Cryptojacking a new look
By |Published On: April 6th, 2021|8 min read|Categories: Cybersecurity|

An old threat is resurging, and data suggests we’ve only seen the tip of the iceberg.

With a significant increase in value of cryptocurrencies over the past year, 2021 is on pace to exceed 2018 as the “year of cryptojacking”. Cryptojacking experts are seeing steady upward momentum every year, along with new threats and risks.

Quick Recap: What is Cryptojacking?

Cryptojacking is an innovative exploit that comes from the complex, exciting world of cryptocurrency finance. Cryptocurrencies like Bitcoin and Ethereum are digital, tradable assets stored on decentralized ledger software. This software uses blockchain technology to record and verify transactions while conveniently bypassing the need for a central authority (like a bank) to weigh in.

Creating new coins involves using computing resources to create new blocks in the chain, or “mining”. This power-intensive work requires formidable hardware, which can cost thousands of dollars. The most successful miners have sophisticated purpose-built systems producing new coins non-stop.

Unsurprisingly, there are enterprising cryptocurrency enthusiasts who want to bypass the expense of buying and configuring their own mining rigs. Instead, they use malware to compromise other peoples’ systems and get them to mine cryptocurrency for free – the definition of cryptojacking.

It wasn’t until 2018 that cryptojacking started to attract mainstream attention. When the cryptocurrency markets faltered in 2019, cryptojacking reports dropped by 40%. Since 2020 onwards, reports have largely gone under the radar, even as they grow in size and significance.

How Cybercriminals Execute Cryptojacking Attacks Today

Since cryptojacking remains chronically underreported, it’s impossible to tell which methods and exploits are the most popular. However, we can glean some incredibly useful insight from a now-defunct browser-based cryptojacking vendor called Coinhive.

In 2018, Coinhive was practically synonymous with cryptojacking. It defined many of the practices characteristics that distinguish cryptojacking attacks today.

At its height, Coinhive was making $250,000 per month through its cryptojacking-as-a-service business model. Cybersecurity expert Troy Hunt now owns the defunct website, which still sees more than 3 million requests per day. All of the websites Coinhive originally exploited are still exploited – a fact Hunt demonstrates by forcing them to run cryptojacking warning pop-ups.

Coinhive’s original owners managed to do this by inserting malicious JavaScript onto their victim’s websites. More accurately, they tricked website owners into embedding malicious scripts. This is a classic example of a client-side attack, where an authorized user accidentally embeds a compromised script into their website.

There is also a significant number of exploited hardware routers trying to run Coinhive scripts. Exploiting a router is not as difficult as it sounds, and the potential reward is more than 30 times greater than exploiting websites. A compromised router can attach cryptojacking scripts to every single request it processes, victimizing millions of users whenever they visit a non-secured website.

JavaScript vulnerabilities are still among the most frequent security compliance violations that enterprises face. A Tala Security report found that 92% of Alexa top 1000 websites provide attackers with sensitive data. It found that 58% of content displayed on customer web browsers comes from third-party JavaScript integrations – the exact types of scripts that CoinHive’s original owners used.

These kinds of exploits are among the most common found today. With client-side attacks on the rise, cryptojacking exploits are sure to follow.

Is Cryptojacking Really a Danger?

Cryptojacking often goes unnoticed and unreported. Unlike other kinds of cyberattacks, it does not directly damage victims’ hardware or software. Casual users may even consider it a “victimless crime”.

The Coinhive case shows just one of the ways cryptojacking can lead to serious damage and data loss. Since the profitability of cryptojacking is tied to the profitability of cryptocurrency markets, it’s all too easy for cryptojacking specialists to change their tactics during market downturns.

It’s uncommon for modern cryptojacking software to focus exclusively on mining cryptocurrency. At the very least, it will also disable your antivirus and open up some of your secured ports in order to communicate with its command and control infrastructure.

The question more people should be asking is: Why stop there? Nothing stops cryptojacking software from also performing data exfiltration, keylogging, or credit card skimming.

It’s not just the cryptocurrency markets that favor this approach. Cryptojacking is an excellent diversion for sophisticated, multi-pronged cyberattacks. Microsoft researchers have identified blatant Monero cryptojacking attacks on top of deeper, harder-to-find credential theft attacks all coming from the same group.

Cybercriminals now have an easy, profit-generating tool for probing their victim’s defenses. They realized that if a cryptojacking attack goes unnoticed, more extensive exploits surely will too. If they don’t, at least there is a small profit to be made nonetheless.

Why is Cryptojacking Becoming a Problem Now?

Since cryptojacking makes money by exploiting devices to mine cryptocurrency, its profitability is tied to the overall market. As cryptocurrencies become more valuable, cryptojacking becomes more profitable.

As Bitcoin reaches ever-higher values, it stands to reason that more and more opportunistic cybercriminals will try to cash in. But Bitcoin isn’t the only cryptocurrency gaining in value, and it isn’t the one that cryptojacking hackers prefer.

That award goes to Monero, a far more secure, privacy-oriented cryptocurrency whose developers claim is “untraceable”. It is far better-suited to cryptojacking than Bitcoin, and offers far greater rewards. Coinhive operated using Monero, and many of today’s copycat scripts work in fundamentally the same way.

The widespread use of third-party JavaScript is making it easier for cybercriminals to infiltrate websites with client-side attacks. It’s a particularly effective exploit for non-technical website owners who simply copy and paste snippets of code into editors to obtain new website functionalities.

Analysts have found cryptojacking scripts in browser extensions, customer support widgets, and even live chat applications. Any browser-based service that relies on JavaScript is a potential target.

The ability for cryptojacking software to form a diversion against larger, more sophisticated attacks is changing the threat landscape. Cryptojacking is now less about making money (although it still does), and more about performing lightweight reconnaissance on potential victims.

How to Prevent Cryptojacking

JavaScript is fundamental to many modern website functionalities. You can’t simply disable it without seriously damaging the user experience. It may not be possible to comprehensively verify every single third-party script your website relies on. What you can do is analyze the way these scripts’ behaviors and prevent them from doing things outside their stated purpose.

Data exfiltration is critical to cybersecurity efficiency. By monitoring the connections to command and control servers, the Dark Web and other unauthorized servers, cryptojackers can be easily identified and attacks can be prevented before they even happen.

BlackFog is an on-device data privacy and security solution that prevents cryptojacking and data exfiltration using behavioral analysis. Talk to one of our experts to find out how we can help you protect your website from sophisticated cryptojacking threats.

Share This Story, Choose Your Platform!

Related Posts