What Is Cryptojacking (and How to Avoid This Coin-Mining Malware)

Since the autumn of 2017, many websites and even some critical-infrastructure computer networks have been infected by, or deliberately set up to host, coin-mining programs.

Igor Stefanovic/Shutterstock

These programs use a computer or smartphone's processing power to "mine" cryptocurrency — to literally make money — for the programs' controllers. These programs are not always malicious, but they will slow down computers and can even damage some smartphones.

When coin miners are used without the consent of the device owner, that's called cryptojacking, and it's definitely unethical and possibly illegal. The name comes from hijacking: the unauthorized diversion of a computer's or smartphone's resources to mine cryptocurrency for someone else.

"Cryptomining malware, or cryptocurrency-mining malware, or simply cryptojacking, refers to software programs and malware components developed to take over a computer's resources and use them for cryptocurrency mining without a user's explicit permission," said Nadav Avital, an application-security-research team leader at the California enterprise-security firm Imperva.

How to Prevent Cryptojacking

Cryptojacking has replaced encrypting ransomware as the cybercriminal weapon of choice. Thanks to the rise of Bitcoin and the growing popularity of many other cryptocurrencies, it may have been only a matter of time before the bad guys found a way to exploit other people's computer systems for their benefit.

"In most cases, devices are surreptitiously infected via compromised website code — advertising or third-party content — that executes JavaScript to either call to another resource or drop an exploit kit," said Chris Olson, CEO of The Media Trust, a Virginia information-security firm.

Cryptojacking is much less harmful than encrypting ransomware, and for many victims, it's often just an annoyance as system fans speed up and everything else slows down.

However, because of the way the coin-mining software monopolizes system resources, users lose full use of the machine, which can become slow or even inoperable. Due to the large amount of power required for mining, your electric bill could go up, and an unexplained utility-bill increase could be a sign that you've been infected by cryptomining malware.

Fortunately, there are easy ways to avoid being cryptojacked. Antivirus software will block most coin-mining malware and some browser-based miners. Script-blocking browser extensions such as NoScript for Mozilla Firefox or ScriptBlock or ScriptSafe for Google Chrome go further: because browser miners are JavaScript, blocking the scripts of sites you haven't explicitly allowed also stops their miners. The caveat is that a miner planted on a site you have allowed will still run, and many sites break when their scripts are blocked.

One Chrome extension, Coin-Hive Blocker, specifically blocks the Coinhive browser script, a small program that, when added to a website, uses web visitors' computers to mine the Monero cryptocurrency.

Browser-based coin miners are not illegal. Some websites, such as Salon and Windscribe, use them openly and alert users that they are running, often giving visitors a choice about whether to let their processing power be "borrowed." (Warning: The Windscribe link takes you to a mining page.)

Some other sites knowingly deploy Coinhive or other browser cryptominers without telling visitors, which may be unethical but is probably legal.

But not every tech company is comfortable with coin mining. Apple kicked even legitimate coin-mining apps out of its App Store in June 2018.

Even if you don't have any interest in cryptocurrency, you may be indirectly impacted by surreptitious cryptomining, especially if the mining software is programmed to use 100 percent of a machine's processing resources. (It usually isn't.)  

The Rise of Cryptojacking

Cryptojacking began to make headlines in the fall of 2017. A few months earlier, a company called Coinhive had developed a snippet of JavaScript that, when placed in a web page, could mine Monero using the processing power of computers running visiting web browsers.

In mid-September, the file-sharing website The Pirate Bay tested Coinhive on its website without notifying users. The website of the Showtime premium cable channel also ran Coinhive for a few days, although it's still not clear who put the script on the page.

In November 2017, nearly 2,500 websites ran Coinhive. By June 2018, the antivirus company McAfee said, that number had risen to 30,000 sites, not all of whose administrators were aware of the program's presence.

