Cryptocurrencies such as Bitcoin have been the focus of acute attention recently. Just about everybody knows someone or has heard of someone making windfall profits from 2017’s spectacular price rises in Bitcoin and other cryptocurrencies. The sector has also not escaped attention from cybercriminals with incidents of cryptojacking rapidly escalating. Higher cryptocurrency prices increase the returns from coin mining, making cryptojacking an attractive target of cybercrime. IBM reported a 6-fold increase in cyptocurrency mining attacks between Jan-Aug 2017, and Wandera found a 287% increase on mobile devices between October and November 2017.
Cryptojacking is the hijacking of computer processing resources to mine cryptocurrency. Some cryptocurrencies, such as Monero, Zcash and Etherium, are easily mined with the typical resources of an average user – a PC or phone – as they support in-browser mining. Coinhive is legitimate software used for such mining – a tutorial for setting it up is here. This week, Kodak launched their cryptocurrency mining service at CES, utilising bespoke hardware.
Using a mobile phone or a conventional PC, especially through a browser, is not a very efficient way to mine cryptocurrencies. Serious crypto mining organisations utilise custom-made hardware with fast graphics cards for the intensive processing required. However, when criminals surreptitiously use large numbers of other people’s hardware at no cost to themselves, processing efficiency is not the most important criteria. Zero processing cost is more important to the criminal. Each hijacked phone or PC is used to perform only a small portion of the processing required for crypto mining, and by combining large numbers of hijacked devices, coins can be mined successfully, and eventually converted into cash.
It is when crypto mining is performed silently without the knowledge of the hardware owner, that it is a problem. Crypto mining consumes CPU cycles and slows down processing. It also consumes electricity and generates heat. The worldwide mining of Bitcoin for example, is said to consume as much energy as the whole of Ireland. Android-based cryptojacking code has been found to be so resource-intense that it can cause the device to overheat and the battery to bulge.
Cryptojacking is often carried out as a “drive-by”, when an unsuspecting user visits a webpage which covertly runs coin mining JavaScript in the background. Ad blocking company, Adguard, identified 220 websites carrying out drive-by cryptojacking, and claim that over 500m visitors to these sites have become victims. Examples include video streaming sites such as Openload, Streamango, Rapidvideo, and OnlineVideoConverter. CBS’s Showtime has also been found with drive-by cryptojacking script.
The more sophisticated drive-by cryptojacking scripts generate a hidden pop-under browser window in order to keep the scripts running in the background even after the user has navigated away from the page.
In addition to drive-by scripts, cryptojacking code can also be imbedded into browser extensions. Popular Chrome extension, Archive Poster, a Tumblr reposting tool, carried out clandestine cryptojacking attacks. The extension has over 100,000 users.
Cryptojacking code can also be part of malware installed on the target device. An example is a variant of the ELF Linux/Mirai malware. Infected devices make up the Mirai botnet, each performing a small portion of the cryptocurrency mining calculations. Kaspersky estimate that a botnet of 4,000 PCs can generate $30,000 per month through coin mining.
Public Wi-Fi is a channel through which devices can become infected with cyyptocurrency mining code. CoffeeMiner is a proof of concept which injects scripts into the browsing sessions of users connected to the public Wi-Fi point, and performs cryptojacking.
Some researchers claim evidence of North Korea engaging in cryptocurrency mining attacks – such as this one which mines Monero. The code attempts to send mined coins to Pyongyang. However my view is that a North Korean involvement is far from convincing, and it is more likely to be a smokescreen to mislead security researchers. My viewpoint on North Korea is that their society is not one which would produce great cyber hacking skills, and most warnings about a North Korean cyber threat are greatly exaggerated.
Despite dire predictions from Warren Buffett and others, many expect cryptocurrency prices to continue to rise (with wild fluctuations) during 2018. This will ensure that cryptojacking remains on the rise for the foreseeable future. Just as water finds the shortest route downhill, so too will cyber criminals seek out and exploit opportunities – you can count on it.
Leave a Reply