Anti-Keylogger Trick
Most Filipinos access the Internet through Internet cafes of wildly varying quality — from posh luxury gaming centers to dingy little holes-in-the-wall (mostly the latter). The wide low end of that spectrum is a fertile password-hunting ground for keyloggers. Right now, Filipino script kiddies steal passwords to play infantile pranks on newbies’ social network and game accounts. As a fourth of the population moves online next year with social media advertising and RMT on the rise, things could get serious. That’s why hotseating Filipino netizens should use this anti-keylogger trick.
For example the segment
www.hotmail.comsarahj7@hotmail.comsnoopy2
tells the logger that sarahj7@hotmail.com has password “snoopy2� at hotmail. By parsing the string for common domains such as hotmail, paypal, amazon, fidelity, the task is made even easier.
Between successive keys of the password we will enter random keys. In the spirit of chaffing and winnowing, the string that the keylogger receives will contain the password, but embedded in so much random junk that discovering it is infeasible. Observe that we are not exploiting a particular feature of any particular browser: this trick works with all versions of Internet Explorer, Netscape Navigator and Mozilla Firefox. We are exploiting the difficulty from the OS layer of determining how the GUI of an an application handles events. Here, then is the method:
Navigate to the login page desired;
Type in the userid;for (each pwd character){
Give focus to anywhere but the pwd field;
Type some random characters;
Give focus to the pwd field;
Type the next character of the pwd}
Submit;It involves typing random characters between successive characters of the password, and changing focus to and from the password field using the mouse. Instead of the password snoopy2 the keylogger now gets:
hotmail.comspqmlainsdgsosdgfsodgfdpuouuyhdg2
If you’re ever forced to enter a password at an unsecured public terminal (as millions of Filipinos are every day), limber up that mouse wrist and get ready to type lots of gibberish.
(Via Dan Cameron.)
|
Like This Post: Share This Post:  Tweet This Post Share on Facebook Stumble This Post Post to Reddit
|
Will not work if the person who installed the keylogger is using a more sophisticated keylogger application.
I saw a couple of freeware and shareware keylogger apps that can track everything.
The simplest of these apps, I was able to figure out the password typed in 30 mins after reading the log file. One good way is to simply duplicate the process as is written in the log file.
Now it is up to the person if s/he will be patient enough to decode the numerous random and not random clicks, tabs, typing, etc.
Simply, keyloggers will log where and when you clicked and/or tabbed where and when, even if you clicked on another browser window, or tabbed to another browser-tab. If you scroll, typed in notepad, typed in command line, run, etc.
^_^
Oh, basically, there is really no other way to be secured in a public terminal unless you can do a restore of the system from it’s very first state when it was first booted after a fresh reformat and installation.
That’s why I only trust a very few iCafes in the Metro Manila, and I don’t log in sensitive stuff at terminals that I can easily install and edit the startup system.
^_^
Actually, this is a good idea. Another method is to copy and paste some letters of the password from text on the screen, or from different applications.
No need to disclose your password to an Internet cafe: http://kyps.net