With cryptocurrencies struggling to recover from last year’s crash, and new energy-use taxes on the horizon, cryptomining isn’t exactly the profit center it once was, but for unscrupulous individuals, there’s still an easy way to make money mining cryptocurrencies: cryptojacking.
Cryptojacking is the illegal practice of using a computer or mobile device to mine cryptocurrencies without the user’s knowledge or permission. Since the overhead for cryptojacking is lower than that of traditional mining, it has become an increasingly popular tactic among cybercriminals. In this article, we’ll delve into the world of cryptojacking, exploring what it is, how it works, and what steps you can take to protect yourself and your website from clickjacking in 2023.
Table of Contents
What is cryptojacking?
As noted above, Cryptojacking is a cybercrime in which a hacker hijacks someone else’s computer or device to mine cryptocurrencies. The cryptomining process requires significant computational resources, such as CPU or GPU power, to solve complex mathematical problems and validate transactions on the blockchain network. By cryptojacking unsuspecting users’ devices, malicious actors can exploit their computing resources to mine cryptocurrencies, typically currencies like Bitcoin or Monero.
Cryptojacking can be carried out in a number of ways–hackers may attempt to completely hijack a device via malware or may attempt to carry out a distributed cryptojacking attack in which thousands of devices handle small portions of the mining load on the client side. This method typically involves injecting malicious javascript into websites or web applications so that users accessing those websites will have a small portion of their devices’ processing power hijacked for cryptomining.
Given the prolific number of vulnerabilities being discovered and exploited, now is a good time to come up to speed on how hackers can profit through cryptojacking. Exploits like Log4jcan be used to infect websites with profitable malicious code, not just Magecart. We have seen home routers, corporate servers, and even compromised AWS credentials being used to earn cryptocurrency through mining.
With cryptojacking, this is possible by simply including some malicious javascript into your website’s source code. Only users who notice their computer running non-stop would know it was even present.
How does cryptojacking work?
Cryptojacking works by stealing other people’s processing power and using it to mine cryptocurrencies. This is usually achieved with javascript running behind the scenes on websites, but it’s also possible to hijack machines and servers to run full-blown cryptocurrency mining software, which could be installed either by malware or by rogue employees.
It’s a bit like someone else borrowing your car to drive deliveries and earn money behind your back, using up your gas and leaving you with added wear and tear on your vehicle in the process.
11.3% of inbound traffic is fake or fraudulent. Download our FreeState of Fake Traffic 2023report to learn more.
Breaking Down a JavaScript Crytomining Attack
The image above succinctly describes the process of a client-side cryptojacking attack, but to better understand this process, let’s take a closer look at the steps in the attack. For a more detailed breakdown of common cybersecurity attack techniques (and how to mitigate them), check out our recent blogs on Cyberattacks and the OSI model.
Step One: Finding an Injection Point
For starters, would-be attackers need to identify a target. To do this, hackers may employ automated scanning tools, such as vulnerability scanners or web application scanners, to quickly scan a large number of websites for common security issues like outdated software versions, misconfigurations, or known vulnerabilities in web applications. They may also target specific web application frameworks or popular plugins in a supply chain attack.
Step Two: Creating Malicious Code
Once a target has been selected, the attacker crafts a piece of JavaScript code specifically designed for cryptocurrency mining. This may sound complex, but the barrier to entry is actually shockingly low.
Simply signing up for a mining pool and pasting a couple of lines of code into the source of a website is all it takes for an attacker to set up a shop.
Cryptojacker’s code typically uses libraries or frameworks which provide out-of-the-box mining functionality. These tools provide a pre-written JavaScript code snippet that typically contains the necessary mining algorithms, communication protocols with mining pools, and configurations for mining parameters.
And hackers aren’t limited when choosing how they are going to inject a miner into your website. In the course of our research, we found thousands of live samples, including cryptoloot, coinimp, jsecoin, crypto-webminer, cryptonoter, monerominer, deepminer, and coin-have.
The code used by the mining operations is top-notch. It’s designed using the latest technology to get the most out of a computer CPU. Hackers implement web assembly, a portable binary code in javascript capable of utilizing low-level languages such as C, so miners are able to get the most from the CPU of website users. This not only gives them the best access to the victim’s CPU for computation but has the added benefit of being really hard to detect by reading the source code of a website. In the industry, we refer to this technique as obfuscation.
