Why cybercriminals are turning to cryptojacking for easy money

The cryptocurrency market has seen an incredible amount of attention and hype over the last year, culminating with Bitcoin values soaring by more than 1,300 percent in 2017. Although the price has since tumbled and attitudes to crypto in general have calmed it is still seen as valuable venture amongst investors and consumers alike. Unsurprisingly, this interest extends to cyber criminals, who are always ready to sniff out potential new methods of making cash quickly and easily.

Mining cryptocurrency at any meaningful scale is a complex operation requiring a large amount of computer power, and the best way to achieve this is by leveraging a number of machine CPUs (or GPUs) to harvest cryptocurrencies such as Bitcoin and Monero. While this is perfectly legal with the user’s permission, criminals will use malware and web scripts to co-opt a user without their knowledge, an approach known as cryptojacking.

Most cryptojackers conduct their campaigns using Monero, as the currency is the most popular one to provide anonymity to its users and activities. This means criminal users are free to collect and spend their illicit earnings without scrutiny. Monero is also much easier to mine than Bitcoin and requires less work before criminals start seeing returns.

Contrary to popular belief however, mining is not an easy path to wealth. A website running a mining script is likely to make less than a dollar a day, so unless the criminal is satisfied with making enough money for a cup of coffee a week, they will need to think bigger. Enterprise networks are an ideal target, as they will allow the attacker to gain access to thousands of machines.

How cryptojackers operate

Cryptojacking can be achieved by inserting mining malware onto unwitting users’ PCs, mobile and Internet of Things devices, usually delivered through phishing emails or clicking on malvertising. However, this kind of mining has become somewhat rare as ransomware is generally a more profitable option for a malware-based attack.

Instead, most of the mining we observe comes in the form of compromised web pages. This tactic is incredibly easy and involves almost no skill, making it very attractive for criminals after additional revenue with little effort. All the would-be miner needs to do is insert a dozen or so lines of script into a web site’s code, and they are ready to begin.

Coinhive is one of the most popular choices for cybercriminals to exploit, as the JavaScript-based programmes are premade for them, easy to use and mine the anonymous Monero currency. The script is so prolific that it was found to be present in 13 of the Alexa top 1000 sites. Coinhive is also used by legitimate mining operations that have asked for the visitor’s consent but can very easily be slipped into a compromised web site’s code without the site’s owners or visitors being any the wiser.

The more users unwittingly running the script the faster it will generate currency, so sites with very high traffic are popular targets. As these scripts only work if the site remains open in the web browser, it is also preferable to target a site that users will stay on for extended periods. Streaming websites are a popular choice as the window will naturally be left open for hours at a time.

This also makes enterprise portals and home pages an ideal target, and perfectly suited for a watering hole attack where the attacker will seek to hit as many victims as possible through a single point they know the victims will visit regularly. Corporate sites, particularly those belonging to larger organisations, can net the miner several thousand visitors on a daily basis, many of which may leave the site open throughout the working day. Criminals will also employ other tactics to keep the script active, such as using “pop-unders”, which appear behind the active windows to escape notice.

Cryptojacking impact

Cryptojacking is generally regarded as a somewhat minor threat, and indeed is certainly less damaging than attacks such as ransomware, which can immediately cripple a business’s operations.

However, crypto-based attacks can have several negative consequences for an enterprise, and they should not be underestimated. The additional processing resources stolen by mining scripts can significantly slow down the performance of an enterprise network, including mission-critical operations. A severe-enough case could effectively cause a DDoS-type situation, overwhelming and disabling the network.

While the additional strain may cause a laptop or desktop device to grow somewhat warmer, there have been several reports of mobile devices heating up to such an extent that the device suffered physical damage. The huge number of smartphones in use means mobile devices are a good target for cryptojacking, and I anticipate this problem becoming more common in the near future. The combination of an infected corporate page and a workforce equipped with lower-end mobile devices could be a major problem.

Organizations may also see a financial hit from the additional IT resources used to troubleshoot crashes and computer slowdowns, not to mention the added charge to the company’s electric bill every month.

Further to the effects of the mining itself, having its website compromised with malicious mining script can be a serious reputational blow to an organisation. Such an obvious lapse in security is never good, and there have been several cases of customers mistakenly believing that organisations were carrying out cryptomining in secret.

Closing the crypto-mines

While the ongoing crypto-boom has made cryptojacking more notable, overall, organisations should treat these attacks like any other cyber threat. One of the most important steps is risk assessment, and organisations should be aware of how attractive their network is as a target and what the most likely avenues of attack are.

Website owners should undertake thorough server auditing to root out hidden mining scripts. By monitoring access and changes to their web code, they can quickly detect attempts to insert malicious code. Ensuring that security best practice is followed, particularly keeping patching up-to-date, will prevent the vast majority of attempts to tamper with web code.

Businesses can also take additional steps to ensure their workforce has not been shanghaied into illegal mining. Because its main impact is draining processing power, cryptomining is harder to spot than most malicious activity, but behavioural analytics can identify signs such as users calling on larger than normal amounts of processing power.

With some additional awareness and due diligence, organisations can protect their reputations and operational stability from being sacrificed to an illegal cryptomining operation.