Cryptojacking up 8500% in Q4 2017 – Here’s how to defend against it

Cryptocurrency is fueling a new kind of cyber attack: cryptojacking

A new report from Symantec shows that over the last three months of 2017, instances of cryptojacking rose by an incredible 8500%. Cryptojacking is the practice of hijacking computers to use their processing power to mine cryptocurrency.

Per Symantec, cryptojacking attacks accounted for nearly a quarter (24%) of all online attacks in the month of December, and represented 16% of all attacks over the last three months of 2017.

“Cybercriminals use coin miners to steal victims’ computer processing power and cloud CPU usage to mine cryptocurrencies,” stated the report. “Victims may not even realize a coin miner is slurping their computer’s power as the only impact may be a slowdown of their device that they could easily attribute to something else.”

It’s not just computers and phones that are being targeted, either. Symantec also noted a 600% increase in attacks on IoT (internet of things) devices. So, what can you do to help defend against these attacks? Let’s Hash it out.

Where did Cryptojacking Come From?

Cryptojacking has a relatively interesting backstory, and it starts with the blockchain technology that powers Bitcoin. We’ve covered it a little more in depth before, but here’s a quick version. I’ll be referring specifically to Bitcoin for this explanation, but what I’m describing affects other cryptocurrencies as well.

Bitcoin’s blockchain is a decentralized ledger that records transactions. What powers the blockchain is a concept called proof of work. As transactions are made they are broadcast and compiled into blocks by nodes called “miners.” These miners race to complete each block. To do so they use the processing power at their disposal to search for what is called a “hash” that is valid for the block. When such a hash is found, the block is complete, a new block begins and the process starts anew. All of the other miners add the finished block to their chains and start working on the hash for the new one.

Basically, the miners are using processing power to solve a complicated math problem. When they do, that is, when a valid hash is found, the miner receives a reward in the form of whatever cryptocurrency they’re mining. The exact size of the reward depends on other factors, but for a long time, and especially around the end of 2017 when Bitcoin was trading at record highs, there has been a kind of arms race between miners looking to collect big.

A Cryptojacking Arms Race

The thing about the proof of work concept that has made Bitcoin so successful will also be the same thing that makes it all collapse: the amount of work that actually needs to be done to find a hash. Initially, proof of work was designed so that finding the hash would be difficult enough to protect the system from attack, but easy enough that block generation wouldn’t be stunted. And it needed to be easy to check, too, so that every node can verify a block before adding it to its chain.

The resulting method was proof of work, which allows for regular block generation but requires miners to exert a constantly increasing amount of processing power in order to keep finding the hash. This has not scaled well.
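As an added illustration (not part of the original article), here is a toy hash-based proof of work in Python: the nonce search is the “work” described above, the difficulty parameter plays the role of the ever-harder hash target, and checking a claimed solution costs a single hash. The block header string is a constructed sample.

```python
import hashlib
import time


def block_hash(header: str, nonce: int) -> str:
    """SHA-256 of the block header with a candidate nonce appended (hex)."""
    return hashlib.sha256(f"{header}|{nonce}".encode()).hexdigest()


def meets_target(digest_hex: str, difficulty_bits: int) -> bool:
    """A candidate wins when its hash is below the target, i.e. its first
    difficulty_bits bits are zero. Each extra bit halves the odds per try."""
    return int(digest_hex, 16) < (1 << (256 - difficulty_bits))


def mine(header: str, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force the nonce: this loop is the 'work'.
    Returns (nonce, hash, attempts)."""
    for nonce in range(max_nonce):
        digest = block_hash(header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
    raise RuntimeError("no valid nonce found in range")


def verify(header: str, nonce: int, difficulty_bits: int) -> bool:
    """Verifying a solution is one hash, however many it took to find."""
    return meets_target(block_hash(header, nonce), difficulty_bits)


if __name__ == "__main__":
    header = "constructed-block|prev=0000abcd|txs=3"  # constructed sample
    for bits in (8, 12, 16, 20):
        start = time.perf_counter()
        nonce, digest, attempts = mine(header, bits)
        elapsed = time.perf_counter() - start
        assert verify(header, nonce, bits)
        print(f"{bits:2d} bits: attempts={attempts:>8} "
              f"time={elapsed:.3f}s hash={digest[:16]}...")
```

Running it shows attempts (and time) roughly doubling per extra difficulty bit while verification stays constant, which is why mining cost keeps rising and why stolen CPU time is attractive.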

Last November the Bitcoin network used more power than the entire Republic of Ireland. And as the Bitcoin blockchain continues to generate new blocks it becomes harder to compute the hash, meaning even more processing power is needed. And by the way, the reward keeps getting smaller. So more work for less Bitcoin. If you’re a miner, what do you do? How do you balance rising expenses with diminishing returns?

Easy, you “borrow” other people’s processing power and make them foot the bill for the power. Thus, the birth of cryptojacking, where hackers use malware to siphon off your processing power so they can mine cryptocurrency. And actually, you don’t even need to be a hacker, per se. You can find cryptojacking kits for as little as 30 dollars on the dark web.

How does Cryptojacking Work?

There are two main ways that an attacker can get someone’s computer to clandestinely mine cryptocurrency. The first, more straightforward approach is simply to trick the victim into downloading cryptomining code onto their system. This can be done in a number of ways, like using standard phishing tactics or hiding it in a mobile app.

The second method involves injecting a script into a website or an ad that will be delivered to other websites. As soon as the victim arrives at the website or the infected ad is shown, the script executes automatically. This method leaves no code stored on the victim’s computer; rather, it runs in their browser.

Whichever way the infection occurs, the cryptomining code runs, causing the compromised system to begin computing hashes and sending the results to a server controlled by the attacker. Oftentimes, attackers will use both methods to try to optimize their returns.

What’s unique about Cryptojacking is that it actually does no damage to the infected system, nor does it steal or manipulate any data. It just borrows some processing power.

How to Prevent Cryptojacking

Here are some actionable items to help you and your organization avoid Cryptojacking threats:

  • Double down on your Phishing training – While this won’t prevent the script-injection attacks that oftentimes infect computers and mobile devices with cryptomining scripts, it will help to prevent attacks that leave code on your system via social engineering. Remember, your employees represent one of your biggest security threats, so make sure to continue educating them on this and similar phishing threats.
  • Install an Ad-Blocking extension to your browser – This won’t prevent Cryptojacking by phishing, but it will help to mitigate the script-injection attacks that will have your browser attempting to mine. You may also want to look into an anti-cryptomining extension like MinerBlock, too.
  • Keep web filtering tools updated – Make sure to maintain the most up-to-date versions of your web filtering tool possible. If you do happen to run across a page that is injecting cryptomining scripts, make sure that you report it immediately, and if you’re at a company or organization, make sure your co-workers are blocked from accessing it, too.
  • Maintain your browser extensions – Sometimes attackers are able to use malicious browser extensions, or else they poison legitimate ones, in order to infect you. Stay on top of your extensions, look for any that seem to appear from out of nowhere and always check for updates.

How to know if you’ve been cryptojacked

Cryptojacking can take a huge toll, especially on large organizations with large digital infrastructures. That’s mainly because Cryptojacking is difficult to detect. As we discussed, Cryptojacking doesn’t do any damage to the infected system, and it can sometimes evade signature-based detection and antivirus tools, too. Even regular users of the compromised systems may not be able to tell they have an issue. After all, performance degradation can be caused by a litany of issues.

What you can do is train your organization’s IT department to look for subtle signs like an uptick in complaints about performance and overheating devices. But your best bet is going to be installing a network monitoring solution to monitor your perimeter and review all web traffic. A good network monitoring system is granular enough to view the activity of individual users, which helps to identify infected devices.
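To make the per-user monitoring idea concrete, here is an added Python example (not from the article or any product it mentions) that scans egress-proxy records for the JSON-RPC method names used by pool mining clients and reports which users produced them. The log format and all log lines are constructed; the method names are those of the Stratum protocol and the Monero-style pool dialect, and the port list is an assumption to tune for your own environment.

```python
import json
import re
from collections import defaultdict

# Stratum methods are "mining.*"; Monero/CryptoNote pool clients use generic
# names that also occur in ordinary web APIs, so those count only on a pool port.
GENERIC_POOL_METHODS = {"login", "getjob", "submit"}
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}  # assumption: tune per environment
LOG_LINE = re.compile(r"^\S+ user=(?P<user>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+) payload=(?P<payload>.*)$")

def is_mining_message(payload, port):
    """True when the payload is a JSON-RPC call that looks like pool mining."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return False
    method = msg.get("method") if isinstance(msg, dict) else None
    if not isinstance(method, str):
        return False
    return method.startswith("mining.") or (method in GENERIC_POOL_METHODS and port in POOL_PORTS)

def find_miners(lines, min_hits=2):
    """Aggregate suspicious messages per user, so the report names the account/device to check."""
    per_user = defaultdict(lambda: {"hits": 0, "hosts": set()})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable record; a real pipeline would count these
        port = int(m["port"])
        if is_mining_message(m["payload"], port):
            entry = per_user[m["user"]]
            entry["hits"] += 1
            entry["hosts"].add(f"{m['host']}:{port}")
    return {u: v for u, v in per_user.items() if v["hits"] >= min_hits}

# Constructed sample egress-proxy log: alice runs a Stratum miner, dave an
# in-browser CryptoNote-style miner; bob and carol are benign traffic.
SAMPLE_LOG = """\
2017-12-04T09:12:01Z user=alice dst=pool.example.net:3333 payload={"id":1,"method":"mining.subscribe","params":[]}
2017-12-04T09:12:02Z user=alice dst=pool.example.net:3333 payload={"id":2,"method":"mining.authorize","params":["w.rig1","x"]}
2017-12-04T09:13:40Z user=alice dst=pool.example.net:3333 payload={"id":3,"method":"mining.submit","params":["w.rig1","j1","00ab"]}
2017-12-04T09:14:02Z user=bob dst=api.example.com:443 payload={"id":9,"method":"login","params":{"user":"bob"}}
2017-12-04T09:15:10Z user=carol dst=cdn.example.org:443 payload=GET /assets/app.js
2017-12-04T09:16:00Z user=dave dst=198.51.100.7:14444 payload={"id":1,"method":"login","params":{"login":"WALLET","pass":"x"}}
2017-12-04T09:16:05Z user=dave dst=198.51.100.7:14444 payload={"id":2,"method":"submit","params":{"job_id":"7","nonce":"a1b2"}}
""".splitlines()

if __name__ == "__main__":
    for user, info in find_miners(SAMPLE_LOG).items():
        print(f"{user}: {info['hits']} mining messages to {sorted(info['hosts'])}")
```

Payload inspection like this only works where the proxy can see the traffic (plain TCP or TLS-intercepted sessions); for encrypted sessions you are left with the port, destination and connection-persistence signals.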

Unfortunately for the average person at home, figuring out whether you’ve been cryptojacked is much harder given that many antivirus programs won’t see the cryptomining script.

What to do if you’ve been cryptojacked

Fortunately, fixing your cryptojacked machine is straightforward. For in-browser cryptomining scripts it’s as easy as closing the tab the script is running in. You may also want to block the malicious or compromised site that launched the script in the first place.

Additionally, you will probably want to purge your browser extensions and then re-install the latest versions of the ones you want to keep.

Cryptojacking is more annoying than it is dangerous. That being said, now you know what to look for. So the next time your phone starts overheating, remember – it might be mining cryptocurrency.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.