Criminals are now using ransomware-style delivery tactics and malicious websites to run cryptocurrency miners on other people's computers. This scheme is called cryptojacking.
Malicious cryptominers often come through web browser downloads or sketchy mobile apps. Cryptojacking can compromise all kinds of devices, including desktops, laptops, smartphones, and even network servers.
Like most other malicious attacks on the computing public, the motive is profit, but unlike many threats, it is designed to stay completely hidden from users. The only signs they might notice are slower performance, lags in execution, overheating, excessive power consumption, or abnormally high cloud computing bills.
To understand the mechanics of the threat and how to protect yourself against it, continue reading the article below.
Defining Cryptojacking
Cryptojacking is also referred to as malicious cryptomining, and it is a threat that embeds itself within a computer or mobile device and then uses its resources to mine cryptocurrency.
Essentially, cryptojacking gives the perpetrator free money at the expense of your device and the overall health of your network. When cryptojackers intrude on your device, they use its computing power to solve the hashing puzzles that mining requires. The reward for solving these puzzles is cryptocurrency, which can be traded on an exchange for other cryptocurrency or for real-world money, often referred to as fiat currency.
As the crypto industry booms, so does cryptojacking. It has been in the news for quite some time, and with the growth of decentralized finance (DeFi) this crime has become more prevalent than ever. Even if cryptojackers do not plan to spend the cryptocurrency they "earn" with your device's resources, they can deposit it in a liquidity pool or lend it out and earn more.
Cryptojacking was the third most prevalent cybersecurity threat in 2021, according to the annual threat landscape report from the European Union Agency for Cybersecurity (ENISA). In the same year, Google's Cybersecurity Action Team reported that 86% of the compromised Google Cloud instances it observed were used for cryptocurrency mining. In 2020, Cisco reported that 69% of its customers were affected by cryptomining malware.
How does cryptojacking work?
Cryptojacking lets attackers mine cryptocurrency without paying for electricity, hardware or other mining resources. Cybercriminals compromise a device and install mining software that works in the background, mining cryptocurrency or, in some variants, stealing from cryptocurrency wallets. Victims can still use their devices but may experience slower performance or lags.
Hackers have two primary ways to get a victim’s device to secretly mine cryptocurrencies:
- By getting the victim to click on a malicious link from an email that loads cryptomining code on the computer.
- By infecting a website or online ad with JavaScript code that auto-executes once loaded in the victim’s browser.
To ensure a higher success rate, hackers often use both methods. In both cases, the code places the mining script onto the device, where it runs in the background as the victim uses it. Whichever method is used, the script performs the repeated hashing that mining requires on the victim's device and sends the results to a mining pool or server that the attacker controls, so any reward is credited to the attacker's wallet.
Unlike ransomware or data-destroying malware, cryptojacking scripts do not usually damage computers or the victim's data. What they steal is processing capacity. For individual users, slower computer performance might simply be an annoyance. For businesses, cryptojacking is a greater concern: an organization with many cryptojacked systems pays real costs in electricity, IT labor, hardware wear and lost productivity, and may suffer damage to business relationships if customer-facing services degrade.
Some cryptomining scripts have worming capabilities that allow them to infect other devices and servers on a network. This makes them harder to identify and remove. These scripts may also check to see if the device is already infected by competing cryptomining malware. If another cryptominer is detected, the script disables it.
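To make concrete what the "work" in cryptomining actually is, here is an added illustration (not code from the original article): a simplified proof-of-work loop of the kind a miner runs on a victim's CPU, together with the cheap check a pool or attacker-controlled server performs on the submitted result. The job header, the 16-bit difficulty, the share format and the `mine`/`verify_share` function names are assumptions made for this example; real mining jobs (for instance those sent over the Stratum protocol) carry more fields and use the coin's own hash function rather than plain SHA-256.

```python
import hashlib
import json
import time

# Constructed example of a mining "job" as a miner might receive it from a
# pool or an attacker-controlled server. Both fields are invented for the
# example; a real job carries more data and a coin-specific target.
JOB = {
    "header": "example-block-header-data",  # stand-in for block header bytes
    "difficulty_bits": 16,                   # leading zero bits the hash must have
}


def hash_attempt(header: str, nonce: int) -> bytes:
    """One mining attempt: hash the header together with a candidate nonce."""
    return hashlib.sha256(f"{header}:{nonce}".encode()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """A hash is a valid share if, read as a 256-bit integer, it is below the target."""
    target = 1 << (256 - difficulty_bits)
    return int.from_bytes(digest, "big") < target


def mine(header: str, difficulty_bits: int, max_nonce: int = 1 << 32) -> dict:
    """Brute-force nonces until a hash under the target is found.

    Returns the share the miner would submit plus how many hashes it cost.
    That hash count is the CPU time a cryptojacking victim unknowingly pays for.
    """
    start = time.perf_counter()
    for nonce in range(max_nonce):
        digest = hash_attempt(header, nonce)
        if meets_target(digest, difficulty_bits):
            return {
                "nonce": nonce,
                "hash": digest.hex(),
                "hashes_tried": nonce + 1,
                "seconds": time.perf_counter() - start,
            }
    raise RuntimeError("no valid nonce found in range")


def verify_share(header: str, nonce: int, difficulty_bits: int) -> bool:
    """What the server does: a single hash to check work that cost the victim many."""
    return meets_target(hash_attempt(header, nonce), difficulty_bits)


if __name__ == "__main__":
    share = mine(JOB["header"], JOB["difficulty_bits"])
    print(json.dumps(share, indent=2))
    print("server accepts share:",
          verify_share(JOB["header"], share["nonce"], JOB["difficulty_bits"]))
```

Each extra bit of difficulty doubles the expected number of hashes, which is why a miner pegs every core it can get: the victim pays for tens of thousands (at 16 bits) or billions (at real-world difficulties) of attempts, while the server verifies the share with one hash.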
Cryptojacking attacks
In early instances of drive-by cryptomining, web publishers caught up in the cryptocurrency craze sought to supplement their revenue and monetize their traffic by openly asking visitors' permission to mine for cryptocurrency while on their site. They posed it as a fair exchange: you get free content while they use your computer for mining. If you are on, say, a gaming site, you will probably stay on the page for some time while the JavaScript code mines for coins. When you leave the site, the mining shuts down too and releases your computer. In theory this is not so bad as long as the site is transparent about what it is doing, but it is hard to be sure that sites are playing fair.
More malicious versions of drive-by cryptomining have since proliferated; they do not bother asking for permission and keep running long after you leave the initial site. This is a common technique for owners of dubious sites, or for hackers who have compromised legitimate sites. Users have no idea that a site they visited has been using their computer to mine cryptocurrency. The code uses just enough system resources to remain unnoticed. Although the user thinks the visible browser windows are closed, a hidden one stays open, usually a pop-under sized to fit under the task bar or behind the clock.
Drive-by cryptomining can even infect Android mobile devices, using the same methods that target desktops. Some attacks occur through a Trojan hidden in a downloaded app, or a user's phone can be redirected to an infected site that leaves a persistent pop-under. There is even an Android Trojan whose miner taxes the processor so hard that the phone overheats, the battery bulges, and the device is essentially left for dead.
You might think, “Why use my phone and its relatively minor processing power?” But if these attacks happen simultaneously in hundreds or thousands of mobile devices, they add up to a collective strength worth the time and effort of cryptojackers.
How to detect cryptojacking?
Cryptojacking is designed to be as undetectable as possible. However, there are four important signs you should watch for on your device:
- Poor performance is a common sign of cryptojacking. Devices affected may run slower than usual or crash at unusual moments due to strain on processing power from the extra workload.
- Overheating is a common result. Fans in infected devices run faster than usual, or batteries may overheat if a cryptojacking script is taxing the processor of an infected device. Overheating can damage a device or shorten its life span.
- High electricity costs are also a sign of an attack. The energy and processing power required for mining draws significant electricity.
- Central processing unit (CPU) usage spikes in response to cryptojacking. Windows users can check CPU use in Task Manager, and macOS users in Activity Monitor, when visiting sites that run little or no media content. A sustained spike on an otherwise idle page may indicate a cryptojacking attack. However, cryptojacking malware can be written to masquerade as legitimate processes or to throttle itself so it stays under the radar, so this method alone is not reliable.
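The CPU check above can be scripted, and doing so shows why a single spike is not a useful signal. The following is an added example, not from the original article: it takes a series of per-process CPU samples (constructed here; in practice they would come from Task Manager, Activity Monitor, `ps`, or an EDR agent), flags only processes that stay above the threshold for several consecutive samples, and adds weight when the command line references a Stratum mining pool URL or when the hot process is a browser, which is where a hidden pop-under window would show up. The process names, PIDs, percentages, pool hostname and thresholds are all invented for the example.

```python
import re
from collections import defaultdict

# Constructed samples of per-process CPU use taken every 5 seconds on one host.
# Field order: (t_seconds, pid, process_name, cpu_percent, command_line).
# Names, PIDs, percentages and the pool hostname are invented for this example.
SAMPLES = [
    (0,  101, "chrome.exe",  94.0, "chrome.exe --type=renderer"),
    (0,  202, "ffmpeg.exe",  91.0, "ffmpeg.exe -i input.mp4 out.mkv"),
    (0,  303, "svchost.exe",  2.0, "svchost.exe -k netsvcs"),
    (0,  404, "updater.exe", 88.0, "updater.exe -o stratum+tcp://pool.invalid:3333 -u 4ABC"),
    (5,  101, "chrome.exe",  96.0, "chrome.exe --type=renderer"),
    (5,  202, "ffmpeg.exe",  89.0, "ffmpeg.exe -i input.mp4 out.mkv"),
    (5,  303, "svchost.exe", 40.0, "svchost.exe -k netsvcs"),   # short, legitimate burst
    (5,  404, "updater.exe", 90.0, "updater.exe -o stratum+tcp://pool.invalid:3333 -u 4ABC"),
    (10, 101, "chrome.exe",  95.0, "chrome.exe --type=renderer"),
    (10, 202, "ffmpeg.exe",   0.0, "ffmpeg.exe -i input.mp4 out.mkv"),   # transcode finished
    (10, 303, "svchost.exe",  1.0, "svchost.exe -k netsvcs"),
    (10, 404, "updater.exe", 92.0, "updater.exe -o stratum+tcp://pool.invalid:3333 -u 4ABC"),
]

CPU_THRESHOLD = 80.0   # percent of one core; tune per host
MIN_CONSECUTIVE = 3    # 3 samples at 5 s = 15 s of sustained load
# Miners talk to pools over the Stratum protocol; its URL scheme in a command
# line is a far stronger indicator than CPU load alone.
POOL_URL = re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE)
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "safari"}


def sustained_high_cpu(samples, threshold=CPU_THRESHOLD, min_consecutive=MIN_CONSECUTIVE):
    """Map pid -> longest run of consecutive samples at or above threshold,
    keeping only processes whose run is at least min_consecutive samples."""
    by_pid = defaultdict(list)
    for _t, pid, _name, cpu, _cmd in sorted(samples, key=lambda s: (s[0], s[1])):
        by_pid[pid].append(cpu)
    flagged = {}
    for pid, cpus in by_pid.items():
        best = current = 0
        for cpu in cpus:
            current = current + 1 if cpu >= threshold else 0
            best = max(best, current)
        if best >= min_consecutive:
            flagged[pid] = best
    return flagged


def triage(samples):
    """Rank sustained-CPU processes using cheap context from name and command line."""
    latest = {pid: (name, cmd) for _t, pid, name, _cpu, cmd in samples}
    findings = []
    for pid, run in sustained_high_cpu(samples).items():
        name, cmd = latest[pid]
        reasons = [f"cpu >= {CPU_THRESHOLD:.0f}% for {run} consecutive samples"]
        score = 1
        if POOL_URL.search(cmd):
            reasons.append("command line references a Stratum mining pool URL")
            score += 3
        if name.lower() in BROWSERS:
            reasons.append("browser process pegged; look for a hidden pop-under window")
            score += 1
        findings.append({"pid": pid, "name": name, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["pid"]))


if __name__ == "__main__":
    for f in triage(SAMPLES):
        print(f"pid {f['pid']} {f['name']} score={f['score']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

With these samples the transcoder that finishes after two intervals is not reported, the short `svchost.exe` burst never crosses the threshold, the browser renderer is reported as worth a look, and the process carrying a pool URL ranks first. A miner that throttles itself below `CPU_THRESHOLD` would slip past the first rule, which is why the command-line and network indicators matter more than the percentage.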
How to avoid cryptojacking?
As it has evolved into a multi-vector attack spanning endpoint, server, and cloud resources, preventing cryptojacking takes an orchestrated and well-rounded defense strategy. The following steps can help keep cryptojacking from running rampant on enterprise resources.
- Employ strong endpoint protection. The foundation is endpoint protection and anti-malware capable of detecting cryptominers, combined with up-to-date web filters and managed browser extensions to minimize the risk of browser-based mining scripts executing. Organizations should ideally look for endpoint protection platforms that extend to servers and beyond.
- Patch and strengthen servers (and everything else). Cryptojackers tend to look for the lowest hanging fruit that they can quietly harvest — that includes scanning for publicly exposed servers containing older vulnerabilities. Basic server hardening that includes patching, turning off unused services, and limiting external footprints can go a long way toward minimizing the risk of server-based attacks.
- Use software composition analysis. Software composition analysis (SCA) tools provide better visibility into what components are being used within software to prevent supply chain attacks that leverage coin mining scripts.
- Hunt down cloud misconfigurations. One of the most impactful ways organizations can stop cryptojacking in the cloud is by tightening cloud and container configurations. That means finding cloud services exposed to the public internet without proper authentication, rooting out exposed API servers, and eliminating credentials and other secrets stored in developer environments and hardcoded into applications.
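For the last item, here is an added example (not from the original article) of the kind of check that finds secrets before an attacker does: a small scanner that looks for AWS access key IDs, PEM private key headers and quoted password or API key assignments in source and configuration files. The file contents are constructed; `AKIAIOSFODNN7EXAMPLE` is the example key ID from AWS's own documentation, and the quoted-assignment pattern is a heuristic that will need tuning on real code bases.

```python
import os
import re

# Patterns for a few secret types that commonly leak into repositories.
# The AWS access key ID format and the PEM header are real formats; the
# quoted-assignment rule is a heuristic and will need tuning in practice.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "quoted_credential": re.compile(
        r"""(?i)(password|passwd|secret|api[_-]?key)\s*[:=]\s*['"]([^'"]{8,})['"]"""
    ),
}

SKIP_DIRS = {".git", "node_modules", "venv", "__pycache__"}

# Constructed sample repository: paths and contents are invented for this example.
SAMPLE_FILES = {
    "app/config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DB_PASSWORD = "hunter2hunter2"\n'
        "DEBUG = False\n"
    ),
    "deploy.sh": "export API_KEY=$API_KEY   # read from the environment, not stored\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
}


def redact(value: str) -> str:
    """Keep enough of a match to locate it without copying the secret into a report."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str, path: str) -> list:
    """Scan one file's contents; return one finding per pattern hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "path": path,
                    "line": lineno,
                    "kind": kind,
                    "match": redact(match.group(0)),
                })
    return findings


def scan_files(files: dict) -> list:
    """Scan an in-memory {path: contents} mapping (used for the constructed sample)."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(text, path))
    return findings


def scan_tree(root: str) -> list:
    """Walk a real directory tree, skipping VCS and dependency folders."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['match']}")
```

Run `scan_tree(".")` from a repository root to check a real checkout; the sample shows the intended behaviour, where the hardcoded key, the quoted database password and the committed private key are reported while the deploy script that reads its key from the environment is not.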
Final Thoughts
Cryptojacking might seem like a relatively harmless crime, since the only thing "stolen" is the computing power of the victim's device. But that computing power is used without the knowledge or consent of the victim, for the benefit of criminals who are illicitly creating currency. We recommend following good cybersecurity practices to minimize the risks and installing trusted security software on all of your devices.