The increasing threat of cryptocurrency miners [Part 1]

Cryptojacking, the practice of exploiting a computer’s processing power to mine cryptocurrencies without the owner’s consent or knowledge, appears to be the new Eldorado for cybercriminals after its popularity exploded last autumn.

The idea of in-browser mining started in the early days of Bitcoin, in May 2011 to be precise, when an innovative service known as BitcoinPlus.com was launched. At that time mining Bitcoin was still cheap and easy. Integrating this service was very similar to integrating Coinhive, the most popular library since its launch in September 2017: it consisted of a piece of JavaScript code that site owners would embed into their pages to make visitors mine for them, in exchange for a small percentage fee for using the service. As Bitcoin became more and more popular worldwide, it became harder and harder to mine cryptocurrencies on home-grade hardware. With the arrival and democratization of ASIC chips in 2013, the era when you could mine Bitcoin on personal computers came to an end. Yet, with the introduction of alternative coins like Monero in 2014 (which purportedly offers increased privacy by obfuscating the participants in a transaction, as well as the amounts), the idea of mining on regular laptops and desktop computers was revived.

Fast forward to 2017, and the cryptocurrency industry has changed drastically: the diversity of altcoins available (more than 1,000), a total market capitalization that skyrocketed to more than $150 billion, and the revival of in-browser mining through services like Coinhive, JSEcoin, Cryptoloot and similar copycats have certainly provoked cybercriminal interest.

In-browser mining has moved from the original idea of providing webmasters with a monetization alternative to regular display ads to the usage we see today. In this post we will review a few examples of deceitful and malicious implementations that have been uncovered during the last few months:

Coinhive & co:

As mentioned above, one of the most popular tools among cryptojackers is a JavaScript library called Coinhive, which can start mining the cryptocurrency Monero as soon as a webpage has loaded. Many websites, like The Pirate Bay for example, quickly incorporated it to generate additional revenue, but without asking users’ permission. In December, AdGuard released a study where they exposed four of the most popular streaming and video-conversion websites (Openload, Streamango.com, Rapidvideo.com, OnlineVideoConverter.com). According to SimilarWeb, these four sites register 992 million visits monthly, which could generate monthly earnings of more than $320,000, all without user consent or awareness.

Soon enough, hackers found ways to inject such scripts into high-traffic websites like Showtime, the LA Times, PolitiFact and even YouTube (by hijacking advertisements from the DoubleClick platform), and they started mining cryptocurrencies for themselves without the publishers’ or users’ knowledge or consent. Publishers were not the only ones getting hacked, however: at the end of October, an unknown hacker managed to hijack Coinhive’s Cloudflare account, which allowed him to modify its DNS servers and replace Coinhive’s official JavaScript code embedded into thousands of websites with a malicious version.

WordPress:

It comes as no surprise that WordPress websites would be among the platforms to fall victim to cryptojacking. According to security researcher Troy Mursch from Bad Packets Report, there were around 30,000 WordPress sites infected with cryptomining scripts in November 2017; this number has been steadily growing to reach more than 50,000 in March 2018. This figure includes WordPress websites where mining scripts are quietly running in the background. For some, the integration would have been done by the publisher himself; the rest are either compromised or have been hijacked by plugins, such as “Animated Weather Widget by weatherfor.us”, that sneakily inject mining scripts to generate money by exploiting users’ computer resources, needless to say without the publishers’ knowledge.

Browser extensions:

Cryptojacking is not limited to websites: browser extensions have also been caught mining cryptocurrency on thousands of computers. For example, “Archive Poster,” a browser extension designed to help Tumblr users perform various tasks, remained on the Chrome Web Store for days while silently cryptojacking an unknown portion of its 100,000+ users. After multiple user reports, followed by coverage of the issue in multiple media outlets, the extension was removed.

Public Wi-Fi:

In another example, which took place in December at a Buenos Aires Starbucks, a customer using the public wi-fi discovered that someone had manipulated the wi-fi system, delaying the connection in order to mine Monero with shoppers’ devices. CoffeeMiner uses a man-in-the-middle (MITM) attack to hijack users connecting to wi-fi hotspots and inject mining code into all HTML pages requested by those users.
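In the website, WordPress and wi-fi cases above, the miner ends up as a script reference in the HTML the browser receives, so a publisher can check delivered pages for it. The following is an added example, not code from the original post or from AdSecure; the host list, the inline marker and the sample page are assumptions constructed from the services named in this post and are not a complete list.

```javascript
// Added example: flag miner script references in a page's HTML.
// MINER_HOSTS and INLINE_MARKERS are illustrative assumptions, not a full list.
const MINER_HOSTS = ['coinhive.com', 'jsecoin.com', 'crypto-loot.com'];
const INLINE_MARKERS = [/CoinHive\.(Anonymous|User|Token)\s*\(/];

// True when host is a listed domain or a subdomain of one.
// Suffix matching on a dot boundary avoids flagging lookalikes
// such as "notcoinhive.com".
function isMinerHost(host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return MINER_HOSTS.some(d => h === d || h.endsWith('.' + d));
}

// Returns one finding per suspicious <script>: { type, detail }.
function findMinerScripts(html, pageUrl) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = srcRe.exec(attrs);
    if (src) {
      const raw = src[1] ?? src[2] ?? src[3];
      let host;
      // Resolve relative and protocol-relative URLs against the page URL.
      try { host = new URL(raw, pageUrl).hostname; } catch { continue; }
      if (isMinerHost(host)) findings.push({ type: 'external', detail: host });
    } else {
      const hit = INLINE_MARKERS.find(re => re.test(body));
      if (hit) findings.push({ type: 'inline', detail: hit.source });
    }
  }
  return findings;
}

// Constructed sample page (not captured from a real site).
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script src='https://cdn.notcoinhive.com/x.js'></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');</script>
</head></html>`;

const sampleFindings = findMinerScripts(SAMPLE_HTML, 'https://publisher.example/');
console.log(sampleFindings);
```

Running the same check on the HTML as delivered to a visitor, and not only on the publisher's source, is what catches scripts added by a compromised plugin, an ad or a network intermediary.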

In the second part of this blog post, we’ll cover some more cases showing how cryptojacking has quickly become a favorite revenue stream for cybercriminals.

AdSecure provides next-gen defenses that protect publishers and ad platforms against a wide range of attacks in real-time including cryptojacking. To test how AdSecure can help your organization detect, investigate, and respond to advanced malvertising attacks, sign up for a free trial.
