Keylogging data vampire pleads guilty to bleeding two companies

A New Jersey man has confessed to creeping into businesses where he had no business going, planting keyloggers, and ripping off data from two companies working on hot new technologies.

The Department of Justice (DOJ) didn’t name the victimized companies – one’s headquartered in New York and the other’s in Texas, both with additional offices in New Jersey – nor what the “emerging technologies” are.

What it did say in its announcement: Ankur Agarwal, 45, of Montville, New Jersey, pleaded guilty in Newark federal court on Tuesday to two counts of obtaining information from computers and one count of aggravated identity theft.

First bite

According to court documents, it all started in June 2016, when Agarwal trespassed into Company Two’s New Jersey branch. He had somehow (fraudulently) gotten his hands on an access badge that enabled him to keep coming on in.

He installed a hardware keylogger, which he later came back to grab.

What Agarwal was after was logins, in order to get at valuable intellectual property. For starters, he got employee usernames and passwords. He also snuck his own computer and hard drive onto the company’s computer network.

This enabled him to install malware that does the same thing as the hardware keyloggers, or what’s called a digital keylogger. Whether they’re hardware or software, both tools give crooks a way to track everything that people type on compromised systems.

Then, using the stolen logins, Agarwal got into the company’s network and went after data from various employees, including the ones working on that hot new technology, and he ripped off what he could find. He also created and planted malware to transfer all that data back to himself. He also granted himself remote access, so he could get into the company’s network without needing to run the risk of physically popping in again.

On to a new neck

Agarwal used the same modus operandi on Company One: he snuck in to a New Jersey branch; plugged in hardware keyloggers; installed his own computer and a hard drive; and stole, transferred, and exfiltrated Company One’s data and information, including the hot new technology that it was developing.

This exfiltration went on from March 2017 to September 2017. Then, for a few months starting in January 2018, his sights were on two key targets: he went after, and got, access to computers used by Company One’s chief network engineer officer and by a network engineer.

Things started to unravel in April 2018, when the company’s network security team spotted the network intrusion and launched an investigation. An investigation that, given his keyloggers, Agarwal watched unfold.

He’s looking at two counts of obtaining information from protected computers, which carry a maximum potential penalty of five years in prison. He’s also facing one federal count of aggravated identity theft, which entails a mandatory term of two years in prison, which must run consecutively to whatever other jail time he gets. All three charges are punishable by a fine of $250,000, or twice the gross gain or loss from the offense.

Maximum sentences are rarely handed out. Argawal will be sentenced on 28 January.

Use antivirus – and your eyeballs!

Keyloggers are notoriously hard to detect unless the (innocent-looking, if visible at all) hardware versions are spotted. That makes them a common tool for everything from snooping on spouses to bank heists to multiple instances of kids hacking their grades and/or getting their hands on exams and test questions in advance.

Hardware keyloggers are literally child’s play to plug in. They’re cheap, they’re easy, and they’re often undetected at the typical targets – schools, universities, libraries – that all too often have paltry budgets for equipment, software and skilled administrators.

How do you protect against keyloggers? As far as the software versions are concerned, use reputable antivirus software to keep them out.

But as far as the hardware versions go, there’s no way for an operating system to detect such devices, which are plugged inline between a computer and a keyboard. Some of them are visible if you look at your USB or PS/2 port, though, which makes it worth asking: Does your workplace have a policy of regularly looking for the hardware versions of keyloggers?

Keyloggers aren’t the only mystery hardware you have to watch out for either, as Mark Stockley reveals in this week’s Naked Security podcast. Mark’s story about a mystery black box starts at [17′:19″].

Listen below, or wherever you get your podcasts – just search for Naked Security.


Click-and-drag on the soundwaves below to skip to any point in the podcast.