What is cryptojacking?
Cryptojacking is a malicious activity in which an infected device is used to secretly mine cryptocurrencies. To do so, the attacker uses the victim's processing power and bandwidth (in most cases without their awareness or consent). Generally, the cryptomining malware responsible for such activity is designed to use just enough system resources to remain unnoticed for as long as possible. As cryptocurrency mining requires lots of processing power, attackers try to break into multiple devices. In this way, they are able to gather enough computational resources to perform low-risk and low-cost mining activity.
Earlier versions of mining malware depended on victims clicking malicious links or email attachments, accidentally infecting their systems with a hidden crypto-miner. However, more sophisticated types of this malware have been developed in the last couple of years, taking the cryptojacking approach to a whole new level. Currently, the majority of mining malware runs through scripts embedded in websites. This approach is known as web-based cryptojacking.
Web-based cryptojacking (also known as drive-by cryptomining) is the most common form of cryptomining malware. Typically, this malicious activity is executed through scripts running within a website, allowing the victim's browser to automatically mine cryptocurrencies for the length of the visit. Such web-based miners are being secretly implemented in a wide variety of websites, regardless of popularity or category. In most cases, Monero is the cryptocurrency of choice, as its mining process does not require huge amounts of resources and processing power like Bitcoin mining does. In addition, Monero provides increased levels of privacy and anonymity, making transactions much harder to trace.
Unlike ransomware, cryptomining malware rarely compromises the computer and the data stored on it. The most noticeable effect of cryptojacking is reduced CPU performance (usually accompanied by an increase in fan noise). However, for businesses and larger organizations, the reduced CPU performance may hamper their work, potentially resulting in considerable losses and missed opportunities.
CoinHive is compatible with all major browsers and is relatively easy to deploy. The creators keep 30% of all cryptocurrencies mined through their code. It makes use of cryptographic keys in order to identify which user account should receive the other 70%.
Despite being initially presented as an interesting tool, CoinHive received lots of criticism due to the fact that it is now being used by cybercriminals to maliciously inject the miner into several hacked websites (without the owner’s knowledge or permission).
Unsurprisingly, AuthedMine is not being adopted at the same scale as CoinHive. A quick search on PublicWWW shows that at least 14,900 websites are running CoinHive (of which 5,700 are WordPress websites). On the other hand, AuthedMine was implemented by roughly 1,250 pages.
During the first half of 2018, CoinHive became the top malware threat tracked by antivirus programs and cybersecurity companies. However, recent reports indicate that cryptojacking is no longer the most prevalent threat as the first and second positions are now taken by Banking Trojans and Ransomware attacks.
The quick rise and fall of cryptojacking may be related to the work of cybersecurity companies, as many cryptojacking codes are now blacklisted and quickly detected by most antivirus software. Moreover, recent analyses suggest that web-based cryptojacking is not as profitable as it seems.
In December 2017, the CoinHive code was silently implemented into the WiFi network of multiple Starbucks stores in Buenos Aires, as reported by a client. The script was mining Monero through the processing power of any device that was connected to it.
CoinHive into the Starbucks WiFi network
In early 2018, the CoinHive miner was found to be running on YouTube Ads through Google’s DoubleClick platform.
CoinHive running through YouTube Ads
During July and August 2018, a cryptojacking attack infected over 200,000 MikroTik routers in Brazil, injecting CoinHive code in a massive amount of web traffic.
CoinHive code in MikroTik routers
How to detect and prevent cryptojacking attacks?
If you suspect that your CPU is being used more than normal and its cooling fans are making noise for no apparent reason, chances are your device is being used for cryptomining. It is important to find out whether your computer is infected or whether the cryptojacking is being performed by your browser. While web-based cryptojacking is relatively easy to discover and stop, mining malware that targets computer systems and networks is not always easy to detect, since it is usually designed to be hidden or masked as something legitimate.
There are browser extensions that are able to effectively prevent most web-based cryptojacking attacks. Besides being limited to web-based miners, these countermeasures are usually based on a static blacklist, which may quickly become outdated as new cryptojacking approaches are deployed. Therefore, it is also recommended to keep your operating system up to date, along with up-to-date antivirus software.
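For site owners, the static-blacklist check described above can be run against their own pages. The following is an added example, not code from the original article or from any of the extensions it names: it reports blocklisted script URLs and any CoinHive site key that does not belong to the owner, and shows that a miner served from an unlisted host goes unreported. The blocklist, the sample pages, the host `miner.example` and the key `EXAMPLE_SITE_KEY` are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Sample static blocklist, constructed for this example (names taken from the article).
BLOCKLIST = ("coinhive.com", "authedmine.com")
# Miner start-up call; its argument is the site key that says who gets paid.
KEY_RE = re.compile(r"CoinHive\.(?:Anonymous|User)\(\s*['\"]([^'\"]+)['\"]")


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def audit_page(html, own_keys=()):
    """Return blocklisted script URLs and site keys that are not the owner's."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    hits = [s for s in parser.srcs if any(d in s.lower() for d in BLOCKLIST)]
    keys = KEY_RE.findall("\n".join(parser.inline))
    return {"blocklisted": hits, "foreign_keys": [k for k in keys if k not in own_keys]}


# Constructed pages: a stock embed, and a miner served from a host the list lacks.
STOCK = """<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('EXAMPLE_SITE_KEY'); m.start();</script>"""
UNLISTED = '<script src="https://miner.example/lib/m.js"></script>'

if __name__ == "__main__":
    print(audit_page(STOCK))     # URL and an unrecognised site key are reported
    print(audit_page(UNLISTED))  # nothing reported: the static list misses it
```

Passing the owner's own key in `own_keys` separates a miner the owner deployed deliberately from one injected with someone else's key.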
When it comes to businesses and larger organizations, it is important to inform and educate the employees about cryptojacking and phishing techniques, such as fraudulent emails and spoofing websites.
- Pay attention to your device performance and CPU activity;
- Install web browser extensions, such as MinerBlock, NoCoin and Adblocker;
- Be cautious with email attachments and links;
- Install a trustworthy antivirus and keep your software applications and operating system up to date;
- For businesses: teach your employees about cryptojacking and phishing techniques.
 PublicWWW is a search engine that tracks the entire source code of websites.
 For Windows users: you can easily check the performance of your device on the Task Manager window (Ctrl+Shift+Esc to open).