TMCnet Feature
June 18, 2018

Cryptojacking: UK Cyber Security Warns of PC Hijacking



Cryptojacking is the use of someone else’s CPU to mine cryptocurrency without their permission. This malicious practice has become increasingly rampant in Europe, Asia and the United States with the rise of cryptocurrencies like Bitcoin. According to an internet security threat report by Symantec in March 2018, cryptojacking attempts increased by more than 8000% in the last year. In fact, 55% of businesses worldwide suffered from cryptomining attacks last December alone.



The business of mining involves solving highly complex mathematical problems which require immense computational power. Usually, devices which produce the required power are available for sale and are widely used by cryptocurrency miners all over the world. However, hackers and cyber criminals instead use malware to plant cryptomining code on the computers of unsuspecting individuals.

According to a report released by the UK National Cyber Security Centre and National Crime Agency, “Cryptojacking will likely become a regular source of revenue for website owners.” Hackers are not the only ones who have taken up cryptojacking. Website owners often collaborate with hackers to use the computers of their visitors to mine cryptocurrency. This allows a cryptomining script to be implanted on their sites while they take as much as 70% of the profits from mining. Research conducted by Troy Mursch discovered that Coinhive, a cryptomining script, was running on about 400 Amazon-hosted websites. Adguard also found up to 33,000 sites, with a combined traffic of 1 billion monthly visitors, running these scripts.

Although their operations are mostly secretive, some websites inform their users of their mining intentions. One example is Salon, the publication which announced to its users that it would make up for lost ad revenue by mining cryptocurrency with their computers if they had ad-blockers installed on their browsers. It is a significant concern that hackers and website owners will continue to mine cryptocurrencies without permission, both intentionally and unintentionally. 

How does Cryptojacking Work?

Cryptocurrency like Bitcoin is produced when blocks are added to the blockchain. This process involves solving increasingly complex mathematical problems in the form of hash values and receiving a monetary reward for doing so. Unfortunately, the process requires a significant amount of computational processing power which can be expensive to get in legitimate ways. Usually, hackers who want to claim these rewards infect various computing devices with malware that runs code to solve the complex problems.

There are two main ways in which hackers gain access to victims’ computers. One way is by tricking unsuspecting individuals into clicking on a link, either on websites or via emails, that loads the cryptomining code onto their devices. The other way is by loading self-executing scripts in ads and websites so that when the ad pops up, the victim’s device becomes infected automatically. Hackers use both methods at the same time to maximize returns. The loaded script runs the code in the background and sends the results to the hacker’s server.

The Threat of Cryptojacking

The use of malware to perform cryptojacking is something that cybercriminals have done for a relatively long time. However, recently, they have begun to use new techniques to exploit website visitors. Some examples of these techniques are highlighted below:

  • Thousands of websites used a screen-reading plug-in meant for users who were visually impaired, to mine cryptocurrency on their computers in February 2018.
  • Implantation of a mining script in a forked GitHub directory, disguised as an application update for users to download.
  • The use of Facexworm, a cryptomining malware that affects cryptocurrency exchanges and spreads malicious links through Facebook Messenger.
  • Deployment of the Roaming Mantis malware, which uses DNS hijacking to run a Coinhive script on Android devices and redirects iOS devices to a phishing site.

In December 2017, at Bitcoin’s peak, more than half of all businesses around the world were affected by cryptominers. According to a report by the NCA, “Popular websites are likely to continue to be targets for compromise, serving cryptomining malware to visitors, and software is available that, when run in a web page, uses the visiting computer’s spare processing power to mine the digital currency, Monero”.

Initially, hackers resorted to deploying ransomware to users’ computers and demanding a ransom to remove it. However, they quickly discovered that cryptojacking was a far more lucrative endeavor. In fact, the monthly profit can be placed at about $150,000. Coinhive also made $300,000 in its first month of deployment, and a mining bot known as the Smominru cryptomining botnet raised up to $3.6 million. A hacker would typically only receive ransom money from about 3-5 out of 100 ransomware targets, but with cryptojacking, all 100 machines can mine cryptocurrency, leading to huge payouts.

Hackers use less popular cryptocurrencies like Monero because it is more difficult to trace the transactions back to them. Its mining algorithm can also run well on various consumer devices. Although victims do not typically lose money to cryptojacking, the slow processing speeds that their computers incur as a result can greatly hinder productivity, especially in corporations. There is also an existing threat of the malware author updating it at any point into a banking malware that steals online banking credentials.

Signs and Preventative Steps

Cryptojacking can be difficult to detect because miners try to be secretive and unobtrusive so that their operations can go undetected for as long as possible. Cryptomining malware is usually run in the background, invisible to the user. Sometimes, the script runs in browser extensions without getting logged on the computer, making it hard to run successful system diagnostics.

Signs of Cryptojacking

  • The most prominent sign of cryptojacking is the slower performance experienced by a computer’s user. Websites also take longer to load than usual.
  • Cryptojacking is often accompanied by a sudden jump in the CPU usage of the infected computer. Hackers usually carry out mining operations at night when performance spikes may go unnoticed.
  • A sudden increase within an organization in help-desk calls and repair costs related to slower computer performance and system overheating.
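
As an added example (not part of the original article), the CPU sign above can be turned into a simple check over endpoint telemetry: flag any host whose CPU stays pinned for a sustained period outside working hours. The thresholds, the off-hours window and the host names are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Assumed thresholds for this example; tune them against your own baseline.
CPU_THRESHOLD = 85.0                   # percent utilisation counted as "high"
MIN_DURATION = timedelta(minutes=30)   # how long the load must persist
OFF_HOURS = (22, 6)                    # 22:00-06:00 local time


def is_off_hours(ts):
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end


def sustained_off_hours_load(samples):
    """Return (host, start, end) for each long run of high CPU at night.

    samples: iterable of (host, datetime, cpu_percent), time-ordered per host.
    """
    findings = []
    run_start = {}   # host -> timestamp where the current high run began
    last_seen = {}   # host -> last timestamp still inside that run

    def close(host):
        start = run_start.pop(host, None)
        if start is not None and last_seen[host] - start >= MIN_DURATION:
            findings.append((host, start, last_seen[host]))

    for host, ts, cpu in samples:
        if cpu >= CPU_THRESHOLD and is_off_hours(ts):
            run_start.setdefault(host, ts)
            last_seen[host] = ts
        else:
            close(host)          # the run (if any) ended with this sample
    for host in list(run_start):
        close(host)              # runs still open when the data ends
    return findings


def constructed_samples():
    # Constructed telemetry: one sample every 10 minutes starting at 01:00.
    t0 = datetime(2018, 6, 18, 1, 0)
    rows = []
    for i in range(6):
        ts = t0 + timedelta(minutes=10 * i)
        rows.append(("ws-017", ts, 97.0))                     # pinned all hour
        rows.append(("ws-042", ts, 95.0 if i == 2 else 8.0))  # one brief spike
    return rows
```

A single short spike, or heavy load during the working day, is not reported; only the host that stays above the threshold for at least 30 minutes at night is.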

Preventative Action

  • Use anti-virus software or ad-blockers that are specifically designed to detect cryptojacking.
  • Implement Remote Browser Isolation (RBI) technology which uses a virtual browser. The virtual browser works by carrying out all operations in containers which are discarded after each session. This ensures that malware doesn’t reach a user’s computer and is discarded along with the container instead.
  • Train organizational staff to recognize phishing emails and sites with suspicious ads.
  • Run regular checks on computers, specifically for mining scripts.
  • Maintain browser extensions to prevent hackers from infecting them.
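
One way to run the regular check for mining scripts on pages you own or proxy, shown as an added example that is not part of the original article. It looks only inside `<script>` tags for indicators of Coinhive, the miner named above; the pattern list and both sample pages are constructed for this example and are not exhaustive.

```python
import re
from html.parser import HTMLParser

# Indicators for Coinhive, the miner named in the article. Assumed for this
# example and not exhaustive; extend the list from a maintained blocklist.
MINER_PATTERNS = [
    re.compile(r"coinhive(\.min)?\.js", re.I),   # library file name
    re.compile(r"\bcoin-?hive\.com\b", re.I),    # hosting domains
    re.compile(r"\bnew\s+CoinHive\.\w+"),        # miner object being created
]

# Constructed sample pages.
INFECTED_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER"); m.start();</script>
</head><body>news</body></html>"""
CLEAN_PAGE = '<html><script src="/static/app.js"></script><p>coinhive article</p></html>'

class ScriptCollector(HTMLParser):
    """Collect every <script src=...> URL and every inline script body."""
    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)

def find_miner_scripts(html):
    """Return sorted (kind, matched_text) hits found in the page's scripts."""
    collector = ScriptCollector()
    collector.feed(html)
    hits = set()
    for kind, items in (("src", collector.sources), ("inline", collector.inline)):
        for item in items:
            for pattern in MINER_PATTERNS:
                hits.update((kind, m.group(0)) for m in pattern.finditer(item))
    return sorted(hits)
```

Because only script sources and bodies are inspected, a page that merely writes about Coinhive in its text, like `CLEAN_PAGE`, produces no hits.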

Final Thoughts

Cryptojacking continues to rise as a threat to consumers in the U.K. and the world in general, as can be seen in activity from the U.S., Japan, Germany and even Russia. Victims of these attacks usually have no incentive to take action against the perpetrators because none of their information is currently being stolen. However, exposure to this type of malware leaves room for later modification of the malware to steal data like banking details. It’s crucial that users look for the signs of these attacks and take relevant action to protect themselves.


