What Is Cryptojacking? How to Protect Yourself Against Crypto Mining Malware


Cryptojacking is a malicious action in which an infected device is used for hidden cryptocurrency mining. The attacker uses the processing power and bandwidth of the “victim”, i.e. your PC, in most cases without your knowledge or consent. Typically, the crypto-mining malware responsible for such actions is designed to use just enough system resources to remain undetected for as long as possible. Because cryptocurrency mining requires a lot of processing power, attackers try to infiltrate as many devices as possible at once. In this way they can gather enough computing resources to perform a low-risk, low-cost form of mining.

Earlier versions of mining malware depended directly on the victim clicking a malicious link or email attachment and accidentally infecting their own system with a hidden crypto-miner. However, more sophisticated versions of this malware have been developed over the past few years, taking cryptojacking to the next level. Currently, most of it works through scripts embedded in websites. This approach is known as network-based cryptojacking.

Network cryptojacking

Network cryptojacking (also known as drive-by crypto-mining) is the most common form of crypto-mining malware. Typically, this malicious action is performed using scripts running on a website, which make the victim’s browser mine cryptocurrency automatically while the page is open. Such network miners are secretly embedded in a wide variety of websites, regardless of popularity or category. In most cases the currency mined is Monero, because its mining process does not require the enormous resources and computing power that, for example, Bitcoin mining does. In addition, Monero provides a higher level of privacy and anonymity, which makes it much more difficult to track transactions.

Unlike ransomware, crypto-mining malware rarely compromises a computer or the data stored on it. The most noticeable effect of cryptojacking is reduced CPU performance (usually noticed through increased fan noise). But for enterprises and large organizations, reduced CPU performance can make their operations more difficult, resulting in significant losses and missed opportunities.

CoinHive

Online cryptojacking was first observed in September 2017, when a crypto-miner called CoinHive was officially unveiled to the public. CoinHive is a JavaScript crypto-miner that was allegedly created with a noble goal: to allow website owners to monetize their freely available content without relying on intrusive advertising.

CoinHive is compatible with all major browsers and is relatively easy to use. Its creators keep 30% of all cryptocurrency mined through their code; cryptographic keys then determine which account receives the remaining 70%.

Although CoinHive was initially presented as an interesting tool, it soon drew a lot of criticism because attackers began embedding it in compromised websites to mine without the owners’ knowledge or permission.

In the few cases where CoinHive is intentionally deployed for legitimate purposes, the cryptojacking JavaScript is configured as an opt-in version called AuthedMine, a modified version of CoinHive that starts mining only after the visitor’s consent has been obtained.

The rapid rise and fall of cryptojacking may be related to the work of cybersecurity companies, as many mining scripts are now blacklisted and quickly detected by most anti-virus programs. Moreover, recent analyses suggest that network cryptojacking is not as lucrative as it first appears.

Examples of Cryptojacking

In December 2017, customers reported that CoinHive code had been quietly injected into the Wi-Fi network at several Starbucks stores in Buenos Aires. The script mined Monero using the processing power of any device connected to the network.

In early 2018, CoinHive was found mining through YouTube ads served via Google’s DoubleClick platform.

In July and August 2018, cryptojacking attacks infected more than 200,000 MikroTik routers in Brazil, injecting CoinHive code into a huge volume of web traffic.

How to detect and prevent cryptojacking attacks?

If your processor is busier than usual and its fans are running loudly for no apparent reason, your device may well be being used for cryptojacking. It is important to find out whether your computer itself is infected or whether the cryptojacking is happening in your browser. While online cryptojacking is relatively easy to detect and stop, mining malware that targets computer systems and networks is not always easy to detect, because it is usually designed to hide or disguise itself so that it appears legitimate.

There are browser extensions that can effectively prevent most network cryptojacking attacks. Besides being limited to network miners, however, these countermeasures are usually based on a static blacklist, which can quickly go stale as new mining scripts are deployed. Therefore it is also recommended to keep the operating system up to date, along with the anti-virus software.
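To make the blacklist limitation concrete, here is an added example (not code from the article or from any of the extensions it names) of a MinerBlock-style page check: a static blocklist of miner script hosts combined with a behavioural heuristic for the traits in-browser miners tend to share. The hostnames in the list and the sample pages are constructed for illustration.

```javascript
// Added example: static blocklist plus behavioural heuristic, in the style of
// a browser-extension blocker. The blocklist alone misses a miner that is
// simply served from a host it has never seen; the heuristic still flags it.

// Illustrative blocklist (assumed hostnames; a real list is much longer).
const MINER_HOSTS = ["coinhive.com", "authedmine.com"];

// Traits in-browser miners tend to combine: a background worker, a
// WebAssembly hashing core and a persistent WebSocket to a pool proxy.
const TRAITS = [
  { name: "worker", re: /new\s+Worker\s*\(/ },
  { name: "wasm", re: /WebAssembly\.(instantiate|compile|Module)\b/ },
  { name: "websocket", re: /new\s+WebSocket\s*\(\s*["']wss?:\/\//i },
];

// Hostnames of every external <script src="..."> in the page.
function scriptHosts(html) {
  const hosts = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (let m; (m = re.exec(html)) !== null;) {
    try { hosts.push(new URL(m[1], "https://page.invalid/").hostname); }
    catch (e) { /* unparsable URL: ignore */ }
  }
  return hosts;
}

// Concatenated bodies of all inline <script> blocks.
function inlineCode(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let code = "";
  for (let m; (m = re.exec(html)) !== null;) code += m[1] + "\n";
  return code;
}

function inspectPage(html) {
  const blocklisted = scriptHosts(html).filter(h =>
    MINER_HOSTS.some(b => h === b || h.endsWith("." + b)));
  const code = inlineCode(html);
  const traits = TRAITS.filter(t => t.re.test(code)).map(t => t.name);
  const verdict = blocklisted.length ? "blocked-by-list"
    : traits.length === TRAITS.length ? "suspicious-behaviour" : "clean";
  return { blocklisted, traits, verdict };
}

// Constructed sample pages (not real sites).
const LISTED_MINER = '<script src="//coinhive.com/lib/miner.js"></script>';
const SELFHOSTED_MINER = '<script>const w=new Worker("h.js");WebAssembly.instantiate(buf);' +
  'const s=new WebSocket("wss://pool.example/proxy");</script>';
const CLEAN = '<script src="https://cdn.example/app.js"></script><script>console.log(1)</script>';
```

Running `inspectPage` over the three samples shows the list catching only the first page, while the self-hosted copy is caught by its behaviour alone.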

When it comes to businesses and larger organizations, it is important to inform and educate employees about cryptojacking and phishing techniques such as scam emails and phishing sites.

Bottom line:

Pay attention to your device’s performance and processor activity;

Install web browser extensions such as MinerBlock, NoCoin, and Adblocker;

Be careful with emails and links;

Install a reliable antivirus and keep your software and operating system up to date;

For business: educate your employees about cryptojacking and phishing.