What is Cryptojacking: Working, detection, & prevention

The future of money is digital currency

Here is a comprehensive article about everything you need to know about cryptojacking, how it affects your security, and ways to detect and prevent your computers from being (ab)used for cryptojacking.

21st Century is the digital age. From shopping online to financial transactions, we rely on digital transactions for everything. The focus on digital transactions created a boom in digital currencies, and subsequently, in cryptojacking.

Cybersecurity company Webroot included Cryptojackers in its list of the nastiest malware. 

What is Cryptocurrency?

Cryptocurrency is a digital currency created when computers solve highly complex mathematical calculations to verify transactions in a peer-to-peer network. When a computer solves the equations, the user gains a piece of that Cryptocurrency.

Believe it or not, Cryptocurrency was an accidental invention by Satoshi Nakamoto (a pseudonym) in 2009. The primary intent behind this invention was to create a centralized cash system. This innovative technology is now global and is becoming more widely used and accepted each year. Bitcoin, the first Cryptocurrency, was created in the year 2009. Today, there are more than 2,995 different types of Cryptocurrency.

Cryptocurrencies operate based on a distributed database known as ‘blockchain.’ The blockchain is updated constantly with information about every transaction that takes place. Each set of these transactions is combined into a ‘block’ by using complex mathematical computations.

Cryptocurrencies inherently require individuals to provide computing power. This computing power is utilized to produce new blocks and reward people who supply the computing power with Cryptocurrency. After every new block, some new Cryptocurrency is created and awarded to the miner that solves the validation equation first. The process of trading computing resources for currency is called ‘MINING .’ The people involved in this process are called ‘Miners’.

Although Cryptocurrency comes with financial rewards, it involves threats as well as risks. With the increase in the different cryptocurrencies and their rise in value, cybercriminals are shifting their focus from ransomware to cryptojacking due to lower risk and higher potential for financial gain.

If you would like more details about Ransomware, you may like to refer to our blog post which covers the details around Ransomware.

Another challenge is, that cryptojacking is not easily detectable, and allows cybercriminals to use compromised computing systems and networks to mine for cryptocurrencies.

What is Cryptojacking?

Cryptojacking is a cybercrime that involves the unauthorized use of people’s devices (computers, smartphones, tablets, or even servers) to mine for Cryptocurrency. Cryptojacking occurs when computers are hacked with the intent of installing malicious software.

Once the installation is done, the computers are used to remotely “mine” cryptocurrencies. The main challenge of cryptojacking is that it is hard to detect. Hackers use cryptojacking to steal computing resources from their victims’ devices and can also steal Cryptocurrency from people’s digital wallets. Cryptojacking helps them avoid the overhead cost of building a dedicated crypto mining computer.

Most cryptojacking softwares are tough to detect. Cryptojacking slows down your computer, increases your electricity bills, and shortens the life of your device. The motivation behind cryptojacking is simple: money. It is an effective, inexpensive way to mine valuable coins.

When did Cryptojacking first start?

Cryptojacking first started in 2017 with Coinhive, which was the first known (legal) cryptojacking service, a set of JavaScript files that offered website owners a new way to earn money from their visitors. Once embedded in a website, Coinhive used the computer resources of visitors to mine Cryptocurrency.

2017 was the period of Cryptocurrencies. Well-known cryptocurrency Bitcoin was booming, and Cryptojacking rose to fame. Around this period, Coinhive rose to fame.

After its release, Coinhive’s code started appearing on thousands of websites. The scripts were embedded in the targeted websites to secretly drain the resources of visitors’ devices and mine Cryptocurrency. Even though Coinhive is gone, replicas and scripts of the software are still available, leaving numerous other websites exposed to potential cryptojacking.

How does Cryptojacking work?

Cybercriminals compromise the devices to install cryptojacking software. Then, the software unleashes a script in the background that initiates the mining process.

Hackers use two primary methods to get access to computers and mine cryptocurrencies. 

