What is Cryptojacking?

Cryptocurrencies have taken the world by storm in the past few years, making it hard to miss all the buzz around Bitcoin and blockchain technology. While cryptocurrencies are far from new to cybercriminals, cryptojacking opens up new ways for attackers to easily monetize compromised websites without the need to distribute malware.

For the uninitiated, cryptocurrencies are obtained either by exchange or by mining. Mining cryptocurrency is the process by which transactions are verified and added to the public ledger called a blockchain. Since the mining process involves computationally intensive operations, the miner who solves the puzzle first reaps a reward.

Of course, it’s nothing new for malware to mine cryptocurrency en masse (benefitting the cybercriminals, not the malware victims). However, the capabilities and speed of modern browsers have enabled attackers to simply place scripts that mine cryptocurrencies on as many websites as possible, and reap the rewards of the CPU cycles of the compromised websites’ visitors.

Cybercriminals do not even need to pull off advanced attacks, since cryptojacking turns even the most trivial cross-site scripting (XSS) vulnerabilities (especially stored XSS) into a very effective monetization opportunity, especially on high-traffic sites. Moreover, cybercriminals are smart to mine the Monero cryptocurrency instead of Bitcoin or other cryptocurrencies. This is because Monero, unlike most other cryptocurrencies, is memory-bound rather than CPU-bound. This means that, in contrast to other cryptocurrency mining, which typically requires specialized hardware to obtain good results, Monero mining can produce relatively good results on regular hardware.

While cryptojacking is not likely to make cybercriminals rich when attacking a handful of websites, with widespread vulnerabilities in WordPress, Drupal and Joomla! plugins, cryptojacking certainly gives cybercriminals reason to try cryptocurrency mining at scale using nothing but a victim’s browser.
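A site owner can spot a script injected in the way described above by comparing the scripts a page actually serves with the ones they approved. The following is an added example, not code from the original post; the allowlisted hosts, the `miner.invalid` domain, and the `initMenu` and `startMining` names are constructed for illustration.

```javascript
const crypto = require('crypto');

function sha256(text) {
  return crypto.createHash('sha256').update(text, 'utf8').digest('base64');
}

// Assumption: the hosts and inline snippets the site owner has approved.
const ALLOWED_HOSTS = new Set(['www.example.com', 'cdn.example.com']);
const ALLOWED_INLINE_SHA256 = new Set([sha256('initMenu();')]);

// Constructed sample page: two approved scripts plus two injected ones,
// as a stored XSS flaw in a comment field might leave behind.
const SAMPLE_HTML = `
<html><body>
<script src="/js/app.js"></script>
<script>initMenu();</script>
<p>Great post!<script src="https://miner.invalid/m.js"></script></p>
<script>startMining({threads: 4});</script>
</body></html>`;

// Return one finding per <script> element that is not on the allowlists.
function auditScripts(html, pageUrl) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (src) {
      const raw = src[1] ?? src[2] ?? src[3];
      let host = null;
      try { host = new URL(raw, pageUrl).hostname; } catch { /* unparsable URL */ }
      // Relative URLs resolve to the page's own host; anything else must be listed.
      if (host === null || !ALLOWED_HOSTS.has(host)) {
        findings.push({ kind: 'external', detail: raw });
      }
    } else {
      const text = body.trim();
      if (text !== '' && !ALLOWED_INLINE_SHA256.has(sha256(text))) {
        findings.push({ kind: 'inline', detail: text.slice(0, 60) });
      }
    }
  }
  return findings;
}

console.log(auditScripts(SAMPLE_HTML, 'https://www.example.com/blog/post'));
```

The regular expression is enough for an audit of server-rendered HTML; scripts added to the DOM at runtime need a check inside the browser instead.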

*** This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by acunetix. Read the original post at: http://feedproxy.google.com/~r/acunetixwebapplicationsecurityblog/~3/R7dxH3RvT0c/
