What is Cryptojacking and How Does it Work?


One of the first cryptojacking services was Coinhive. It offered website owners a JavaScript miner they could embed in their pages to earn money from their visitors' CPU time, and the same script was soon being injected by attackers into sites they did not own. Coinhive shut down in March 2019, but copycat services and forks of its code remain in use.

The number of attacks appears to track the price of cryptocurrency. According to an ENISA threat-landscape report, the number of cryptojacking incidents in 2020 rose 30% year on year.

The same report said Monero (XMR) was the cryptocurrency of choice for 2019 cryptojacking activity because of its focus on privacy and anonymity: Monero transactions are designed to be very hard to trace back to a sender or recipient. Monero also designed its proof-of-work algorithm to keep mining viable on an ordinary CPU rather than on specialized hardware. That ASIC-resistant algorithm makes it well suited to machines infected with cryptojacking malware, whose CPUs would be worthless for mining Bitcoin.

Overall, cryptojacking is attractive because the miner does not need a command-and-control server operated by the attacker: it only needs to reach a mining pool, to which it submits work and which credits the attacker's wallet. That pool connection is, however, one of the few reliable network indicators defenders have. Cryptojacking can also go undetected for a very long time, so attackers collect the proceeds anonymously with little fear of law enforcement knocking on their doors.

Cost is another motivation: cryptojacking is cheap to get into. According to a report from Digital Shadows, kits to get started in cryptojacking cost as little as $30. In one campaign, the operators made as much as $10,000 per day from mining.

What are some real-life examples of cryptojacking?

In 2019, several apps that were secretly mining cryptocurrency with the resources of whoever installed them were removed from the Microsoft Store. Potential victims found the apps through keyword searches within the store. Once installed, the apps fetched JavaScript mining code and mined Monero on the user's machine.

In 2018, cryptojacking code was found hidden in the Los Angeles Times' Homicide Report page. It, too, mined Monero.

Another high-profile victim of cryptojacking was Tesla. An investigation by the cyber security firm RedLock found that attackers had gained access through a Tesla Kubernetes administration console that was reachable without a password. They installed cryptomining software and configured it to connect to an "unlisted" or semi-public mining-pool endpoint rather than a well-known pool, which made the traffic harder to spot.

In 2018, Trend Micro observed a group it named Outlaw attempting to run a script in one of Trend Micro's IoT honeypots. By the end of the same year, the group had more than 180,000 compromised hosts under its control.

In 2020, Palo Alto Networks discovered a cryptojacking scheme that used Docker images to install cryptomining software on victims' systems. The criminals hid the mining code inside the images to avoid detection. The infected images helped them mine cryptocurrency worth an estimated $36,000.

What are some known cryptojacking malware?

There are quite a few examples of cryptojacking malware, including:

  • Smominru: This cryptojacker compromises Windows machines using the EternalBlue exploit and by brute-forcing credentials on services such as MS-SQL, RDP and Telnet.
  • BadShell: This uses fileless techniques and hides inside legitimate Windows processes.
  • Coinhive: This began as a legitimate website monetization tool but became the most widely abused cryptojacking script in the world before it shut down.
  • MassMiner: This cryptocurrency-mining malware has been seen using worm-like capabilities to spread through multiple exploits.

How do you know if you are a victim of cryptojacking?

Cryptojacking is designed to go unnoticed and often does. There are, however, a few signs that a computer may be affected:

  • the machine runs hot and the fans are unusually loud;
  • the battery drains faster than usual;
  • performance drops noticeably, even when little is running;
  • the machine shuts down or becomes unresponsive because no processing power is left.

If you see these symptoms, close and block any website you suspect of running a cryptojacking script, and update or remove any browser extensions you do not recognise or trust.

Can you prevent your devices from being a victim of cryptojacking?

Prevention is better than cure, and there are several things users can do to keep their machines from falling victim to cryptojacking.

One is to install an ad-blocker: many of them block the domains that serve known cryptojacking scripts. You should also keep your operating system and all applications, particularly web browsers, updated with the latest software and patches, because many attacks exploit known flaws in existing software.

Organizations can block the URLs and IP addresses of known cryptojacking sites, and the domains and ports of crypto-mining pools, at the DNS or proxy layer. They should also monitor endpoints and the network for sustained, unexplained resource usage and for outbound connections to mining pools, and lock down management interfaces such as Kubernetes consoles and Docker APIs, since the Tesla incident began with an unauthenticated console.
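As an added example (not code from the original article), the script below puts the two controls just described, and the resource-usage symptoms listed earlier, into a single triage routine: it applies a mining-pool blocklist and a Stratum-port check to egress log lines, and flags processes whose command line looks like a miner or whose CPU usage stays high across several readings. All domains, log lines and processes are constructed for illustration; the blocklist, the Stratum default ports and the XMRig-style command-line indicators are assumptions to be replaced with a real threat-intelligence feed and your own telemetry (DNS/proxy logs, EDR or `ps` samples).

```python
"""Cryptojacking triage heuristics over constructed sample data (added example)."""
import re
from dataclasses import dataclass

# Constructed blocklist. Assumption: a real one is loaded from a threat-intel feed.
BLOCKED_POOL_DOMAINS = {"pool.example-xmr.net", "mine.example-pool.org"}

# Stratum is the de facto pool protocol for CPU miners; these are the conventional
# default TCP ports seen in miner configs and pool documentation (assumption: tune
# to your environment, since some pools also listen on 443).
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}

# Command-line indicators typical of XMRig-style miners (assumed, not exhaustive).
MINER_CMDLINE_PATTERNS = [
    re.compile(r"stratum\+(tcp|ssl)://", re.I),
    re.compile(r"--donate-level", re.I),
    re.compile(r"\bxmrig\b", re.I),
]

# Constructed egress log, one line per connection: <ts> <src_ip> <dst_host> <dst_port> <proto>
SAMPLE_EGRESS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 updates.example.com 443 tcp
2024-05-01T10:00:05Z 10.0.0.12 pool.example-xmr.net 3333 tcp
2024-05-01T10:00:09Z 10.0.0.33 203.0.113.7 14444 tcp
2024-05-01T10:00:11Z 10.0.0.33 cdn.example.net 80 tcp
"""
EGRESS_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def check_egress_line(line):
    """Return (host, reason) if the connection looks like mining traffic, else None."""
    m = EGRESS_RE.match(line.strip())
    if not m:
        return None  # unparseable line; a production pipeline should count these
    _ts, _src, host, port, _proto = m.groups()
    if host.lower() in BLOCKED_POOL_DOMAINS:
        return host, "blocked mining-pool domain"
    if int(port) in STRATUM_PORTS:
        return host, f"stratum default port {port}"  # unlisted pool, known port
    return None


def scan_egress(log_text):
    """List of (line_no, host, reason) for every suspicious egress line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        hit = check_egress_line(line)
        if hit:
            hits.append((n,) + hit)
    return hits


@dataclass
class ProcessSample:
    pid: int
    name: str
    cmdline: str
    cpu_pct: list  # successive CPU % readings for this process, e.g. one per 30 s


# Constructed process samples: a miner masquerading as a kernel helper, a browser
# tab pegged by an in-page miner, a build that merely spiked, and an idle daemon.
SAMPLE_PROCESSES = [
    ProcessSample(1201, "kworker-helper",
                  "./kworker-helper -o stratum+tcp://pool.example-xmr.net:3333 --donate-level=1",
                  [95.0, 97.0, 96.0, 98.0]),
    ProcessSample(880, "chrome", "/opt/chrome/chrome --type=renderer", [92.0, 95.0, 94.0, 93.0]),
    ProcessSample(412, "make", "make -j8", [99.0, 20.0, 5.0, 0.0]),
    ProcessSample(77, "sshd", "/usr/sbin/sshd -D", [0.0, 1.0, 0.0, 0.0]),
]


def sustained_cpu(samples, threshold=80.0, min_samples=4):
    """True when every one of at least min_samples readings is at or above threshold.
    A single spike (a build, a video encode) is not sustained; a miner is. This
    check alone still yields false positives, so pair it with the network checks."""
    return len(samples) >= min_samples and min(samples) >= threshold


def miner_cmdline(cmdline):
    """Patterns from MINER_CMDLINE_PATTERNS that match the process command line."""
    return [p.pattern for p in MINER_CMDLINE_PATTERNS if p.search(cmdline)]


def triage_process(proc):
    """Reasons this process looks like a cryptojacker (empty list if none)."""
    reasons = []
    matched = miner_cmdline(proc.cmdline)
    if matched:
        reasons.append("miner command line: " + ", ".join(matched))
    if sustained_cpu(proc.cpu_pct):
        reasons.append(f"sustained CPU >= 80% over {len(proc.cpu_pct)} samples")
    return reasons


def triage_processes(procs):
    """Map pid -> reasons for every process with at least one finding."""
    return {p.pid: r for p in procs if (r := triage_process(p))}


if __name__ == "__main__":
    for hit in scan_egress(SAMPLE_EGRESS_LOG):
        print("egress line %d -> %s: %s" % hit)
    for pid, reasons in triage_processes(SAMPLE_PROCESSES).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

The browser process in the sample is flagged on CPU alone, which is exactly the in-page miner case the symptoms above describe; the build process is not, because its usage falls off after the first reading. The connection to a bare IP on port 14444 shows why a port check is worth keeping alongside the domain blocklist: a pool reached through an "unlisted" endpoint, as in the Tesla incident, will not be on any domain list.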


About the Author: admin