Hijacking the CryptoMine

Cryptojacking occurs when hackers hijack computing power for the unauthorized purpose of mining cryptocurrencies.

The gold rush in cryptocurrencies has led to a shift in the tactics used by cybercriminals.

According to cybersecurity provider Symantec, the profitability of ransomware, malware that locks users out of their system unless/until a ransom is paid, dropped in 2017 (Symantec reported the average ransom demanded in ransomware attacks was $1,017 in 2016, a 266% rise from 2015; in 2017, the average ransom declined to $522). As a result, many cybercriminals have shifted their attacks from ransomware to using coin miners, software designed to mine cryptocurrencies, in order to capitalize on the soaring values of digital currencies.

The process of hackers infecting the computing devices of others in order to amass the massive amounts of computer processing power needed to mine cryptocurrencies is called cryptojacking. At its essence, cryptojacking is when hackers hijack computing power for the unauthorized purpose of mining cryptocurrencies.

Symantec recently quantified the explosive growth in the use of cryptojacking in its Internet Security Threat Report, in which it reported the detection of coin miners on endpoint computers increased 8,500% in 2017.

Kevin Haley, director of Security Response at Symantec, says the astronomical growth in cryptojacking will not be sustained. "It comes from almost zero attacks in 2016, so we shouldn't expect it to continue in the thousands of percentiles," Haley says. Even so, Haley says he expects growth in cryptojacking will continue to be significant, because it is proving to be easy money for attackers, so more nefarious actors will get into it. Haley adds that those who are not good at cryptojacking will not make enough money to satisfy themselves and will leave, while those who find they are skilled at the process will continue to use it, and to refine their tactics.

Cryptojacking is a low-risk/high-reward proposition for hackers. The risk of being caught is minimal, and even if it is discovered, cryptojacking is difficult to trace back to its source because of the anonymity of the cryptocurrencies being mined. Additionally, cryptojacking scripts do not do any damage to computers or data, and nothing is stolen (except processing power), so there is little incentive to follow up when an attack is discovered.

How it's done

One of the most common methods of cryptojacking involves executing JavaScript in a browser, which then steals resources from the user's CPU. This computing power is pooled with that of other cryptojacked devices in order to mine cryptocurrencies at scale.

Browser-based cryptojacking has been growing fast, and the practice is now rampant. It doesn't require a download, it starts instantly, and it works efficiently and surreptitiously in the background, usually until the browser session is closed. Sometimes hackers will launch a stealth "pop-under" window or 1-pixel browser that is difficult to detect, in order to continue illicitly accessing a device's processing power. Overall, no significant technical skills are required, and only a few lines of code are needed; cryptojacking has a low barrier to entry.

Victims might remain unaware they have been cryptojacked. The effects of coin mining are mostly performance-related, and include lags in computers' execution of commands, slower performance, and overheating.

Protecting against being cryptojacked is getting easier, as most antivirus software and ad blockers can now detect coin-mining software. Browser extensions like No Coin or minerBlock can be installed to stave off such software, and JavaScript blockers such as NoScript can be used to defeat cryptojacking as well.

The most common program used by hackers to cryptojack computers is code from a cryptocurrency mining service called Coinhive, which offers a JavaScript miner that executes in a browser and then accesses the processing power of any PC, laptop, tablet, or smartphone visiting a site on which it has been installed. Coinhive is specifically written to mine Monero, a cryptocurrency designed to be private, stealthy, and untraceable. Since Monero cannot be traced to a particular user or a real-world identity, it is especially appealing to cybercriminals.
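One way a site owner could audit a page for an embedded browser miner is a blocklist check over its script tags. This is an added example, not code from the article or from any tool it names; the host list, the miner.example entries, the script paths, the sample page, and the assumption that Coinhive's script is driven through a global named CoinHive are all illustrative.

```javascript
// Added illustration: blocklist audit of <script> tags (miner.example is constructed).
const MINER_HOSTS = ["coinhive.com", "miner.example"];
// Assumption: Coinhive's library is driven through a global named CoinHive.
const MINER_GLOBAL = /\bCoinHive\s*\./;

// True for a listed domain or any subdomain of it, never for a mere suffix match.
function hostIsListed(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return MINER_HOSTS.some((d) => h === d || h.endsWith("." + d));
}

// Regex extraction is enough for an audit pass; a real crawler would use an HTML parser.
function extractScripts(html) {
  const scripts = [];
  const tag = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const srcAttr = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const s = srcAttr.exec(m[1]);
    scripts.push({ src: s ? (s[1] ?? s[2] ?? s[3]) : null, body: m[2] });
  }
  return scripts;
}

// Resolves each src the way a browser would, then checks host and inline body.
function auditPage(html, pageUrl) {
  const findings = [];
  for (const { src, body } of extractScripts(html)) {
    if (src !== null) {
      try {
        const u = new URL(src.trim(), pageUrl);
        if (hostIsListed(u.hostname)) findings.push({ kind: "listed-host", detail: u.href });
      } catch {
        findings.push({ kind: "unparseable-src", detail: src });
      }
    }
    if (MINER_GLOBAL.test(body)) findings.push({ kind: "miner-api-inline", detail: body.trim().slice(0, 60) });
  }
  return findings;
}

// Constructed sample page; hosts, paths and the site key are placeholders.
const SAMPLE = `<head>
<script src="/static/app.js"></script>
<script src="//Pool.Miner.Example/m.js"></script>
<script>var m = new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER");</script>
<script src="https://notminer.example/x.js"></script>
<script src="https://coinhive.com/lib/m.js"></script>
</head>`;
console.log(auditPage(SAMPLE, "https://news.example/article"));
```

A static list only catches miners it already knows about, which is why the article also points to script blockers that refuse third-party JavaScript by default.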

"Cryptojacking largely involves Monero, which is more anonymous than Bitcoin," says Sean Sullivan, Security Advisor at Helsinki, Finland-based cybersecurity firm F-Secure. According to Sullivan, Monero is designed to be mined by the CPUs on standard PCs, while mining Bitcoin requires the use of special high-end CPUs; it is totally inefficient to mine Bitcoin on a typical PC, he said.

Legal cryptojacking?

Legitimate uses of the concepts and methods behind cryptojacking are beginning to appear online. For instance, digital media outlet Salon started a beta test early this year, using Coinhive to mine Monero as an alternative to online advertising as a revenue stream. Specifically, if a visitor has an ad blocker turned on when visiting, they might see a prompt offering a choice between disabling the ad blocker and a "suppress ads" option. The latter choice will allow Salon to put readers' unused computing power to use mining Monero while they are visiting the site.

Salon Media Group COO Ryan Nathanson says the experience has been very insightful, but the overall reception has been mixed. "The ad industry and fellow publishers have generally shown us support in trying out new innovative methods to monetize without ads," Nathanson says. He adds that Salon visitors who are already familiar with crypto and do not want to see ads generally opt in to mining during their browsing session, but those unfamiliar with crypto naturally tend to remain uncomfortable with the idea and do not opt in.

"This goes back to the educational hurdle the crypto industry as a whole needs to solve," Nathanson says. "We are learning that the crypto industry has a very large hurdle to overcome with the general public." The challenge, he says, is to educate and legitimize cryptomining, which at the moment is associated with criminal and unsavory uses that are depicted negatively by mainstream news outlets.

When Salon launched this project, the goal was to learn a few key things, Nathanson maintains, such as gauging the public's appetite for a different value exchange, obtaining a deeper understanding about the use of ad blockers, and determining whether blockchain/crypto technology has a place in the ad industry. Salon's intent, he says, was not to immediately replace ad-based revenue.

Nathanson acknowledges Salon is working on other crypto and blockchain beta projects focused on digital ad-industry related issues, such as domain spoofing and ad delivery discrepancies. 

"It's an interesting experiment to supplement a revenue stream from advertising, because Salon is the first to do things in the way that Coinhive hoped it would be done," observes F-Secure's Sullivan. He feels Salon is relying on the fact that the cryptocurrency markets are going to be around next year, the year after that, and so on, in the same way they are there today.

"It seems like a shaky foundation," Sullivan concludes.

John Delaney is a freelance writer based in Manhattan, NY, USA.


Communications of the ACM (CACM) is now a fully Open Access publication.
