Cryptojacking Is a New and Dangerous Cyber-Threat

Like a good ninja, a cryptojacker can attack without your ever realizing he's there.

It seems that every day, the world and some bad people in it think of new ways to gain resources that do not belong to them. Theft, in general, is as old as humanity — but as we move toward the 22nd century, technology is gaining steam, and there are more ways than ever before for thieves to steal your currency.


Using the word "currency" rather than "money" draws an important distinction, since toilet paper is worth as much as the U.S. dollar, given the right conditions. Money has many forms, however, and stealing paper dollars is just one means of illicitly acquiring wealth. Online theft also has many forms, and now there's a new form of web-based thievery that targets a new form of web-based currency.


Cryptojacking is a relatively new means of theft. How does it work? Cryptojacking is the secret use of "borrowed" computing devices to mine cryptocurrency. Any cryptocurrency can be acquired this way, and the worst news is that the owner of a "jacked" device might never know what's being done.


It used to be that a program had to actually be installed on a targeted computer in order for a hacker to seize control of it. The most sophisticated cryptojacking attacks, however, work in-browser, without needing any programs installed to take control of the resources of the targeted PC. If surfing the web in seach of (whatever) connects you to an infected site, your device could be compromised.


Cryptojacking steals cryptocurrency straight up, but it also uses power and system resources from a jacked PC or data center, and you are paying for those. A large- or ever moderate-scale hack of business machines, or worse yet an infection of corporate web properties, if exposed, could further damage a company's brand and reputation. These is no telling what type of impact or costs that could have on the future health of the attacked company.


What Cryptojacking Is


In-browser cryptojacking attacks work off of Javascript on a simple webpage. A couple of years back, the website of cybersecurity association EC-Council was hacked using the same tech. More and more people, however, consider that any cryptomining activities which are not intentional should be considered cryptojacking. Also, to clarify, there are generally two methods of cryptojacking: browser-based and server-based.


JavaScript runs every single time on just about every website you visit, so the JavaScript code responsible for in-browser mining does not need to be installed. It is browser agnostic and will execute without your knowing what has happened. You simply load the page, and the in-browser mining code executes.


The hacker doesn't need you to install anything, or click anywhere to opt-in. There are none of the usual "You won the lottery" or "Click here to fix your computer" gimmicks. Much of the reason cryptojacking is so popular is that it's a highly efficient way for thieves to get their hands on crypto-currency and involves very little risk of discovery and exposure.


It's a cheaper and more profitable alternative to other attacks such as ransomware, where a thief prevents access to your files, and then you pay them a certain amount to regain access. Even though most experts currently advise ransomware victims to simply pay up, accepting payment leaves a trail that can potentially be followed.


Why Thieves Prefer It


With Cryptojacking, there is simply no trace. Close to 100 percent of cryptojacking-infected machines can be used to mine cryptocurrency, which has real-world value. A thief can trade bitcoin for American dollars with little risk of being identified. And an effective cryptojacking attack runs secretly and can go undetected for a considerable length of time.


Even if a user discovers the malicious code that runs a cryptojacking operation, it is extremely difficult to trace cryptojacking back to the source of the attack. Expert may find a trail but rarely do such trails lead to anything.


Cryptojacking also causes very little collateral damage. Unlike other attacks, which may result in loss or corruption of data, or even do damage to physical resources, cryptojacking does not result in destruction of property. This can sometimes lessen the motivation to find and prosecute attackers, meaning that cryptojacking is sometimes seen as a low-priority crime for law enforcement officials.


How It Works


Data centers can be a vulnerable point of attack for cryptojackers.

If executing the the in-browser method, the cryptojacker injects lines of JavaScript into a website or online ad. When you visit an infected site, the script auto executes and uses your system resources to mine cryptocurrency (which involves solving complex mathematical equations).


It's important to note that browser-based cryptojacking is browser agnostic, meaning that you could be attacked whether using Chrome, Firefox, Edge, or any other browser.


Let's start by looking at a typical in-browser cryptojacking attack called Coinhive. Coinhive is a JavaScript library launched in 2017. Coinhive mines a cryptocurrency called Monero (XMR). The algorithm used to calculate the hashes, called Cryptonight, was designed to run well on consumer CPUs.


That is to say that it will run fine on a consumer PC. One miner, using one machine, is not going to get rich. A miner who controls a whole array of PCs, on the other hand, can amass a small fortune relatively quickly.


In that sense, cryptojacking is quite similar to bot farming. The key difference is that computers can typically only be linked into a botnet after certain software has been installed. In a cryptojacking attack, the attacked is simply executing code. This would be amazing tech if it were not being used to steal.


A compromised website can use client computers to mine any cryptocurrency. The money mined by the browser-based scripts is credited from Coinhive to the website's owner or administrator, which raises an important point: While infected sites will serve the purpose, it's also possible for a hacker to build his or her own site, stock it with "sticky" (and often stolen) content, and simply execute a cryptojacking attack against anyone who happens to land there.


Using Coinhive, an individual can get the number of hashes solved for a user account, withdraw hashes, verify tokens and programmatically create short links. Unlike popular miners, Coinhive does not provide any specific information about the account owner because of the privacy terms.


Who Is at Risk?


Individuals and organization at risk range from anyone who browses questionable web sites to data center owners. A data center, with its densely packed computer power can provide a thief with enough raw computing power and bandwidth that they will be rich if not discovered.


Because there are no real solutions for in-browser cryptojacking, detection and prevention of cryptojacking in the data center has become the main challenge for security vendors. Tesla and Amazon were victimized by attacks on their Kubernetes console. By the time they discovered the attack, the cryptojacker had moved into their entire S3 environment. What this shows you is that anyone can be affected, and the attacks get more and more stealthy while the targets get more and more dispersed.


For detection of this type of attack, a company can install a very large-scale virus protection and prevention system, set up in-browser protection, and have a team understand how to see these attacks. Just with this explanation, we can see that in-browser cryptojacking is simpler and therefore prevention is relatively easier.


There are already free browser plugin extensions available, such as nocoin or coinblock, which can block cryptojacking on endpoints. These tools can help protect against in-browser cryptojacking. You can also install Malwarebytes, or any other system that works, into your browser.


No matter what you choose to use protect your devices or your datacenter, the main component in any recipe for success is people. User training and user security "hygiene" are the most important factors.


Educating users about cybersecurity best practices is the very best step toward helping them recognize when they have been affected and how their machine or website responds to attacks. Education can also help to underline where not to wander on the web. Make your users smarter and, in general, you will see fewer problems.


Cryptojacking is diabolically efficient and can be lucrative for the thieves who employ it. For any Information Technology security professional engaged in battling the growing onslaught of new attacks, this is one that you will need to become well versed in.


Would you like more insight into the history of hacking? Check out Calvin's other articles about historical hackery:
About the Author
Nathan Kimpel is a seasoned information technology and operations executive.

Nathan Kimpel is a seasoned information technology and operations executive with a diverse background in all areas of company functionality, and a keen focus on all aspects of IT operations and security. Over his 20 years in the industry, he has held every job in IT and currently serves as a Project Manager in the St. Louis (Missouri) area, overseeing 50-plus projects. He has years of success driving multi-million dollar improvements in technology, products and teams. His wide range of skills include finance, ERP and CRM systems. Certifications include PMP, CISSP, CEH, ITIL and Microsoft.