To understand cryptojacking: basic definitions
Before delving into this new cybercriminal process, let's look at the concepts behind it.
Cryptojacking revolves around cryptocurrency mining, a process in which users take advantage of infrastructure systems and their computational resources to verify digital transactions and reconcile the associated hash function algorithms. This process allows users to create the next block of transactions on the blockchain, the unalterable digital ledger where all cryptocurrency transactions are recorded and compiled. After a transaction is verified, the next block on the blockchain is created - once established, the blocks on the blockchain and the transactions associated with them cannot be adjusted or changed.
"Whenever a cryptocurrency transaction is made, a cryptocurrency miner is responsible for ensuring the authenticity of the information and updating the blockchain with the transaction," explains Webopedia. "The mining process itself includes competing with other cryptominerers to solve complex mathematical problems with cryptographic hash functions that are associated with a block that contains the transaction data", that is: the miner who can solve the hash functions first can then authorize the transaction and have a small gain in cryptocurrency for contributing to the blockchain.
It was this competitive nature and the potential for reward - despite being only a small amount per transaction - that attracted hackers and other malicious agents to the scene.
Cryptocurrency mining vs. cryptojacking: what's the difference?
Legitimate users, using their own systems and the necessary specialized hardware, can practice cryptocurrency mining. In fact, as stated above, this process is essential for verifying transactions that depend on the use of cryptocurrencies and for the continued growth of blockchain, the ledger inherent in them.
However, there is a lot of difference between the legitimate and necessary cryptocurrency mining and the malicious processes of cryptojacking. The difference here is in the authorized use: cryptocurrency miners use their own systems and are therefore allowed to use their computational resources to resolve the associated hash functions and create the next transaction block on the blockchain. Those who practice cryptojacking, on the other hand, invade and use other people's systems in an unauthorized manner.
In cryptocurrency mining, the miner is the authorized user of the system being used and reaps a small fee in cryptocurrency for checking transactions. In cryptojacking, this remuneration goes to the hacker who hacked and is stealing resources from other users' systems.
As CSO writer Michael Nadeau explains, the infection process is somewhat similar to other attack styles like ransomware: "Hackers either make the victim click on a malicious link sent via email that loads the cryptomineration code on the computer, or they infect a website or online ad with JavaScript code that self-executes when loaded into the victim's browser, "Nadeau writes. "Either way, the crypto-mining code then works in the background while the victims, without knowing it, use computers normally."
Once infected, users are often unaware that their system was used for cryptojacking by an unauthorized intruder. Thus, the malicious agent can allow cryptocurrency software to operate in the background and enable them to make gains by verifying transactions in cryptocurrencies.
As Nadeau shows, the only more or less obvious sign of cryptojacking is a sluggishness or lag in the performance or execution of actions, which can also be a symptom of a number of other types of infection or system problems.
Cryptojacking campaign discovered: infected real-time support platform
A concrete proof of the increase in cryptojacking is in the growing discoveries of infected websites, spreading cryptomining software to visitors who do not suspect anything. Trend Micro manifested itself precisely in an instance like this in November 2017, in which a considerably large cryptojacking campaign was discovered. It revolved around a real-time chat and support platform.
Security researchers found that about 1,500 websites that had a real-time chat platform widget and support were infected and were being used for cryptocurrency mining.
"A copy of the in-browser cryptocurrency miner was found inside a JavaScript file used by LiveHelpNow, a real-time chat and support platform that was being uploaded to websites," said Trend Micro.
This problem is compounded by the fact that the JavaScript code does not need to be installed specifically to enable cryptojacking - users only need to visit the affected websites that have the LiveHelpNow widget with the Coinhive code. When a user loads the page, the mining code automatically runs inside the browser.
Many of the 1,500 sites affected by the infected LiveHelpNow widget were from e-commerce companies and small private businesses. Interestingly, the attackers chose a great time to deploy the crypto mining code - just before the busy shopping season at the end of the year.
Famous names like Everlast were on the list of affected websites in this cryptojacking campaign. Websites from other organizations - like Politifact, Showtime and even Pirate Bay - have also been affected by the crypto mining code.
"The CPU usage of users who access the affected websites skyrockets while Coinhive's script undermines the Monero cryptocurrency for third parties," explains Trend Micro.
For companies: preventing Cryptojacking
While cryptojacking is certainly a notorious risk for all users, the threat can be much more damaging to companies. When available CPU resources are being used to support crypto mining, the performance of other platforms that depend on these resources will suffer. This can prevent employees from being able to work properly and use the company's platforms and necessary software. And while cryptocurrency mining and cryptojacking are still in their infancy, now is the time for organizations to prepare to defend themselves against this threat.
First, it is essential to include cryptojacking as part of security awareness training. When employees, and especially IT staff, understand what they are dealing with, they can help reduce risk. There are also ad blocking and anti-crypto-mining extensions that can be installed on browsers to help prevent infections. Endpoint protection and specific, robust solutions can help protect organizations and their users by quickly detecting and blocking malicious files and websites.
Disclaimer: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies.