Avatar

Your internet connection is slower than usual, your PC is also very slow, and you notice that your CPU fan is running faster when you are on a given website.

All the above symptoms indicate that you could be a victim of cryptojacking. This is a new kind of menace in which malicious users or the hosts of a given website try to capture the visitor’s computer CPU cycles to mine cryptocurrency like Bitcoin or Monero.

Cryptocurrencies are generally reliant on users “mining” – or dedicating CPU resources to solving a complex algorithm – to create new units. In effect, time and CPU resources are used to generate money.

What makes this attack stealthy and nasty is the fact that for the most part the end user is not even aware that this is happening to him. The websites make money at the expense of the user’s computing power. Ideally, it could be termed “theft of computing resources.”

The concept of “end-user” consent is not enforced which raises serious ethical concerns on this issue.

In addition to ignoring end-user consent, cryptojacking can cause wear and tear on their machine, potentially effecting the machine’s lifespan and performance. In an enterprise environment, this could equate to significant costs if large numbers of its machines fell victim to cryptojacking.

An overview of how this attack works

The malicious user plants a JavaScript on the web browser that uses up the CPU cycles to mine cryptocurrencies. The malicious user can start the process of mining and make free money!!!!

One legitimate script miner states that a website that gets a million visitors in a month may earn up to an average of $116 worth of Monero.

The diagram below illustrates how one threat actor can use a few lines of JavaScript code to hijack a multitude of innocent users’ computation power to make money mining cryptocurrency.

Some of the legitimate script miners have received negative press because they didn’t provide an opt-in or opt-out option to the visitors of web sites that run their mining technologies. Of greater concern, malicious actors have copied and injected the JavaScript into popular websites to take advantage of the sites’ large userbases. While one of the legitimate miners eventually stated that they would ensure that users are notified that their computers were being used to mine cryptocurrency, it still casts a doubt on the efficacy of this approach.

Some reasons as to why this is unethical and dangerous:

  • Cryptojacking is not only a threat but a theft when no opt-in/opt-out mechanism is provided to the user. Note that even with an opt-in approach, potential issues, such as computer wear and tear, cannot be ruled out
  • Gaining access to a user’s resources without his consent is deemed illegal in many regions including European Union. This would call for data protection and privacy laws to be revisited
  • If a user visits multiple sites with this kind of injected script and opens them in multiple tabs, then his system resources can be exhausted
  • The visitor’s computer’s performance may degrade over time as system resources are reallocated to mining processes

How to protect the systems

Some ways to protect your systems:

  • Use the Task Manager (Windows) or Activity Monitor (Mac OS X) utilities to monitor for sudden spikes in resource usage when visiting a given website. Such behavior could indicate that you are affected by cryptojacking by that site
  • Disable JavaScript in the browser
  • Browser extensions like “No Coin” are available on Google Chrome and Firefox

Threats like these indicate the need to be proactive in educating the users of the system to secure their browsers. The add-ons, themselves, could be used to deliver potential malware, modify the web page content, perform file execution, etc.

This calls for a greater diligence in sharing the do’s and don’ts with the users of the systems, having a best practice checklist, refined security testing strategy to detect these kind of stealthy issues, identifying vulnerabilities in the front-end code which can be exploited to make this attack even worse, and staying up to date with the security documentation of UI technologies like Angular JS, Java-script etc.

List of References

http://mynewsfit.com/what-cryptojacking-how-hacker-using-your-computer-and-mobile-phone-to-make-huge-amount-of-money/

https://www.wired.com/story/cryptojacking-cryptocurrency-mining-browser/

https://steemit.com/crypto/@fknmayhem/cryptojacking-the-new-advertising-alternative-for-ruthless-webmasters

https://www.theregister.co.uk/2017/10/10/cryptojacking/

https://www.pcrisk.com/internet-threat-news/11713-coinhive-innovative-but-abused



Authors

Harini Pasupuleti

Engineer

Security Engineering Organization