Are you slaving away to make someone else a cryptocurrency fortune?
Researchers at Palo Alto Networks look at Monero mining using Coinhive, one of the more popular browser-mining services.
Cryptocurrencies have taken the world by storm. Bitcoin's volatile price has both fallen and risen, and the media has tracked its ever-accelerating rates, going from $0 to $1,000 in 1,789 days, from $1,000 to $2,000 in 1,271 days and from $6,000 to $7,000 in just 13 days. According to Google Trends, global searches for "buy bitcoin" have overtaken "buy gold" after previously exceeding searches for how to purchase silver.
Naturally, the booming price of Bitcoin and other cryptocurrencies has not been ignored by cybercriminals. For some time now, they have been using these currencies in their operations, for example demanding ransomware payments into cryptocurrency accounts. This may well be driven by the rising value of cryptocurrencies, as well as the increased anonymity offered by many cryptocurrencies compared to traditional banking.
This, and worries about the over-hyping of cryptocurrency values, have led many people to keep their distance. However, a new investigation by researchers at Palo Alto Networks has revealed how some of us could be making others rich in cryptocurrency without our knowledge or sharing in the gains.
The scam relates to how cryptocurrencies are accumulated. Mining is a computationally intensive process that computers comprising a cryptocurrency network complete to verify the transaction record, called the blockchain, and receive digital coins in return. Many sites are harbouring code that secretly uses a visitor's computer to mine the valuable cryptocurrency. The code is inserted by hackers who exploit poor site security or web software bugs. Cryptocurrency miners can run mining software on their computers to generate a meaningful income.
However, this requires a considerable amount of computing power, which explains why browser coin mining has taken off recently. Although the computing power per instance is much less than dedicated hardware can deliver, being able to leverage many users on various sites can more than make up for it.
Coinhive is one of the more popular browser-mining services out there, and offers site owners a piece of JavaScript for easy integration. While this is a legitimate method if everyone is aware it is happening, we recently released details about how some websites are hiding Coinhive coin mining scripts in their sites, without the knowledge of site visitors. What's happening is that a visitor's computing resources are press-ganged into running processor-intensive coin mining operations throughout the duration of the site visit.
The activity itself doesn't cause long-term damage to systems, and ends as soon as users leave the site. While the site will still provide users with its normal, intended functionality, users are likely to experience a noticeable slowdown in system performance.
Site owners get a hefty cut of the illicitly mined cryptocurrency. For example, with Coinhive they are mining XMRs (Moneros) for Coinhive, and Coinhive pays out 70% of mined value to site owners. Those operating the script are awarded new coins upon the site visitor completing the processor-heavy calculations, no matter whose computer systems carried out the actual processing tasks. Given the soaring value of cryptocurrencies, this is a lucrative business with a new player, Crypto-Loot, offering similar services and paying out 88% of revenue.
The use of Coinhive or similar mining services is itself not a malicious activity – it is how they are used that makes the sites malicious. For the sites that we were able to observe engaging in crypto-mining activities, none of them prompted the user with any sort of warning, let alone provided the kill switch for mining.
It seems this trend for unauthorised coin mining is spreading. Our researchers identified that five sites in the top 2000 most visited sites (according to Alexa traffic ranking) had the mining technology on their sites. While currently it seems many of the users who are slaving in a coin mine without their knowledge are American, the number of European and Asian victims is growing.
So, what can you do about this problem?
There are some ways to protect against this fast-growing threat. It's important to block URLs hosting the Coinhive JavaScript files, as these scripts are consuming system resources without a user's knowledge or consent. Popular browser plugins such as Adblock Plus or AdGuard help to block such mining scripts. Combining these with a good firewall ensures your precious CPU time and electricity are not exploited by sneaky scripts.
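One way a site owner or proxy operator could check pages for externally hosted mining scripts before deciding what to block, shown as an added example that is not from Palo Alto Networks' research. The blocklist entries, the `find_mining_scripts` name and the sample page are assumptions made for illustration; the article does not list script URLs.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: blocklist contents. The article names the services but gives no
# script URLs; "miner.example" is a constructed placeholder. In practice, load
# these from a maintained blocklist.
BLOCKED_HOSTS = {"coinhive.com", "miner.example"}


def is_blocked(host, blocked=BLOCKED_HOSTS):
    """True if host is a blocked domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


class ScriptAudit(HTMLParser):
    """Collects <script src=...> URLs whose host is on the blocklist."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script, nothing to resolve
        # Resolve relative and protocol-relative (//host/path) references.
        absolute = urljoin(self.page_url, src.strip())
        if is_blocked(urlsplit(absolute).hostname):
            self.hits.append(absolute)


def find_mining_scripts(html, page_url):
    """Return absolute URLs of script tags served from blocked hosts."""
    audit = ScriptAudit(page_url)
    audit.feed(html)
    return audit.hits


# Constructed sample page (not taken from any real site).
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script src="//cdn.miner.example/m.js"></script>
<script src="https://notcoinhive.com/x.js"></script>
<script>var inline = 1;</script>
</head><body>Shop</body></html>"""

if __name__ == "__main__":
    for url in find_mining_scripts(SAMPLE_HTML, "https://shop.example/"):
        print("blocked script:", url)
```

This only sees static script tags; a script injected at runtime or proxied through the site's own domain needs network-level blocking or a browser extension to catch.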
If you are experiencing a noticeable slowdown in system performance and believe your system is being affected, leaving the site or closing your browser will, in most cases, end the coin mining. Additionally, you should practice all of the usual, good cybersecurity hygiene to prevent becoming someone else's coin miner. This means avoiding unfamiliar websites, not clicking on links or downloading attachments from unknown email senders, keeping products updated with the latest security patches and enabling multi-factor authentication.
To repeat, this new trend isn't exactly a cybercrime, nor are coin-mining programmes malware. However, how this software is deliberately being used by some site owners without a customer's consent is malicious. With cryptocurrency valuations soaring, we are likely to see more of these secret coin mines spawning across the Internet.
About the author: Alex Hinchliffe is a threat intelligence analyst at Unit 42, Palo Alto Networks.