Overall coin-mining malware activity increased by nearly 1,200 percent from the autumn of 2017 to the winter of 2018, McAfee said, while ransomware attacks dropped 32 percent. Similarly, Kaspersky Lab saw ransomware reports drop by nearly 30 percent in the year ending March 2018, when compared to the previous year, while cryptomining malware reports went up nearly 45 percent.

The headlines from the first six months of 2018 tell the story. YouTube was hit by coin-mining ads. More than 500,000 Windows servers were infected with coin-mining malware. An estimated 60 million Android users were lured to a coin-mining site, whose activity could have taxed older phones to the point of overheating. A European bank reportedly found coin-mining software installed by a rogue employee in its data center. And a coin-mining worm spread among Amazon Fire TV devices that had been modified to stream pirated content.

Understanding Cryptocurrency Mining and Cryptojacking

Cryptocurrency mining uses computing power to solve difficult mathematical puzzles called proof-of-work functions, Avital said. Solving a puzzle lets the miner add the next block of transactions to the currency's ledger and earns a fixed reward of newly created coins.

However, as the puzzles get harder over time, mining Bitcoin and some other well-established cryptocurrencies is no longer an easy task for individual PCs. Some Bitcoin miners use specialized hardware, and many coin miners join mining pools in which many computers combine their resources and divide the spoils.

The Coinhive service is a sort of mining pool, even though the end users don't get a cut. Instead, website operators get 70 percent, and Coinhive gets 30 percent. But that's only if it's used legitimately.

Malicious Coinhive users modify the code so that 100 percent of the take goes to their own Monero wallets. These snippets of altered code get put into websites without the operators' knowledge, or are loaded into online ads over which websites have next to no control.

How Cryptojacking Attacks Work

According to Olson, cryptojacking comes in two forms: device infection or website execution.

Device infection follows the same paths as traditional malware infection. A piece of software sneaks onto a machine by piggybacking on a desired program, by hiding on a USB drive, by being secretly downloaded from a malicious website or by posing as an innocuous email attachment or a free piece of software. The miner installs itself in the background and starts to work.

In website execution, nothing is installed. Rather, JavaScript on a displayed web page spurs the CPU of each visiting machine into action. Once the page is no longer loaded, the activity stops.

"In both forms, CPU power is hijacked for extended periods of time, even when the device or browser session is not in use," Olson said. "Many consumers never realize their device's processing power is being siphoned off to mine for cryptocurrency."

The end game for cybercriminals, not surprisingly, is financial gain. In a cryptomining scenario, the reward is clandestine access to the processing power in a user's device.

"Criminals reap the benefit of faster mining without the hassle of purchasing and managing a server farm," Olson said. "There's little downside as most device owners have no idea they have been compromised."

The Future of Cryptojacking

If large data centers or web-hosting providers become compromised by coin-mining software, we could see a reduction in website speed globally, said Justin Jett, director of audit and compliance for Maine security firm Plixer.

Hackers are starting to target critical infrastructure with mining attacks, warned Nick Bilogorskiy, a cybersecurity strategist at Juniper Networks, a California networking company.

"Cryptocurrency-mining malware was recently found in the network of a water-utility provider in Europe," Bilogorskiy said. "Malware was probably installed after someone used a browser on a server to visit a website, then the malware likely exploited network file shares to move through the utility company's computers."

Researchers at Cisco Talos Labs expect coin-mining criminals to turn next to Internet of Things devices. Although smart refrigerators, TVs and thermostats aren't powerful compared with computers or even smartphones, the sheer number of smart devices available may compensate for the lack of processing speed.

Even for those computer users who don't mine for cryptocurrency, this threat is of real concern.

"Because the cryptojacking software causes your computer's resources to be maxed, it reduces the machine's ability to run other processes, which, in turn, reduces the user's ability to perform other tasks efficiently," Jett said. "As such, cryptojacking as a whole can easily reduce societal productivity."

Sue Marquette Poremba is a security and technology writer based in Central Pennsylvania.