Cryptojacking Attack
Cybercriminals hack devices to install cryptojacking software. The software works in the background, mining cryptocurrencies or stealing cryptocurrency wallets. Unsuspecting victims typically use their devices, although they may notice slower performance or lags.
Hackers have two main ways to get a victim’s device to secretly mine cryptocurrencies:
- By forcing the victim to click on a malicious link in an email that loads the cryptomining code on the computer
- By infecting a website or online ad with JavaScript code that automatically executes when loaded in the victim’s browser
Hackers often use both methods to maximize their return. In either case, the code places the cryptojacking script on the device, which runs in the background while the victim is working. Regardless of the method used, the script performs complex mathematical problems on the victims’ devices and sends the results to a server controlled by the hacker.
Unlike other types of malware, cryptojacking scripts do not harm victims’ computers or data. However, they steal computer processing resources. For individual users, slower computing performance can just be an annoyance. But cryptojacking is a problem for businesses because organizations with many cryptojacked systems incur real costs. For example:
- Use the time of support and IT staff to find performance issues and replace components or systems in the hope of fixing the problem.
- Increased electricity costs.
Some cryptomining scripts have worming capabilities that allow them to infect other devices and servers on a network. This makes them more difficult to identify and remove. These scripts can also check if the device is already infected with competing cryptomining malware. If another cryptominer is detected, the script disables it.
In early cases of cryptomining, some web publishers sought to monetize their traffic by asking visitors for permission to mine cryptocurrencies on their site. They positioned it as a fair exchange: visitors would receive free content while sites would use their computers for mining.
For example, on gaming sites, users can stay on the page for a period of time while the JavaScript code searches for coins. Then, when they left the site, the cryptomining ended. This approach can work if the sites are transparent about what they are doing. The difficulty for users is knowing whether the sites are honest or not.
Malicious versions of cryptomining – that is, cryptojacking – do not ask for permission and continue to work long after leaving the original site. This is a technique used by owners of questionable sites or hackers who have compromised legitimate sites. Users have no idea that a site they have visited is using their computer to mine cryptocurrency.
The code uses just enough system resources to go unnoticed. Although the user thinks the visible browser windows are closed, a hidden window remains open. Often times, this can be a pop-under, which is sized to fit under the taskbar or behind the clock.
Cryptojacking can even infect Android mobile devices, using the same methods that target desktop computers. Some attacks occur via a Trojan horse hidden in a downloaded application. Or users’ phones may be redirected to an infected site, leaving a persistent pop-unders. While individual phones have relatively limited processing power, when attacks occur in large numbers, they provide sufficient collective strength to justify the efforts of cryptojackers.
Cryptojacking Attack Examples
Here are some of the examples of Cryptojacking Attacks mentioned below.
Cryptojacking Attack Example – 01
In 2019, eight separate apps that were secretly mining cryptocurrency with the resources of whoever downloaded them were kicked from the Microsoft Store. The apps are said to have come from three different developers, although it is suspected that the same individual or organization was behind them all.
Potential targets could come across cryptojacking apps through keyword searches of the Microsoft Store and major free app listings. When a user downloaded and launched one of the apps, they inadvertently downloaded cryptojacking JavaScript code. The miner would activate and start searching for Monero, using up a significant amount of the device’s resources and thus slowing it down.
Cryptojacking Attack Example – 02
In 2018, a cryptojacking code was discovered hidden on the Los Angeles Times Homicide Report page. When visitors went to the Homicide Report page, their devices were used to mine a popular cryptocurrency called Monero.
The threat was not detected for a while because the computing power used by the script was minimal, so many users would not be able to detect that their devices had been compromised.
Cryptojacking Attack Example – 03
In 2018, cryptojackers targeted the operational technology network of a European water utility control system, severely affecting the ability of operators to manage the utility plant.
This was the first known case of a cryptojacking attack against an industrial control system. Similar to the Los Angeles Times hack, the miner generated Monero.
Cryptojacking Attack Example – 04
In early 2018, it turned out that the CoinHive miner was serving on YouTube ads through Google’s DoubleClick platform.
Cryptojacking Attack Example – 05
In July and August 2018, a cryptojacking attack infected more than 200,000 MikroTik routers in Brazil, injecting CoinHive code into a huge amount of web traffic.
