Cryptojacking 101


As an end user, cryptojacking (cryptocurrency mining at someone else’s expense) poses a problem: someone is consuming your computing power and profiting from it directly, without your knowledge or consent.

To the miner, at first glance, this seems like a victimless crime: it is a passive activity, the costs seem minimal, and the returns are hard-earned cryptocurrency to spend on the open, deep, and dark web.

However, mining this currency comes at a real cost to the cryptojacking victim: computational load (GPU and CPU usage), electricity (Source), and time.

Clever companies and individuals are looking for ways to leverage other individuals’ resources to mine cryptocurrency by embedding cryptomining scripts in websites serving up anything from webstores to video streams.

Let’s step through the mechanics, economy, and potential mechanisms to counter browser-based cryptojacking.

The Mechanics of Cryptojacking

Cryptojacking is simple:

  • a user navigates to a website or service controlled by the miner,
  • a Coinhive or similar client-side JavaScript miner is loaded,
  • the user’s system resources are used to mine cryptocurrency (Monero is the primary candidate for mining today via Coinhive),
  • the mined cryptocurrency is credited to the miner’s wallet.

Infographic: ENISA

This is a departure from malware-based miners, which get deployed via exploit kits, drive-by downloads, phishing campaigns, etc. (Source)

There is no exploitation, just passive mining in the background of your seemingly normal browsing. In Coinhive’s own words, “Monetize Your Business With Your Users’ CPU Power”.

However, browser-based cryptocurrency miners are significantly less efficient than native mining clients (Source).

The Economy of Cryptojacking

For cryptojacking to result in any meaningful gains for the miner, there are a few prerequisites: high-traffic sites, and users who sit on a site or service for a significant amount of time.

Deploying cryptojacking scripts on high-traffic websites does yield real returns, but traffic alone is not enough. For example, a high-traffic site like The Pirate Bay, with 315 million views per month, would only net around $12,000 per month from cryptojacking (Source). That is a site where users likely spend only a few minutes per visit (5 minutes, in Torrentfreak’s calculation).

However, sites where users spend a lengthier amount of time are prime candidates, since the mining script gets longer use of their CPU cycles. UFC fight streaming (Source) and primetime television streaming sites (Source) have been identified as running cryptojacking scripts.

This makes sense: users are likely to spend 30 minutes or even an hour or more watching content, and they will not notice their CPU usage spiking, since all they are doing is watching content rather than using their computer for other tasks.

The Darker Side of Cryptojacking

A few unusual cases of cryptojacking have also emerged, where security researchers have observed it in the wild in unexpected places.

Recent research has identified nearly 2,500 webstores with Coinhive injected into them (Source). This is likely due to WordPress and Magento exploits (Source) that allow a vulnerable site to be compromised and the Coinhive code inserted. Notably, the majority of the compromised sites were mining cryptocurrency on behalf of just two Coinhive users.

Browser extensions with 100,000+ installs have been compromised (Source).

In addition, a pizza chain’s website (Source) and even typosquatted domains have been found serving cryptojacking scripts (Source).

Countering Cryptojacking

Blocking cryptojacking boils down to only a few feasible options, as noted by Ars Technica:

“People who want to avoid these cryptojacking scams can use Malwarebytes or another antivirus program that blocks abusive pages, install this Chrome extension, or update their computer host file to block coinhive.com and other sites known to facilitate unauthorized mining.”

However, clever adversaries are using proxies and redirects to obfuscate their Coinhive traffic (Source), and are still able to cryptojack end users even where coinhive.com itself is blocked.
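As an added example that is not part of the original post (nor Authentic8 code), the JavaScript below contrasts the two static checks a blocker can run over a page’s HTML: a hostname blocklist, which is what a hosts-file entry for coinhive.com amounts to, and a check for the Coinhive client API in the page’s own inline script, which does not care where the library was served from. The three sample pages, the proxy hostname and the one-entry blocklist are constructed for this example; `new CoinHive.Anonymous('SITE_KEY', {throttle: ...})` is the shape of Coinhive’s documented embed snippet.

```javascript
// Added example, not code from the original post or from Authentic8.
// Two static checks for a Coinhive-style browser miner in a page's HTML:
//   1. a hostname blocklist, which is what a hosts-file entry for coinhive.com amounts to;
//   2. a content check for the Coinhive client API in inline script, which does not
//      depend on where the library was served from.
// All sample pages, hostnames and the blocklist below are constructed for this example.

const MINER_HOSTS = ['coinhive.com']; // a real blocklist would carry many more hosts

// Indicators of the Coinhive client itself. `new CoinHive.Anonymous(...)` with a
// `throttle` option is the shape of Coinhive's own embed snippet.
const MINER_CODE_PATTERNS = [
  /\bnew\s+CoinHive\.(Anonymous|User)\s*\(/,
  /coinhive\.min\.js/i,
];

// Pull every <script> out of the HTML, separating external sources from inline bodies.
function extractScripts(html) {
  const external = [];
  const inline = [];
  const tag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) external.push(src[1]);
    else if (m[2].trim()) inline.push(m[2]);
  }
  return { external, inline };
}

// Hostname of a script URL; relative URLs resolve against a placeholder page origin.
function hostOf(url) {
  try {
    return new URL(url, 'https://page.example/').hostname.toLowerCase();
  } catch (e) {
    return '';
  }
}

// Check 1: does any external script come from a blocklisted host (or a subdomain of one)?
function blocklistHits(html) {
  return extractScripts(html).external
    .map(hostOf)
    .filter((h) => MINER_HOSTS.some((b) => h === b || h.endsWith('.' + b)));
}

// Check 2: does the page's own script reference the Coinhive client API or library name?
function contentHits(html) {
  const { external, inline } = extractScripts(html);
  const hits = new Set();
  for (const code of inline) {
    for (const p of MINER_CODE_PATTERNS) if (p.test(code)) hits.add(p.source);
  }
  for (const url of external) {
    if (/coinhive\.min\.js/i.test(url)) hits.add('coinhive.min.js');
  }
  return [...hits];
}

// Run both checks and report which of them fired.
function scan(html) {
  const hosts = blocklistHits(html);
  const patterns = contentHits(html);
  return { blocklistHit: hosts.length > 0, contentHit: patterns.length > 0, hosts, patterns };
}

// Constructed sample pages: a direct embed, the same embed loaded through a proxy host
// (the library renamed and served from a domain no blocklist knows), and a clean page.
const SAMPLE_PAGES = {
  direct: `<html><body><h1>Stream</h1>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY', {throttle: 0.3}); miner.start();</script>
</body></html>`,
  proxied: `<html><body><h1>Stream</h1>
<script src="https://cdn.static-assets.example/js/analytics.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY', {throttle: 0.3});
  miner.start();
</script>
</body></html>`,
  clean: `<html><body><h1>Stream</h1>
<script src="https://cdn.player.example/player.js"></script>
<script>window.player = {autoplay: true};</script>
</body></html>`,
};

for (const [name, html] of Object.entries(SAMPLE_PAGES)) {
  console.log(name, scan(html));
}
```

The proxied page never touches coinhive.com, so the hostname check (and a hosts-file block) passes it, but the site owner pasted the embed snippet unchanged, so the content check still flags it. A loader that is obfuscated end to end evades both static checks; that is the gap that runtime CPU-usage heuristics or moving the browser off the endpoint are meant to close.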

An alternative is a remote browser. Authentic8 has built a remote browser solution, Silo, that provides access to the web through a browser running in a cloud-based virtual machine. This isolates the endpoint from arbitrary web code such as Coinhive’s JavaScript consuming your hardware and electricity, and from other threats such as drive-by downloads and exploit kits.

To learn more, contact our team.

This is a Security Bloggers Network syndicated blog post authored by Nicholas Espinoza. Read the original post at: Authentic8 Blog