What is Crypto-jacking?

Crypto-jacking is the unauthorized use of someone else's computing resources to mine cryptocurrency. Hackers do this either by getting the victim to click a malicious link in an email that loads crypto-mining code onto the computer, or by infecting a website or online ad with JavaScript that runs automatically once it loads in the victim's browser. Either way, the mining code then works in the background while unsuspecting victims use their computers normally. The only sign they might notice is slower performance or lag.

How Crypto-jacking Works

Hackers have two primary ways to get a victim's computer to secretly mine cryptocurrencies. One is to trick victims into loading crypto mining code onto their computers. This is done through phishing-like tactics: Victims receive a legitimate-looking email that encourages them to click on a link. The link runs code that places the crypto mining script on the computer. The script then runs in the background as the victim works.

The other method is to inject a script into a website, or into an ad that is delivered to many websites. Once victims visit the site or the infected ad loads in their browsers, the script executes automatically. Nothing is written to disk on the victims' computers; the miner lives only in the browser process, so it stops when the page is closed. Whichever method is used, the code performs the proof-of-work hashing that mining requires on the victims' CPUs and submits the results to a mining pool or server that the hacker controls.
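The "complex mathematical problems" a miner solves are really a brute-force search for a hash below a target. The following is an added illustration, not code from the original article or from any miner: a toy proof-of-work loop in the Bitcoin style (double SHA-256 over a header and a nonce). The header bytes and difficulty are constructed sample input. Monero, the coin named later on this page, uses the memory-hard RandomX function rather than SHA-256, but the search loop has the same shape, and it is this loop that pins a victim's CPU.

```python
import hashlib
import struct
from typing import Optional, Tuple


def block_hash(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 over header || 32-bit little-endian nonce.

    Bitcoin-style construction used purely to illustrate the workload;
    real coins differ in the hash function, not in the search loop.
    """
    data = header + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True when the digest, read as a 256-bit big-endian integer, has at
    least `difficulty_bits` leading zero bits, i.e. it falls below the target."""
    return int.from_bytes(digest, "big") >> (256 - difficulty_bits) == 0


def mine(header: bytes, difficulty_bits: int,
         max_nonce: int = 1 << 32) -> Optional[Tuple[int, bytes]]:
    """Brute-force the nonce. Every attempt costs a full hash computation and
    on average 2**difficulty_bits attempts are needed, which is why a miner
    consumes every CPU cycle it can get. Returns (nonce, digest), or None if
    the nonce space is exhausted without a solution."""
    for nonce in range(max_nonce):
        digest = block_hash(header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest
    return None


def expected_attempts(difficulty_bits: int) -> int:
    """Mean number of hashes per solution: the target admits 2**-bits of the space."""
    return 1 << difficulty_bits


if __name__ == "__main__":
    # Constructed sample input; any bytes will do.
    header = b"constructed block header for illustration"
    bits = 16
    found = mine(header, bits)
    assert found is not None
    nonce, digest = found
    print(f"difficulty {bits} bits: nonce={nonce} hash={digest.hex()} "
          f"(~{expected_attempts(bits)} attempts expected)")
```

Raising `bits` by one doubles the expected work; a real network target is high enough that a single CPU earns only a tiny fraction of a coin per day, which is why an attacker needs hundreds or thousands of hijacked machines for the scheme to pay.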

Hackers often use both methods to maximize their return. "Attacks use old malware tricks to deliver more reliable and persistent software [to the victims' computers] as a fallback," says Alex Vaystikh, CTO and cofounder of SecBI. For example, of 100 devices mining cryptocurrencies for a hacker, 10% might be generating income from code on the victims' machines, while 90% do so through their web browsers. Some crypto mining scripts have worming capabilities to infect other devices and servers on a network. Worming also makes them harder to find and remove, and maintaining persistence on a network is in the crypto-jacker's best financial interest.

To increase their ability to spread across a network, crypto mining malware may carry multiple versions of its payload to account for the different CPU architectures present on the network. In one example described in an AT&T Alien Labs blog post, the code downloads the implant for each architecture in turn until one runs. The scripts might also check whether the device is already infected by competing crypto-mining malware and, if another miner is detected, disable it. As the same post notes, a crypto-miner might also have a kill-prevention mechanism that executes every few minutes.

Unlike most other types of malware, crypto-jacking scripts do not ordinarily damage computers or victims' data. What they steal is CPU time, and the electricity that goes with it. For individual users, slower computer performance might be just an annoyance. Organizations with many crypto-jacked systems can incur significant costs in help desk and IT time spent tracking down performance issues and replacing components or systems in the hope of solving the problem.
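Because the only visible symptom is CPU consumption, the practical question for a help desk is how to tell a host-based miner from a legitimately busy process. The triage script below is an added example, not code from the original article or from any vendor: it reads a process snapshot in the layout of `ps -eo pid,pcpu,etimes,user,comm,args --no-headers` (the sample here is constructed) and scores each process on three heuristics. The command-line indicators (a `stratum+tcp://` pool URL, an xmrig-style `--donate-level` option, well-known miner binary names), the temp-or-hidden-path check, and the CPU and runtime thresholds are assumptions chosen for illustration and should be tuned to the environment.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Thresholds are assumptions for this example: a miner runs at near-full CPU
# for hours, whereas a build or transcode is usually short-lived.
CPU_PCT_THRESHOLD = 80.0
SUSTAINED_SECONDS = 3600

# Command-line indicators typical of CPU miners.
CMDLINE_IOCS = [
    (re.compile(r"stratum\+(tcp|ssl)://", re.I), "mining pool URL (stratum) in command line"),
    (re.compile(r"--donate-level", re.I), "xmrig-style --donate-level option"),
    (re.compile(r"\b(xmrig|minerd|cpuminer)\b", re.I), "known miner binary name"),
]

# Executables or scripts launched from world-writable or hidden locations.
DROP_PATH = re.compile(r"(^|\s)(/tmp|/var/tmp|/dev/shm)/|/\.[^/\s]+/")

# Constructed snapshot; no real host produced these lines.
SAMPLE_PS = """\
 1412  1.2  86400 root     sshd      /usr/sbin/sshd -D
 2231 97.8  52000 www-data sysupdate /tmp/.X11-unix/sysupdate -o stratum+tcp://pool.example:3333 -u WALLET_REDACTED --donate-level=1
 2560 45.0    120 alice    ffmpeg    ffmpeg -i in.mp4 out.webm
 3071 95.5   9000 nobody   sh        sh -c /dev/shm/.x/run.sh
 3990  0.3  43000 alice    chrome    /opt/google/chrome/chrome --type=renderer
"""


@dataclass
class Finding:
    pid: int
    user: str
    command: str
    reasons: List[str]


def parse_ps(snapshot: str) -> Iterator[Tuple[int, float, int, str, str, str]]:
    """Yield (pid, %cpu, elapsed seconds, user, comm, args) per line.
    args may contain spaces, so split at most five times."""
    for line in snapshot.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        pid, pcpu, etimes, user, comm, args = parts
        yield int(pid), float(pcpu), int(etimes), user, comm, args


def triage(snapshot: str) -> List[Finding]:
    """Flag processes that match at least one miner heuristic.
    High CPU alone is not enough: it must also be sustained."""
    findings: List[Finding] = []
    for pid, pcpu, etimes, user, _comm, args in parse_ps(snapshot):
        reasons: List[str] = []
        for pattern, label in CMDLINE_IOCS:
            if pattern.search(args):
                reasons.append(label)
        if DROP_PATH.search(args):
            reasons.append("executable or script under a temp/hidden path")
        if pcpu >= CPU_PCT_THRESHOLD and etimes >= SUSTAINED_SECONDS:
            reasons.append(f"{pcpu:.0f}% CPU sustained for {etimes // 3600}h")
        if reasons:
            findings.append(Finding(pid, user, args, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PS):
        print(f"pid {f.pid} ({f.user}): {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample, the short-lived transcode and the idle browser are left alone while the two long-running processes started from temp paths are reported, one of them with the pool URL that confirms the diagnosis. The browser-based variant described earlier leaves no process of its own to find; there the symptom is a renderer process that stays busy on one tab, and the evidence lives in the page's scripts and network connections rather than on disk.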

Why Crypto-jacking is Popular

No one knows for sure how much cryptocurrency is mined through crypto-jacking, but there is no question that the practice has been rampant. Browser-based crypto-jacking grew fast at first but seems to be tapering off, likely because of cryptocurrency price volatility and the closure in March 2019 of Coinhive, the most popular JavaScript miner, which was also used for legitimate crypto mining. The 2020 SonicWall Cyber Threat Report reveals that the volume of crypto-jacking attacks fell 78% in the second half of 2019 following the Coinhive closure.

The decline began earlier, however. Positive Technologies' Cybersecurity Threatscape Q1 2019 report shows that crypto-mining accounted for only 7% of all attacks, down from 23% in early 2018. The report suggests that cybercriminals have shifted more toward ransomware, which is seen as more profitable.

"Cryptomining is in its infancy. There's a lot of room for growth and evolution," says Marc Laliberte, threat analyst at network security solutions provider WatchGuard Technologies. In January 2018, researchers discovered the Smominru crypto mining botnet, which infected more than half a million machines, mainly in Russia, India, and Taiwan. The botnet targeted Windows servers to mine Monero, and cybersecurity firm Proofpoint estimated that it had generated as much as $3.6 million in value as of the end of January. In addition, crypto-jacking doesn't even require significant technical skills. According to the Digital Shadows report "The New Gold Rush: Cryptocurrencies Are the New Frontier of Fraud," crypto-jacking kits are available on the dark web for as little as $30.

The simple reason why crypto-jacking is becoming more popular with hackers is more money for less risk. "Hackers see crypto-jacking as a cheaper, more profitable alternative to ransomware," says Vaystikh. He explains that a hacker might get three people to pay for every 100 computers infected with ransomware. With crypto-jacking, all 100 infected machines work for the hacker to mine cryptocurrency. "[The hacker] might make the same as those three ransomware payments, but crypto mining continuously generates money," he says.

The risk of being caught and identified is much lower than with ransomware. The crypto mining code runs surreptitiously and can go undetected for a long time. Once discovered, it is tough to trace back to the source, and the victims have little incentive to do so since nothing was stolen or encrypted. Hackers tend to prefer privacy-focused cryptocurrencies like Monero and Zcash over the more popular Bitcoin because they make it harder to track the illegal activity back to them.

To learn more about crypto-jacking or other cybersecurity risks, reach out to your Pendello Solutions team today. As cybersecurity risks evolve, so do our experience and tactics. Let us guide you through the process of becoming cybersecurity ready.