryptXXX) looks on disks and in memory for the following types of credentials:

  • browser data (history, cookies, stored credentials)
  • download manager's credentials
  • email credentials
  • FTP credentials
  • IM credentials
  • poker software credentials
  • proxy credentials
  • remote administration software credentials
  • VPN credentials

Credential-stealing malware can find its way onto your computer via poisoned downloads, file-sharing services and email attachments. Perhaps you've opened an email attachment that asked you to enable macros, or to "update this document with the data from the linked files". If so, you may have installed malware on your computer.
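The two lures mentioned above (a document that needs macros, and one that wants to "update" itself from linked files) both leave traces inside the attachment that can be checked before the file is ever opened. The script below is an added example, not code from the original article or from CCS: it unpacks an Office (OOXML) attachment as the zip archive it is and looks for a VBA project, for DDE/DDEAUTO field instructions (the fields behind the "update this document with the data from the linked files" prompt), and for relationships that point at external objects. The sample documents are constructed in memory so the check runs offline; the part names, field syntax and relationship types are the standard OOXML ones.

```python
"""Inspect an Office (OOXML) attachment for macros and DDE/linked-object fields.
Added example, not from the original article. Sample documents are constructed
in memory so the script runs offline."""
import io
import re
import zipfile

MACRO_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$")      # VBA project = macros present
RELS_PART = re.compile(r"^(word|xl|ppt)/_rels/[^/]+\.rels$")      # relationship files
DDE_FIELD = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)          # DDE field instructions
# Relationship types that make Office load content from outside the document.
EXTERNAL_REL_TYPES = ("oleObject", "externalLink", "attachedTemplate", "frame")


def inspect_office_file(data: bytes) -> dict:
    """Return the risky features found in an OOXML file (docx/docm/xlsx/xlsm/pptx...)."""
    findings = {"is_ooxml": True, "has_macros": False, "dde_fields": [], "external_objects": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["is_ooxml"] = False  # legacy binary .doc/.xls, or not an Office file at all
        return findings
    with zf:
        for name in zf.namelist():
            if MACRO_PART.match(name):
                findings["has_macros"] = True
            elif name.startswith("word/") and name.endswith(".xml"):
                # Field instructions live in <w:instrText> runs or in w:fldSimple attributes.
                xml = zf.read(name).decode("utf-8", errors="replace")
                instrs = re.findall(r"<w:instrText[^>]*>(.*?)</w:instrText>", xml, re.S)
                instrs += re.findall(r'<w:fldSimple[^>]*w:instr="([^"]*)"', xml)
                findings["dde_fields"] += [i.strip() for i in instrs if DDE_FIELD.search(i)]
            elif RELS_PART.match(name):
                rels = zf.read(name).decode("utf-8", errors="replace")
                for rel in re.findall(r"<Relationship\b[^>]*>", rels):
                    if 'TargetMode="External"' not in rel:
                        continue
                    rtype = re.search(r'Type="[^"]*/([^"/]+)"', rel)
                    target = re.search(r'Target="([^"]*)"', rel)
                    if rtype and rtype.group(1) in EXTERNAL_REL_TYPES:
                        findings["external_objects"].append(
                            (rtype.group(1), target.group(1) if target else ""))
    return findings


def verdict(findings: dict) -> str:
    """Reduce the findings to a one-word decision for the person about to open the file."""
    if not findings["is_ooxml"]:
        return "not-ooxml"
    if findings["has_macros"] or findings["dde_fields"] or findings["external_objects"]:
        return "suspicious"
    return "clean"


def _build_docx(parts: dict) -> bytes:
    """Build a minimal docx-like zip from part name -> content (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real files from any incident).
BODY = "<w:document><w:body><w:p><w:r><w:t>Meeting agenda</w:t></w:r></w:p></w:body></w:document>"
CLEAN_DOC = _build_docx({"word/document.xml": BODY})
MACRO_DOC = _build_docx({"word/document.xml": BODY,
                         "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 28})
DDE_DOC = _build_docx({"word/document.xml":
    '<w:document><w:body><w:p><w:r><w:instrText xml:space="preserve">'
    ' DDEAUTO C:\\\\data\\\\budget.xlsx "Sheet1!R1C1" </w:instrText></w:r></w:p></w:body></w:document>'})
LINKED_DOC = _build_docx({"word/document.xml": BODY, "word/_rels/document.xml.rels":
    '<Relationships><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/'
    'officeDocument/2006/relationships/oleObject" Target="file:///C:/shared/report.xlsx"'
    ' TargetMode="External"/></Relationships>'})
NOT_OOXML = b"%PDF-1.4 not a zip archive"

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_DOC), ("macro", MACRO_DOC), ("dde", DDE_DOC),
                       ("linked", LINKED_DOC), ("pdf", NOT_OOXML)]:
        f = inspect_office_file(doc)
        print(f"{label:7s} -> {verdict(f)} {f}")
```

A "suspicious" verdict is not proof of malice (legitimate templates carry macros too); it is the cue to ask the sender, or CCS, before enabling anything. Legacy binary .doc/.xls files are not zip archives and come back as "not-ooxml", so treat those as unchecked rather than clean.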

CCS detects new malware-infected machines on TMU’s network almost every day. In many cases, the owner of the machine has no idea their computer was infected. We often have to scramble to ensure everyone who used the compromised machine changes their passwords.

Protecting your TMU account

The best defence against keyloggers, malware and other attacks against your account is to use two-factor authentication for every application that offers it: a stolen password on its own is then not enough to log in. Two-factor authentication does not stop malware that steals the cookies of a session you are already logged into, so the other precautions still matter. Occasionally inspect your workstation for tampering (an unfamiliar device between the keyboard cable and the computer, or plugged into a spare USB port), keep your office locked when you aren't there, and keep your antivirus, operating system, browser and other software updated.

Here are some links to help you better protect your TMU account:

In the next and final article in this series I’ll describe some of the things attackers can do with your account if they succeed in hijacking it.

This article was originally published in the Ryerson Works employee newsletter on November 2, 2017. It has been updated to reflect the new university name.