A recent study carried out by researchers from three universities – Fudan University, Tsinghua University, and University of California Riverside – was the first of its kind. Although it might have been suspected already, it showed how malicious cryptocurrency mining (also known as cryptojacking) has got both more complex and far more prevalent over time.
What is it?
Just as a wifi thief happily hooks onto your own home network to ‘borrow’ your connection (and if they’ve got criminal intent, any personal information they can get hold of too), a cryptojacker is after your processing power. They use this to mine cryptocurrency, not just making money, but avoiding the attendant costs of mining legitimately. In November of last year (2017), AdGuard reported that Alexa’s top 100,000 websites included 220 closely associated with a cryptojacking risk. And that number is set to increase. In the early noughties, you might have picked up a Trojan from visiting a website with poor security; now you’re looking at acquiring a script to allow criminals to use your processing power to mine currency instead.
Wait – haven’t I read about legitimate examples of this?
Yes, you have. In-browser mining isn’t new, and has many uses. UNICEF’s “Hope Page” offers visitors in-browser mining opportunities to help raise funds. Additionally, you may have read about Coinhive, which provides a script that websites can add to give visitors an enhanced visit. For example, you might get irritated with ads on subscription sites, or want to access extra content not available to other visitors; allowing the site to use some of your processing power during your visit to mine Monero (XMR) gives you access to an ad-free, next-level visit.
And that’s all fine, within the parameters of consent. It’s when it all goes wrong and the transaction is taken out of the visitor’s control that the problems start. That’s exactly what happened when Coinhive was installed on The Pirate Bay – perfectly legitimately – but with an accidental instruction to use all of the visitor’s processing power. Without their consent. And it’s that possibility which makes it particularly attractive to criminals.
What happens now?
The most important outcome of the study is the resultant first attempt to measure the true extent of malicious cryptojacking. This was done by deploying the CMTracker, a detector which examined repeated calculations over some 850,000 websites. Over half of the samples wouldn’t have been picked up by previous surveys.
CMTracker had more success because it looked at the nature of the computations and at the percentage of execution time spent on hashing: a page that spent more than 10% of its execution time on hashing was reported as a cryptocurrency miner. Only 35 of the websites were manually checked as benign, i.e. seeking agreement from users that their processing power would be harvested, and there were no false positives.
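The hashing-time check described above, sketched as an added example (this is not CMTracker's code). It assumes the 10% figure is a threshold on the share of execution time spent in hash routines; the profile format, function names, name list and the 30% repeated-stack threshold are constructed for illustration.

```javascript
// Added example: the profiles below are constructed; all names are hypothetical.
const HASH_NAME = /cryptonight|keccak|blake|groestl|skein|sha\d+/i; // illustrative list
const HASH_SHARE_THRESHOLD = 0.10;  // the article's 10% figure, read as a time share
const STACK_SHARE_THRESHOLD = 0.30; // assumed value, not from the article

// A sample is { stack: [outer, ..., leaf], selfMs }. Each sample's time is counted
// once, and counts as hashing if any frame on its stack is a hash routine.
function analyseProfile(samples) {
  let total = 0, hashing = 0;
  const perStack = new Map();
  for (const { stack, selfMs } of samples) {
    if (!Array.isArray(stack) || stack.length === 0 || !(selfMs > 0)) continue;
    total += selfMs;
    if (stack.some((frame) => HASH_NAME.test(frame))) hashing += selfMs;
    const key = stack.join('>');
    perStack.set(key, (perStack.get(key) || 0) + selfMs);
  }
  if (total === 0) return { verdict: 'no-data', hashShare: 0, topStackShare: 0 };
  const hashShare = hashing / total;
  const topStackShare = Math.max(...perStack.values()) / total;
  let verdict = 'clean';
  if (hashShare > HASH_SHARE_THRESHOLD) verdict = 'miner-by-hash-time';
  else if (topStackShare > STACK_SHARE_THRESHOLD) verdict = 'review-repeated-stack';
  return { verdict, hashShare, topStackShare };
}

const newsPage = [ // ordinary page: a little legitimate hashing at login
  { stack: ['render', 'layout'], selfMs: 25 },
  { stack: ['render', 'paint'], selfMs: 25 },
  { stack: ['fetchAds', 'parseJSON'], selfMs: 25 },
  { stack: ['onScroll', 'lazyLoad'], selfMs: 20 },
  { stack: ['login', 'sha256'], selfMs: 5 },
];
const namedMiner = [ // miner whose hash routines keep recognisable names
  { stack: ['worker', 'cryptonight_hash', 'keccakf'], selfMs: 60 },
  { stack: ['worker', 'cryptonight_hash', 'aes_round'], selfMs: 25 },
  { stack: ['render', 'paint'], selfMs: 15 },
];
const obfuscatedMiner = [ // names stripped: only the repetition gives it away
  { stack: ['_0x3a1f', '_0x77b2', 'wasm-function[12]'], selfMs: 80 },
  { stack: ['render', 'paint'], selfMs: 20 },
];

for (const [name, p] of Object.entries({ newsPage, namedMiner, obfuscatedMiner })) {
  console.log(name, analyseProfile(p));
}
```

The repeated-stack verdict is only a prompt for manual review, since a busy render or animation loop can dominate a profile in the same way.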
The problem for the future is clearly whether this can be stopped. Sophisticated criminal activity needs sophisticated browsers and anti-virus programs, not to mention legitimate mining services taking at least some of the responsibility.