Tyler Moffitt, Senior Threat Research Analyst at Webroot
Last year saw an unprecedented rise in the popularity of cryptocurrency, as the value of the currency soared across the market. In September 2017, CoinHive debuted JavaScript code to mine the cryptocurrency Monero, as an alternative means for website owners to generate revenue without using ads. Visitors to the site would opt into mining Monero using the power of their CPU. However, cybercriminals keen to monetise the trend have also recognised the potential rewards associated with cryptomining. As a result we have seen an increase in ‘cryptojacking’, where the victim’s CPU power is used to mine cryptocurrency from hijacked websites. In the last eight months, more than 5,000 websites have been compromised to mine Monero through CoinHive. In sharp contrast to more familiar threats like ransomware, ‘cryptojacking’ offers a low-risk, anonymous and profitable alternative attack vector in which users are not even aware they have been attacked.
The benefits of cryptomining
Legitimate cryptomining is not considered dangerous as it does not pose a direct threat to files. To be profitable and efficient, specialised computers with enough processing power are utilised. Website owners who implement CoinHive’s JavaScript code to mine will generate income whenever users visit their sites. For websites with high traffic, the amounts generated can add up fast and be used to pay for server costs. However, this money doesn’t come out of thin air. Users will still be paying for it through CPU usage, and the costs are reflected in their energy bills. These amounts tend to be very low due to the inefficiencies associated with cryptomining on a consumer computer, so the overall cost to each consumer tends to be negligible.
Rise of ‘cryptojacking’
Cybercriminals have learned to take advantage of this mechanism and will hijack websites to host scripts that pay into their own Monero wallets. Unlike ransomware attacks, there is no malware delivered, and users are unaware that their machines have been recruited to mine when they visit the website. They may experience slower browsing speeds, but on newer machines this may go unnoticed. This ignorance allows the practice to go on for extended periods of time without detection and offers very low risk to the criminal. Monero is the currency of choice because it has the best mining performance on home user CPUs. It also has a private blockchain ledger that prevents tracking of transactions, providing anonymity; the mined Monero can then be traded for Bitcoin. However, the practice is not without risk to equipment. Mobile devices that browse these sites can suffer physical damage due to heat: CPU chips can burn out, and batteries can bulge and become unstable and dangerous.
The lurking insider threat
In addition to cybercriminals, CISOs need to be concerned about employees who may inadvertently pose a threat to the company. The financial gains associated with mining cryptocurrency have not escaped the imagination of tech savvy employees, who may use company laptops to mine Monero in the workplace. This may generate a few cents per day for the employee, but cost the company significantly more in terms of processing power. These costs are then reflected in increased energy bills and it can be difficult to identify the culprits. Employees may not have malicious intentions, but due to lack of education and understanding of the risks, their actions can have negative consequences for the business.
Education and blocking scripts are the best defence
The incentive for CoinHive to ensure that their scripts aren’t being used by malicious actors is unfortunately quite low, as they receive 30% of the mining profits regardless. As a means of safeguarding the practice, they have implemented ‘mandatory’ opt-ins (hosted by CoinHive rather than the website owner), without which the miner is unable to act. However, cybercriminals seem to have found methods to suppress or circumvent the opt-in, so compromised sites won’t necessarily prompt visitors to accept terms or make them aware. In addition, more surreptitious methods are emerging every day that allow ‘cryptojacking’ sites to evade user detection, such as hiding pop-up windows under task bars.
The only way to stay one step ahead of ‘cryptojacking’ is by implementing a comprehensive and multipronged approach which combines intelligent technology layered with employee education. Software can be used to block sites which run CoinHive scripts as well as any CoinHive copycats, such as the nearly identical Crypto-Loot service. In addition, web browser extensions such as Adblock Plus, which support personalised filters, can be used. For more advanced control, extensions like uMatrix offer more flexibility over which scripts, iframes and ads to block. However, technology itself isn’t a silver bullet: employees should be made aware of the ramifications of their actions and be discouraged from practicing cryptomining.
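To make the blocking advice above concrete, here is an added example (not code from the article or from Webroot) of a small defensive scanner: it parses a fetched HTML page, flags script tags that load from known in-browser miner domains or that call the CoinHive JavaScript API, and emits the matching Adblock Plus personalised-filter and uMatrix rule lines. The miner domain list, the `coinhive.min.js` path and the site key in the sample page are assumptions constructed for the example; a real deployment would feed the domain list from a maintained blocklist.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains assumed for the example to have served in-browser Monero miners
# (CoinHive and the Crypto-Loot copycat named in the article). Extend from a
# maintained blocklist in a real deployment.
MINER_DOMAINS = {"coinhive.com", "coin-hive.com", "crypto-loot.com"}

# The CoinHive JavaScript API constructed a miner object with
# CoinHive.Anonymous(siteKey) or CoinHive.User(siteKey, user); an inline
# script containing that call is a strong indicator of an embedded miner.
INLINE_PATTERNS = [re.compile(r"new\s+CoinHive\.(Anonymous|User)\s*\(")]


class _ScriptCollector(HTMLParser):
    """Collects external <script src=...> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def _host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_html(html, domains=MINER_DOMAINS):
    """Return (kind, detail) findings for cryptomining indicators in a page."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        # urlparse handles absolute and protocol-relative (//host/...) URLs;
        # same-origin relative paths have no host and are skipped here.
        host = urlparse(src).hostname or ""
        if host and _host_matches(host, domains):
            findings.append(("external_script", src))
    for body in collector.inline:
        for pattern in INLINE_PATTERNS:
            match = pattern.search(body)
            if match:
                findings.append(("inline_miner_api", match.group(0)))
                break
    return findings


def to_abp_filters(domains=MINER_DOMAINS):
    """Adblock Plus filter lines that block every request to the domains."""
    return [f"||{d}^" for d in sorted(domains)]


def to_umatrix_rules(domains=MINER_DOMAINS):
    """uMatrix rules that block script loads from the domains on any site."""
    return [f"* {d} script block" for d in sorted(domains)]


# Constructed sample pages: one with an injected miner, one clean.
SAMPLE_INJECTED_PAGE = """<html><head><title>Shop</title>
<script src="/js/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLE-SITE-KEY-PLACEHOLDER');
  miner.start();
</script>
</body></html>"""

SAMPLE_CLEAN_PAGE = """<html><head><script src="/js/app.js"></script></head>
<body><p>Hello</p><script>console.log("ok");</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("injected", SAMPLE_INJECTED_PAGE), ("clean", SAMPLE_CLEAN_PAGE)):
        print(name, scan_html(page))
    print("\n".join(to_abp_filters()))
    print("\n".join(to_umatrix_rules()))
```

Run as a script, it reports two findings for the injected page (the external miner script and the inline `new CoinHive.Anonymous(` call) and none for the clean page, then prints the filter lines. The domain check also catches subdomains, and the inline pattern catches the case the article warns about, where the opt-in has been circumvented and the miner is started directly from page script.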
Cybercriminals are only becoming more innovative in their tactics and businesses cannot afford to be caught off guard by emerging threats that may lurk in their own internal environment. ‘Cryptojacking’ is beneficial to cybercriminals as it is both lucrative and covert and the effects are only recognised retrospectively. Intelligent monitoring and blocking of websites (without interfering with the user experience) coupled with education will ensure that companies remain vigilant against this type of emerging threat.