Cryptojacking: What the heck is that?
Even though cryptocurrency has its pricing ups and downs, it's still a prominent tool for attackers. Most people think that hackers look for opportunities to steal cryptocurrency, but attackers can obtain incredible payoffs by tricking users and businesses into mining cryptocurrency for them. In a successful cryptojacking attack, user and business devices run silent crypto-mining malware and send it to an attacker-controlled account.
Why Is Cryptojacking Profitable for Attackers?
Generating cryptocurrency is profitable if its value goes up. The downside is that it requires electricity to perform calculations to generate your chosen cryptocurrency. In many cases, the cost of electricity is more than the value of a generated coin. Most cryptocurrency miners are located in regions where the cost of electricity is low, but it's rare for electricity to be cheap enough for mining to stay profitable.
Crowdsourcing cryptocurrency mining is a legitimate business, but you must share profits with other miners. However, you can take all profits if you get numerous people to mine for you using their own electricity. In this scenario, you take all profits and have no costs of doing business. You don't even have the cost of cloud-based mining resources and electricity to factor into your profits.
Using cryptojacking, an attacker leverages other devices to mine cryptocurrency silently. The devices used could be a smartphone, tablet, server, or desktop. The more resources available to the machine, the more mining that can be done. For example, cryptojackers target enterprise servers for their high-end hardware, fast processing, and extensive memory. Successful enterprise attacks can make attackers millions in profits.
How Does Cryptojacking Work?
One common benefit of cryptocurrency is that it's a decentralized digital asset. Your coins can be stored in a wallet, but the act of generating them is done by thousands of hosts located across the globe. This makes it easier for attackers to target victims because every device becomes a potential mining machine. Attackers must overcome a target's cybersecurity and defenses, but then it's only a matter of time. The longer the malware runs on the target device, the more digital profits an attacker can make.
A cryptojacking attack can be done in the form of malware installed on a target machine, or an attacker can trick a user into accessing a web page running crypto-mining scripts. Another option is to inject crypto-mining into an open-source repository where several developers download and use the target code for their own projects. The latter option is called a supply-chain attack, and it requires a takeover of the developer's code.
For individuals, a simple click of a URL in a malicious email message will suffice for cryptojacking, but it's not permanent. As soon as the user leaves the page, the mining software can no longer execute. A better attack is persuading users to install malware on their local devices. After the cryptojacking malware installs on a device, it uses as many resources as possible to mine cryptocurrency. More sophisticated malware will use only partial resources to avoid alerting the user that something is wrong with their device. Poorly written cryptojacking malware will crash the device, rendering it unusable. When the device crashes, it can no longer mine cryptocurrency, so malware authors build safeguards into their software to avoid this issue.
Web-based cryptojacking malware is written in JavaScript because the attacker needs the malware to run on the user's local device. Servers are also targets, but it involves more sophisticated malware that runs directly on the server and obtains access to the server's resources. It must also avoid enterprise antivirus software, which is much more difficult than bypassing individual user cybersecurity.
Targeting enterprise cloud servers is especially profitable for an attacker. An attacker aims to steal API keys or private cloud platform keys from businesses to then use them to spin up resources used solely for crypto-mining. Because cloud-based servers essentially have endless amounts of resources, they are primary targets for large payouts. These targets also don't have users on them to identify performance issues, so they can execute for months on an advanced target without the corporate administrators noticing any lag.
What are the Signs of a Cryptojacked Device?
Because crypto-mining requires advanced computing resources, the prominent sign that you could be a victim is slow computer performance. Most people assume that their device must be upgraded, or the issue lies with the device itself. This incorrect assumption helps the attacker mine more coins until the user gets a new device. Even with an upgrade, the device will still have poor performance because the cryptojacking malware will use the additional resources installed.
The loss of computing performance is immediate, so you can assume you might be a victim of cryptojacking malware if your computer suddenly runs slowly after opening a web page or installing a particular application. Any software running on the local machine runs painfully slow, your computer might warn that it's out of memory, or it could crash. Rebooting the device does nothing for it because good cryptojacking malware starts when the machine reboots.
For enterprise cloud-based target servers, a primary red flag that could be a sign of a compromised system is higher computing costs. When an attacker gains access to cloud platform keys, a primary goal is to create virtual machines to host cryptojacking malware. In a large enterprise, the cloud could host dozens of virtual machines. One or two additional high-powered virtual machines would then go unnoticed. Administrators might notice a severe increase in cloud computing costs and find that the new virtual machines cost much more than the legitimate ones.
Conclusion -- Avoid Becoming a Cryptojacking Victim
The best way to avoid becoming a cryptojacking victim is to always have antivirus software running on your devices, and you should avoid clicking links in emails from untrusted sources. If a web page exhausts computer resources, close the browser tab immediately and your device will recover.
Cryptojacking is a legitimate concern for businesses, and users should be trained to identify malicious email messages. Avoid installing any untrusted third-party applications, and enterprise administrators should always keep their cloud platform keys safe from access. Keys should be treated as if they were network passwords. With the right safeguards in place, your enterprise can avoid being the next target for cryptojacking malware.
