{"id":22944,"date":"2018-07-03T10:44:51","date_gmt":"2018-07-03T14:44:51","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=22944"},"modified":"2019-11-15T06:35:34","modified_gmt":"2019-11-15T11:35:34","slug":"preventing-dangerous-screenshots","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/preventing-dangerous-screenshots\/22944\/","title":{"rendered":"The mystery of the black square"},"content":{"rendered":"

Hi folks!<\/p>\n

Can you guess what this is? It\u2019s not a vandalized version of Malevich\u2019s Black Square<\/a>.<\/p>\n

That black box is \u2014 more or less \u2014 what a screenshot taken by a suspicious application on a computer protected by Kaspersky Lab products, for example, Kaspersky Total Security<\/a>, looks like. Why?<\/p>\n

Our products protect screenshots because cybercriminals \u2014 and other cyberlowlifes \u2014 are really<\/em> interested in getting access to user accounts. The reasons vary (money, espionage, Herostratic<\/a> delusions of grandeur, spying on spouses\/competitors\/enemies, etc.), and the intruders use different means, but the end they seek is always the same: access to user accounts.<\/p>\n

But, you may be wondering, why does malware want to take screenshots? Sites and software products substitute dots for the characters used in a password, so what\u2019s the point?<\/p>\n

Actually, there are plenty of ways to get around those dots.<\/p>\n

First, users often have the option to see the entered password (\u201cshow password\u201d or some such). Second, many services always<\/em> show the last few symbols of a password. Third, some services replace the password with dots only when the user proceeds to the next entry field.<\/p>\n

Fourth, some services do not use masking dots at all, instead making the font size of the password field tiny \u2014 the idea is to make the password illegible to someone close by (unfortunately, that\u2019s no deterrent to malware). Fifth, a variety of lifehacks<\/a> and tools (like pwdcrack) let baddies turn off password-masking dots. All in all, the likelihood that a password will be shown on a screen is far from zero, and malware easily exploits that fact.<\/p>\n

Incidentally, the likelihood of someone looking over your shoulder, or of security cameras taking a peek at your password, is negligible compared with the threat of it being read by malware using a screenshot.<\/p>\n

Probably the most well-known banking Trojan, Zeus \u2014 as well as many of its clones<\/a> \u2014 includes this function in its tool set. For example, one of those clones, named KINS<\/a>, conducts an attack that takes screenshots not just when keys are pressed, but also when the mouse is clicked. That is, even if a virtual keyboard is used on a banking website for entering passwords or one-time codes, the malware can still work out the entered symbols.<\/p>\n

It\u2019s not just passwords, though. How about bank card details entered when buying something online? What about the security questions you\u2019re asked for authentication or to recover access to a locked account? Personal information? Message contents? The list goes on and on.<\/p>\n\n

Indeed, the humble screenshot is a major gateway to our private information and secrets; as such, protecting the information a screenshot can provide to outsiders is critical. Using functions such as Safe Money<\/a> and Virtual Keyboard<\/a> help, of course, but not everyone uses them \u2014 even some who consider themselves security-conscious. And anyway regular cybersecurity functions cannot guarantee total protection when cybervillains still have screenshotting in their arsenal. But we\u2019re ready and waiting for them.<\/p>\n

Most of our products include a patented technology that guards the API<\/a> functions that allow applications to take screenshots. Thus, if an application is trying to take a screenshot, this is what happens:<\/p>\n