Posted on January 22, 2019

CryptoJacking – Give Me Your Computing Power

CryptoJacking, or ‘drive-by mining’, is an attack vector that became prevalent amongst hackers due to the rise in crypto currencies. Even though the market is currently struggling, there are now over 2,000 different types of crypto currencies (not all of these are mineable). It is, therefore, no surprise that hackers have become interested in the market: a lot of crypto currencies are almost impossible to trace because investors use anonymous wallets to hold their coins, which provides extra security and makes transactions harder to trace.

Explained simply, crypto currency mining uses your computing power to provide a 24/7 bookkeeping service which is more commonly known as ‘verifying transactions’. Each transaction that is verified will reward the miner with a small fee for using their computing power.

The more computing power available, the more transactions can be verified, which ultimately means more money being made. However, computing power is expensive and also uses a lot of electricity, which in turn costs a miner a chunk of their profits. So how can an attacker make money and not have to pay any fees?

The answer is CryptoJacking, which involves embedding malware into popular sites that get thousands of visitors per day. The infected computers of those browsing the sites will silently mine crypto currencies against the user’s will and deposit the earnings into the attacker-controlled, anonymous wallet. No costs for hardware, no costs for electricity, and the malware can often go undetected for long periods of time.

How much electricity does crypto currency mining use?

Cryptocurrencies have come under a lot of scrutiny since becoming popular, and one of the main problems is the amount of electricity they use.

According to the Guardian, in November 2017 Bitcoin mining used more electricity per year than Ireland. Bitcoin is the most popular cryptocurrency, with its market dominance usually sitting at around 51%. If we take into account the other 49% of cryptocurrencies, this would be a huge amount of electricity, and your computer could be part of it.

How much money has been made?

In February 2018, shortly after CryptoJacking started becoming popular, Coinhive made headlines as the most prevalent CryptoJacking software. The software was used to compromise an accessibility plugin called “BrowseAloud”, which was known to be used by the English Student Loans Company, multiple English councils and the Information Commissioner’s Office.

It was thought to be active on over 5,000 websites through BrowseAloud. If every single user from every single website became infected, that would be a lot of computing power.

In an interview with the technology site Motherboard, Coinhive said that the entire campaign earned a total of 0.1 Monero. At the time Monero was worth $245 per coin, which means they earned less than $25, which Coinhive did not pay.

So, is this really a threat?

Well, firstly we need to have a look at the crypto market. Monero at the time of this article being typed up (January 2019) was worth roughly $53 – nearly 1/5th of the price during the BrowseAloud attack. The crypto market has taken some big hits over the last year and is becoming far less popular amongst consumers.

This campaign may not have paid out much, but this was at the beginning of the CryptoJacking lifespan. Thanks to PublicWWW we can find out how many sites currently have the coinhive.min.js script embedded into them by using a simple search.

As of now, there are more than 11,000 websites using the Coinhive script. Upon researching the infected sites, it is difficult not to notice that a large majority of them seem to be free movie streaming services, which is no surprise as these often host different types of malware.

Are all applications that use browser based crypto mining software bad?

Browser based crypto mining is seen by some as an alternative to adverts. Instead of making revenue through spamming users with adverts, an application could ask users to lend it computing power for the duration of the time they spend on the site. The theory of this would be great: imagine an advert-free internet?

However, I do not believe that anyone should allow an application to use computing power in this way. How would it be regulated? 

The BrowseAloud attacks happened in February 2018, which affected 5,000 sites. I wrote an article about CryptoJacking at the end of March 2018 and by then the speed had picked up and the coin.min.js script was on over 35,000 applications.

This means that in roughly a month Coinhive increased from 5,000 to 35,000 sites. The number of sites infected by Coinhive is now much lower, but the software has had a longer lifespan: how many different and more powerful versions have been made?

Can we stop worrying about it now?

No. Even if it is unclear how much money is being made from CryptoJacking, it is still active.

In August 2018, technology site Bleeping Computer published an article claiming that the Coinhive script had compromised more than 200,000 MikroTik routers, 72,000 of them being compromised in Brazil during the first stage of the attack. The attackers are thought to have exploited a zero-day in the WinBox component of the routers in April 2018, which was patched by MikroTik shortly after.

CryptoJacking should still be taken seriously. It can force your computer or server to use more processing power, in theory shortening its lifespan. It can also cost you money by raising your electricity bill.

How to protect against CryptoJacking?

CryptoJacking malware is difficult to protect against, because the affected computer does not show obvious signs of infection while the malware silently mines in the background. The first step is to use an extension, such as minerBlock or No Coin, that blocks the most common JavaScript miners, as well as ensuring that you have good, up-to-date anti-virus software installed on your computer. Using a JavaScript blocker such as ScriptSafe or NoScript is also a good defence against the malware, as it prevents JavaScript from running on any page unless specifically allowed by the user.
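The same kind of script matching used to count sites embedding coinhive.min.js can be run by a site owner against their own pages to spot an injected miner. The following is an added example, not code from the original article or from any of the extensions named; the host entry, the finding labels and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# coinhive.min.js is named in the article; both sets are illustrative only.
MINER_FILENAMES = {"coinhive.min.js"}
MINER_HOSTS = {"coinhive.com"}

class ScriptCollector(HTMLParser):
    """Collect external script URLs and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)
            else:
                self._buf = []  # inline script: start buffering its body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def find_miner_scripts(html, page_url):
    """Return (reason, detail) pairs for miner scripts the page would load."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        url = urlparse(urljoin(page_url, src.strip()))  # resolves //host/... too
        host = (url.hostname or "").lower()
        filename = url.path.rsplit("/", 1)[-1].lower()
        if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
            findings.append(("blocked-host", url.geturl()))
        elif filename in MINER_FILENAMES:
            findings.append(("blocked-filename", url.geturl()))
    for body in collector.inline:  # loaders that inject the script at runtime
        if any(name in body.lower() for name in MINER_FILENAMES):
            findings.append(("inline-loader", body.strip()[:80]))
    return findings

SAMPLE_HTML = (  # constructed sample page, not taken from any real site
    '<script src="//CoinHive.com/lib/coinhive.min.js?v=2"></script>'
    '<script src="https://cdn.example.net/js/CoinHive.min.js"></script>'
    "<script>var s=document.createElement('script');s.src='/x/coinhive.min.js';</script>"
)
```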
