Cryptojacking is the malicious use of a victim’s computer to mine cryptocurrency, and is a growing problem for both individual users and companies. If you’ve never heard of it before, that’s likely because, up until recently, cryptojacking was a fairly niche concern. But there’s been a rise in the practice during recent years.
Cryptojacking works in a fairly simple way, but that doesn’t mean it’s easy to detect or defend against. These attacks often work by getting a victim to click a malicious link in an email that then loads crypto mining code onto their computer - or by infecting an online ad with JavaScript code that executes through a browser.
Whichever method is used, crypto mining code then runs in the background of a victim’s computer and generates profits for an attacker. For most users, the only indication they’ve been cryptojacked is slightly slower performance, which is why these attacks are so hard to detect.
The Increasing Cost of Cryptojacking
It’s very difficult to assess the scale of cryptojacking, not least because many of the scripts used to hijack victims’ computers are based on legitimate crypto mining software. There is no doubt, however, that the practice is widespread. This rapid growth is due partly to the fact that cryptojacking relies on techniques developed to facilitate a much older form of attack: botnets. Indeed, some cryptojacking mechanisms make explicit use of botnets. The rise in cryptojacking is being driven by how easy it is to implement. It relies on attack vectors that have long been used to deliver ransomware, or to build botnets, which all but guarantees a successful infection will generate revenue for an attacker. With ransomware, criminals are reliant on users paying a ransom, whereas cryptojacking software will run silently in the background, slowly generating income.
How It Works
There are essentially two methods of implementing a cryptojacking attack, and both are quite similar to other forms of attack.
The first is to trick a user into loading crypto mining software onto their computer, as with the recent BadShell attack – a “file-less” malware that did not require a download. The techniques used to do this resemble those used in phishing attacks. A common method, for instance, is to send users a legitimate-looking email encouraging them to click a link. If a user does so, a crypto mining script is loaded onto their computer, and runs silently in the background whenever that machine is on.
The second major method is using scripts embedded in websites to run crypto mining software in a victim’s browser. By far the most common example is use of JavaScript advertisements: By inserting malicious code into the JS scripts that sit behind these, a user’s browser can generate cryptocurrency without their knowledge.
The consequences of infection may sound benign, but they are not. Whilst cryptojacking does not aim to steal information or otherwise damage a victim’s computer, it may be used to deliver malicious code that can. In addition, even if the only outcome of an infection is to slow down a user’s machine, companies can lose significant revenue in tracking down performance issues, or even replacing components that have been wrecked by the demands of crypto mining.
How to Detect It
Cryptojacking can be pretty hard to detect, but there are a few sure signs that your machine, or those of your employees, are infected:
Firstly, don’t rely on standard anti-virus tools or scanning software. One of the factors that makes cryptojacking so hard to detect is that many of the scripts used in these attacks are in fact legitimate crypto-mining scripts - and so will not be detected as malware by signature-based security tools.
Instead, look for signs your systems are working harder than they should. Mining cryptocurrency is designed to be a CPU-intensive task, after all, and so a good indication of infection is a machine overheating. If you are in a business environment, this may manifest as a sudden spike in employee complaints about poor performance, or a noticeable increase in CPU wastage through overheating.
Of course, machines working harder than they should can be an indication of many different types of attack, but any sudden decrease in performance should be taken as a flag to investigate potential infection.
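The check described above, written out as an added example (not part of the original article): it flags machines whose CPU load jumped well above their own earlier baseline and stayed there, while ignoring short spikes and machines that are always busy. The host names, the 5-minute sampling interval and the thresholds are assumptions chosen for illustration.

```python
from statistics import median

# Constructed sample telemetry: host -> CPU utilisation (%) sampled every 5 minutes.
SAMPLES = {
    "ws-014":   [12, 15, 11, 14, 13, 96, 97, 95, 98, 97, 96, 97],  # sudden, sustained jump
    "ws-022":   [10, 12, 88, 14, 11, 13, 12, 91, 12, 10, 11, 13],  # brief spikes only
    "build-01": [92, 95, 94, 93, 96, 95, 94, 93, 95, 96, 94, 95],  # always busy by design
}


def longest_run_above(values, threshold):
    """Length of the longest consecutive run of samples above threshold."""
    best = run = 0
    for value in values:
        run = run + 1 if value > threshold else 0
        best = max(best, run)
    return best


def flag_sustained_load(samples, baseline_len=5, jump=40, min_run=6):
    """Return hosts whose CPU rose at least `jump` points above their own
    baseline and stayed there for `min_run` consecutive samples.

    The baseline is the median of the first `baseline_len` samples, so one
    stray spike in the baseline window does not distort it.
    """
    flagged = {}
    for host, series in samples.items():
        baseline = median(series[:baseline_len])
        recent = series[baseline_len:]
        run = longest_run_above(recent, baseline + jump)
        if run >= min_run:
            flagged[host] = {"baseline": baseline, "run": run}
    return flagged


if __name__ == "__main__":
    for host, info in flag_sustained_load(SAMPLES).items():
        print(f"{host}: baseline {info['baseline']}%, "
              f"{info['run']} consecutive high samples - investigate")
```

A flagged host is a lead for investigation rather than proof of mining, since sustained load has many other causes.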
How To Prevent It
Because cryptojacking attacks use techniques very similar to those used in more ‘traditional’ types of cybercrime, the methods to protect against them should already be familiar.
Primarily, be aware of the dangers of phishing-type attacks. Your security training should include building awareness of what attacks look like, and particularly signs that an attacker might be trying to load malicious code.
Because many cryptojacking attacks are implemented through users’ web browsers, improve security on them as well. There is a range of easy ways to improve web browser security. Use a web browser that’s built with security in mind, and use a good ad blocker to disable potentially malicious scripts. Web browser security can also be improved by using a quality VPN, and there are several widely available add-ons specifically designed to detect and block crypto mining scripts.
Beyond this, successfully defending against cryptojacking relies on techniques used to protect against any other form of attack. If your employees bring their own devices to work, this can also be a source of infection when these devices use the same networks or are connected to internal systems. That being the case, be sure to use mobile device management software to manage what’s on them. Above all, keep the software up to date, including browser extensions and the apps on mobile devices.
A Final Word
Whilst the consequences of pure cryptojacking attacks may be limited to decreased performance, this does not mean they’re benign. Rather, becoming the victim of cryptojacking should be a wake-up call: If an attacker manages to load malicious code onto your (or your employees’) machines, this is an indication your security is not as strong as it should be.
Resource Links:
Learn more about key solutions that help your business stay one step ahead of attackers:
https://www.globalsign.com/en/enterprise/
https://www.globalsign.com/en/secure-email/
https://www.globalsign.com/en/managed-pki/
Take a closer look at the challenging cybersecurity landscape – and how your business can stay safe:
https://www.globalsign.com/en/company/blog/articles/how-to-spot-a-fake-website/
About the Author
Sam Bocetta is a freelance journalist specializing in US diplomacy and national security, with emphasis on technology trends in cyber-warfare, cyber-defense, and cryptography. You can visit his site here.