Tyler Moffitt, Senior Threat Research Analyst at Webroot
The benefits of cryptomining
Rise of ‘cryptojacking’
Cybercriminals have learned to take advantage of this mechanism: they compromise websites and plant mining scripts that pay into their own Monero wallets. Unlike ransomware, nothing is installed on the victim's machine; the miner is JavaScript that runs in the browser for as long as the page is open, and visitors are not told that their CPU has been recruited. They may notice slower browsing, but on newer machines the extra load can go unnoticed, so the mining continues for extended periods without detection and at very low risk to the criminal. Monero suits the scheme for two reasons: its proof-of-work algorithm was designed to run well on ordinary CPUs rather than specialised hardware, and its blockchain, while public, hides the sender, receiver and amount of each transaction, so the proceeds cannot be traced and can be quietly exchanged for Bitcoin. The practice is not without risk to equipment, however. Mobile devices that browse these sites can suffer physical damage from heat: CPUs can burn out and batteries can bulge, becoming unstable and dangerous.
The lurking insider threat
In addition to cybercriminals, CISOs need to be concerned about employees who may, without meaning to, pose a threat to the company. The financial gains associated with mining cryptocurrency have not escaped the imagination of tech-savvy employees, who may use company laptops to mine Monero in the workplace. This may earn the employee a few cents per day, but it costs the company significantly more in processing power, electricity and hardware wear. Those costs surface only as a higher energy bill, which makes the culprits difficult to identify. Such employees may have no malicious intent, but without education about the risks their actions can have real consequences for the business.
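A miner running on a company laptop has to talk to a mining pool, and that connection is what a network team can look for. The following is an added example (not code from the article or from Webroot) that reads outbound connection records from a firewall or flow collector and flags internal hosts that keep long-lived sessions to ports commonly used by stratum mining pools. The log line format, the port list and the time threshold are assumptions made for the example; the sample records are constructed, not real traffic.

```python
"""Heuristic detection of pool-mining traffic from workstations.

Added example, not from the original article. Parses constructed
connection records and flags hosts with sustained sessions to ports
commonly used by stratum mining pools. Format, ports and thresholds
are assumptions; tune them to your own environment.
"""
import re
from collections import defaultdict

# Ports commonly used by stratum mining pools (assumed starting list).
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}
# Mining sessions are long-lived and low-bandwidth; an hour of connect
# time to a pool port in one day is already suspicious for a workstation.
MIN_TOTAL_SECONDS = 3600

# Assumed key=value record layout, similar to many firewall exports.
LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+"
    r"proto=(?P<proto>\w+)\s+duration=(?P<duration>\d+)"
)


def parse_record(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"].lower(),
        "duration": int(m["duration"]),
    }


def find_mining_hosts(lines, ports=STRATUM_PORTS, min_seconds=MIN_TOTAL_SECONDS):
    """Sum connect time per source host on pool-style TCP ports and
    return {src: total_seconds} for hosts at or above the threshold."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in ports:
            continue
        totals[rec["src"]] += rec["duration"]
    return {src: secs for src, secs in totals.items() if secs >= min_seconds}


# Constructed sample records (not real traffic). 10.0.1.23 holds a
# pool-port session open for most of two hours; 10.0.1.40 makes one
# short connection to a pool-style port that should not trigger alone.
SAMPLE_LOG = """
2018-02-01T09:00:01 src=10.0.1.23 dst=203.0.113.7 dport=3333 proto=tcp duration=3599
2018-02-01T10:00:00 src=10.0.1.23 dst=203.0.113.7 dport=3333 proto=tcp duration=3600
2018-02-01T09:15:12 src=10.0.1.40 dst=203.0.113.9 dport=5555 proto=tcp duration=45
2018-02-01T09:16:00 src=10.0.1.40 dst=198.51.100.5 dport=443 proto=tcp duration=20
2018-02-01T09:17:00 src=10.0.1.52 dst=198.51.100.5 dport=80 proto=tcp duration=5
""".strip().splitlines()

if __name__ == "__main__":
    for host, secs in sorted(find_mining_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {secs} s connected to stratum-style ports")
```

Port-based matching is a coarse first pass: pools can listen on 443 and employees can use a proxy. Pair it with the other signal the paragraph describes, sustained CPU load on the endpoint, before confronting anyone.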
Education and blocking scripts are the best defence
The incentive for CoinHive to ensure that its script isn’t used by malicious actors is unfortunately low, since it takes 30% of the mining proceeds regardless of who deployed the script. As a safeguard, CoinHive has introduced an opt-in version of the miner, with the consent prompt hosted by CoinHive rather than the website owner, which will not mine until the visitor agrees. The original script remains available and needs no prompt, and cyber criminals have also found ways to suppress or bypass the opt-in, so a compromised site won’t necessarily ask visitors to accept terms or make them aware of the mining. On top of that, more surreptitious methods emerge every day to help ‘cryptojacking’ sites evade user detection, such as opening the miner in a pop-under window hidden beneath the task bar so that it keeps running after the visitor leaves the site.
The only way to stay one step ahead of ‘cryptojacking’ is a comprehensive, multipronged approach that combines intelligent technology with employee education. Web filtering software can block sites that load CoinHive scripts as well as CoinHive copycats such as the nearly identical Crypto-Loot service. Browser extensions help too: Adblock Plus accepts personalised filters, and for finer control extensions such as uMatrix let the user decide, per site, which scripts, iframes and ads are allowed to load. Technology alone isn’t a silver bullet, however: employees should be made aware of the ramifications of their actions and discouraged from mining on company equipment.
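Blocking by domain only works once you know which pages are carrying a miner. The following is an added example (not code from the article or from Webroot) of the content check a web filter or crawler can run on fetched HTML: it looks for the CoinHive and Crypto-Loot loaders the article names, records the site key passed to the CoinHive constructor (the key that decides which wallet is paid), distinguishes the opt-in loader from the silent one, and flags the off-screen `window.open()` pattern used to hide a mining pop-under under the task bar. The loader paths, the opt-in loader host and the pop-under heuristic are assumptions for the example, and the three pages it scans are constructed.

```python
"""Scan fetched page HTML for browser-miner loaders.

Added example, not from the original article. Simple regex signatures
(assumed for the example) for the miner loaders the article names, the
CoinHive constructor call, an opt-in loader variant and the hidden
pop-under trick. Real deployments obfuscate and proxy these, so treat
the list as a starting point rather than complete coverage.
"""
import re

# Script paths the article names as miner providers (assumed paths).
SILENT_LOADERS = [
    re.compile(r"coinhive\.com/lib/coinhive\.min\.js", re.I),
    re.compile(r"crypto-loot\.com/lib/", re.I),
]
# Assumed path of the opt-in loader, which prompts before mining.
OPTIN_LOADERS = [re.compile(r"authedmine\.com/lib/", re.I)]
# CoinHive constructor; group 3 is the site key that gets paid.
# Crypto-Loot's constructor name is not assumed here.
MINER_CTOR = re.compile(
    r"new\s+CoinHive\.(Anonymous|User)\(\s*(['\"])([^'\"]+)\2", re.I
)
# window.open() positioned relative to the screen height, i.e. a
# pop-under pushed below the visible desktop (heuristic only).
POPUNDER = re.compile(r"window\.open\([^)]*screen\.(height|availHeight)", re.I | re.S)


def scan_html(html):
    """Return the raw indicators found in one page's HTML."""
    return {
        "silent_loader": any(p.search(html) for p in SILENT_LOADERS),
        "optin_loader": any(p.search(html) for p in OPTIN_LOADERS),
        "site_keys": [m.group(3) for m in MINER_CTOR.finditer(html)],
        "hidden_popunder": bool(POPUNDER.search(html)),
    }


def verdict(findings):
    """Turn indicators into a filtering decision."""
    if findings["hidden_popunder"] or (findings["silent_loader"] and findings["site_keys"]):
        return "block"            # silent miner or deliberate concealment
    if findings["silent_loader"] or (findings["site_keys"] and not findings["optin_loader"]):
        return "review"           # loader or key present without clear consent flow
    if findings["optin_loader"]:
        return "consent-required" # mines only after the visitor agrees
    return "clean"


# Constructed pages (not real sites). The first is what a compromised
# site looks like: silent loader, a site key, and a pop-under placed
# below the screen so it survives the visitor closing the tab.
COMPROMISED_PAGE = """
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITEKEY_EXAMPLE', {throttle: 0.5});
  miner.start();
  window.open('/keepalive.html', 'w', 'width=100,height=100,top=' + (screen.height - 100));
</script>
"""
CONSENT_PAGE = """
<script src="https://authedmine.com/lib/authedmine.min.js"></script>
<script>var miner = new CoinHive.Anonymous("SITEKEY_EXAMPLE2"); miner.start();</script>
"""
CLEAN_PAGE = "<html><body><p>Nothing to see here.</p></body></html>"

if __name__ == "__main__":
    for name, page in [("compromised", COMPROMISED_PAGE), ("consent", CONSENT_PAGE), ("clean", CLEAN_PAGE)]:
        f = scan_html(page)
        print(f"{name}: {verdict(f)} keys={f['site_keys']}")
```

The site keys collected from blocked pages are worth keeping: the same key turning up across unrelated sites is a strong sign of one compromise campaign rather than site owners monetising their own traffic.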
Cybercriminals only become more innovative in their tactics, and businesses cannot afford to be caught off guard by emerging threats that may lurk in their own internal environment. ‘Cryptojacking’ appeals to cybercriminals because it is both lucrative and covert: its effects are usually recognised only in retrospect. Intelligent monitoring and blocking of websites (without interfering with the user experience), coupled with education, will keep companies vigilant against this type of emerging threat.