The term ‘cryptojacking’ is an intriguing one, a blend formed out of two words: ‘cryptocurrency’ and ‘hijacking’. It is defined as the secret usage of your device for mining cryptocurrency. Hackers can hijack your device without your consent or knowledge and mine cryptocurrency for their own benefit. This practice of illicit crypto-mining has become the hot new way for cybercriminals to make money using another system’s hardware.
The malware is becoming increasingly common and works in the background while you use your web browser as usual. The only symptoms that may appear are an occasional slow performance of the system and high electricity bill. There will be no ransom notes, no data loss, no stolen passwords. The mining code might be running in your web browser right now while you read this article.
The Perfect Crime
A ‘perfect crime’ can be carried out when all it’s component pieces fall into place. The same happened in early 2017 when a hacker group released a large number of NSA created hacks into the wild. This flush release included EternalBlue, which made hacking into Microsoft Windows extremely simple.
On the other side, some cryptocurrency investors were not satisfied with the lack of anonymity of Bitcoin. Thus, Monero was developed. An alternate coin that is better at hiding the track of transactions and criminals love it.
The last piece in the wicked endeavor comes together with the fact that all blockchain based systems support the transaction processors which are known as miners. They receive a payment in cryptocurrency of their choice.
Thus, all components come together for a new strategy invented by the global hacker community to make money by illicitly mining Monero coins on unsuspecting computers around the world. And there is no way to track or confirm is your system is being used for this activity. There will be no stolen files or lost data, only a random slowness in performance.
Decoding the Threat
The most dangerous part of cryptojacking is that it is extremely easy and untraceable. It doesn’t require any kind of download, starts instantly and works efficiently. There are a few ways to go about it, but ultimately it functions on the idea of using unaware systems to mine cryptocurrency. Thanks to the in-browser miner, Coin Hive, implementing its ease-of-use has not lived up to its aims, rather the technique is being used negatively.
Crime is not far from where easy money can be made. The simplicity of illicit cryptomining has increased in popularity as it replaces ransomware as the attack vector of choice, especially now that cybersecurity vendors have developed applications for ransomware protection. Thus, to run a cryptocurrency miner on some CPU is comparatively an effortless task, rather than infecting it with ransomware and steal data.
The cryptojacking practice is evolving in sneaky and concerning ways. Since it is new, hackers are constantly working on innovative ideas to maximize their profit intake. The high processing demands of mining can do actual damage to the victim’s device.
Building a Botnet
A large number of compromised systems that work together as a tool for hackers are called ‘botnets’. But in this case, each system works independently, and the hacker has to install many systems as miners because each can generate only a small amount of revenue. In theory, many botnets that include millions of systems can generate $ 100 million dollars in a year. And this requires very minimal effort, and more importantly, very little chance of being detected.
Researchers at Proofpoint have traced families of botnets that exploit resources, the most damaging one being Smokin Ru. They predict these activities will continue, given the profits being made and the infrastructure of the botnet. It targets the Windows Management Infrastructure (WMI) using the NSA hack EternalBlue, mounts a phishing attack with an MS Word attachment, runs a Macro executing a Visual Basic script which will run an MS PowerShell code that works the miner.
WannaMine is another known worm that misuses WMI weaknesses. This is more sophisticated in nature, does not include any file download, and uses genuine software which makes it harder to track. Making things even more insidious, hackers can also sneak a mining code on unsuspecting websites and pilfer cryptocurrency off of the legitimate site’s traffic.
What can you do?
It is still doubtful to say whether the act of cryptojacking is illegal, but it is surely unethical. But how would you know if your system is being used?
Check the CPU utilization of your device. Users who are cryptojacked will see a drastic increase from a normal 14% to 95%. Also, their devices will be drained out of battery really fast or get heated with increased use.
Below are a few techniques that can be used to safeguard your device from malicious mining hackers.
ii. Use Chrome extensions that block mining activity. For example No Coin or MinerBlock.
iii. Use a specific script blocker which will block the mining script from running, like NoScript or uBlock.
iv. Move to a safer web browser, like Brave.
The best thing that should be done is spreading awareness and educating oneself about the problem. Only then appropriate action can be taken for prevention and control.
In the News
Various incidents have been reported around the world that the experts believe are instances of cryptojacking. Read a few below.
In early December 2017, the public WiFi of a Starbucks in Buenos Aires was found to be manipulated to mine Monero on devices of innocent shoppers.
A rogue staff at a European Bank earlier this year had set up a crypto mining system that left unusual traffic patterns on its servers and slowed the night time processes. The bank’s diagnostic tools did not discover anything, the setup was found after a physical inspection of the data centers.
Avast software reported that cryptojackers are using GitHub as a host. They created forked projects through legitimate ones and used a phishing scheme to lure people into downloading the malware in the name of a Flash update or the promise of a jackpot win.
A Chrome extension called Facexworm was found to be using Facebook Messenger to infect user systems by Trend Micro. It targeted cryptocurrency exchanges and could deliver cryptomining codes. It uses infected accounts to send out harmful links, can also steal credentials, and inject cryptojacking codes into web pages.
Future of Cryptojacking
The nature of this cyber attack may not seem that pressing initially, but its ability to fly under the radar is what makes it all the more dangerous. There will be a time when criminals will expand their reach using every system possible for mining activities, resulting in patches of computing infrastructure collapsing under the weight of multiple botnets trying to use their resources. Thus, every system will be indirectly responsible for the fortune of criminal enterprises across the globe.
This problem is so harmful, that all known security techniques may fail to stop it from the impending doom. The only solution is for the government to simply terminate cryptocurrency itself.