Step Three: Code Injection
Next, the attacker injects the malicious JavaScript code into the target website or web application. There are various methods for injection, including exploiting vulnerabilities like Cross-Site Scripting (XSS) or directly modifying the website’s source code.
Step Four: Execution and Mining
Now, when a user visits the compromised website, their browser loads the web page and executes the injected JavaScript code automatically. The code runs in the background, leveraging the user’s device’s processing power. The mining script collaborates with other miners in a mining pool or operates independently.
It continuously solves cryptographic puzzles or algorithms to validate and confirm transactions on the cryptocurrency network. Once a miner successfully solves a puzzle, they create a new block and receive a reward in the form of cryptocurrency.
As the mining process progresses, the victim’s device experiences increased CPU or GPU usage, causing the system to work harder and generate additional heat. This can lead to device slowdowns, reduced battery life, and potential hardware damage in extreme cases.
While researching Cryptojacking, our laptops heated up, and fans kicked on. Cryptojacking not only degrades the performance of users’ computers but shortens the life of their computer’s components. For site owners, cryptojacking degrades page performance as well as user experience, ultimately driving visitors away from your site.
Step Five: Concealment and Persistence
To avoid detection, the attacker may use techniques like code obfuscation or periodically change the location of the injected script.
How prolific is cryptojacking?
In our research, we saw compromised websites as low as personal blogs up to top Alexa-ranked websites being affected by Cryptojacking. No single vulnerability is being exploited to compromise these websites but we are seeing an uptick in mining operations online.
Historically, cryptojackers either leveraged JavaScript-based cryptojacking services, such as Coinhive, which gained attention in 2017, or relied on compromised plugins or malicious browser extensions to deliver malicious JavaScript.
One notable example is the faceXworm attack, which used social engineering techniques to trick users into downloading and installing a malicious browser extension, which gained access to the victim’s Facebook account and sent malicious messages to the victim’s friends, further spreading the infection.
The extension injected malicious JavaScript code into Facebook pages, enabling it to hijack the victim’s browsing sessions. It targeted cryptocurrency-related pages, such as those providing information about ICOs (Initial Coin Offerings), and injected cryptojacking scripts to mine Monero cryptocurrency using the victim’s device resources.
Following the cryptocurrency crash of November 2022 and subsequent lowered cryptocurrency values, some attackers have turned to new techniques that target valuable cloud and server resources for cryptomining. Some attackers have begun exploiting free trials on some of the largest continuous integration and deployment (CI/CD) services to deploy code and create distributed mining platforms, while others are targeting misconfigured Kubernetes and Docker instances to gain access to the host systems and run cryptomining software.
Other attackers have turned to targeting server-side resources. ProxyShellMiner, for example, exploits three vulnerabilities in Microsoft Exchange servers to install a Monero miner on compromised machines.
What can you do to prevent cryptojacking?
So, what can you do about cryptojacking? The first step is to know the signs. Then, as you may guess, there are two different ways of mitigating its effects: detection and defense. Detecting cryptojacking isn’t always easy, but defense is even trickier.
Cryptojacking Detection
The first thing to consider is whether or not your website is being cryptojacked. Here are some things to check:
- Are you getting HTTP requests for Bitcoin and Monero transactions on your site?
- Are you getting suspicious JavaScript errors when accessing your site?
- Does your computer heat up and run the fan when you access your website?
If you’re concerned about cryptojacking on your business network, you could also use a network monitoring tool to look for unusual resource usage.
No matter how it’s done, mining cryptocurrency is a massive resource hog, which gives some telltale signs, such as abnormally high CPU or GPU usage. Especially in off-business hours when machines should be less active. A simple way to look for abnormal use would be to set up alerts for when CPU usage exceeds a certain threshold in off-hours or on machines that don’t typically perform CPU-intensive tasks.
Defense
From the user’s perspective, the most obvious defense against cryptojacking would be to block javascript from running on their browser, but this could make for a pretty poor internet experience. However, there are plenty of browser plugins, such as No Coin and MinerBlock, that can help the user block known cryptojacking scripts.
For a site owner, things are a bit more difficult. In order to definitively prevent cryptojacking on your website, you need full visibility into the code running on your website, as well as any third-party connectors and plugins, and the ability to unilaterally block unwanted code.
A client-side security platform will let you perform frequent audits of your website’s javascript content and security and will help you block unknown scripts from ever running on the client-side, thus blocking injection-based attacks like formjacking, payment card skimming, and, yes, cryptojacking.