• By tricking the victim into clicking over a malicious link in emails that loads crypto mining code on the computer. Hackers do it through phishing-like tactics: Victims receive emails that encourage them to click on a link containing a crypto mining script. This script is completely hidden from detection, runs in the background initiating the process.
• By infecting a legitimate website or online ad with JavaScript code that auto-executes once loaded in the victim’s browser. Once victims visit the website or the infected ad pops up in their browsers, the script automatically executes. The script does not store any code on the victims’ computers. 

Hackers usually use both methods to maximize their returns. In both scenarios, the code unleashes the cryptojacking script, which runs in the background. This script runs complex mathematical problems on the victims’ devices and sends the results to a server controlled by the hacker.

Some crypto mining scripts also have worming capabilities that allow them to infect other devices and servers on a network, making them harder to identify and remove. In addition, these scripts have the potential to check if a competing crypto-mining malware already infects the device. If detected, the script disables it.

An alternative cryptojacking approach is called drive-by crypto mining. Drive-by crypto-mining involves embedding a JavaScript code into a Web page post that performs cryptocurrency mining on user machines that visit the page.

Drive-by crypto-mining also has the potential to infect Android mobile devices as well.

To achieve that, it uses a similar process as that of the desktop. In addition, some attacks can occur through a Trojan hidden in a downloaded app.

What is the step by step process of Cryptojacking?

Following is the step by step process for Cryptojacking:

1. Cybercriminals Compromise the asset

The attackers will introduce crypto mining code embedded into links or websites, and the user machine gets compromised as soon as the user clicks on them

2. The script executes

Users either click on an attachment or link to execute and run the crypto mining script or browse to a website with infected ads.

3. Cryptomining is initiated

The crypto mining script runs in the background without the user’s knowledge starting the mining process.

4. Solving algorithms using victim resources

The script uses computer resources to solve complex algorithms to mine what is called a “block”. Subsequently, these blocks add to a blockchain (the technology which stores digital information about Cryptocurrency).

5. Cryptojacker receives a cryptocurrency reward

Every time a hacker adds a new block to the chain; they receive cryptocurrency coins.

Unlike other malware, cryptojacking scripts do not damage the computers or victims’ data. Instead, they steal CPU processing resources.

For individual users, slower computer performance might not be of great significance. However, organizations with many crypto-jacked systems can incur actual costs in terms of helpdesk and IT time, which in turn is spent tracking down performance issues and replacing components or systems to solve the problem.  

What are the types of cryptojacking?

There are three different strategies or types to mine cryptocurrencies using cryptojacking:

File-Based Cryptojacking

In file-based cryptojacking, malware downloads and an executable file is run that spreads a crypto mining script throughout the IT infrastructure. It uses malicious emails to gain access to the computer. Hackers may impersonate an official entity asking the user to download an attachment to mislead them.

Following the download, the scripts run in the background initiating the mining process cryptocurrency.

Browser-Based Cryptojacking

Browser-based cryptojacking happens with browsers like Google Chrome, Mozilla, Safari, and others. Hackers create a crypto mining script using a programming language and then embed that script into numerous websites. Once the script runs, code gets downloaded onto the users’ computer automatically.

These malicious scripts are seldom embedded in ads and vulnerable and out-of-date WordPress plugins. Additionally, Cryptojacking can occur through a supply chain attack, and JavaScript libraries get compromised.

Cloud Cryptojacking

In Cloud cryptojacking, the hackers search through the code or files of an organization to find the API keys to access the cloud service. Once they gain access, they use CPU resources to mine cryptocurrency.

This may lead to a massive increase in electricity and computer power. Using this method, hackers significantly accelerate their efforts of cryptojacking to mine for currency illicitly. However, cloud services are generally complex to hijack.

How to detect Cryptojacking?

Cryptojacking has the potential to affect the entire business operation of an organization. Office spaces have thousands of computers, and the majority are high-end, fast, and capable of handling all kinds of business operations. However, it can be challenging to detecting if your organization’s IT infrastructure is compromised.

The code in crypto mining scripts can easily evade detection, which means you and your IT team must be highly vigilant and mindful about such cyber attacks.

You can use the following symptoms to detect cryptojacking successfully:

1. Decrease in system performance

One of the significant cryptojacking symptoms is a decrease in the performance of your computing devices, including laptops, desktops, tablets, and mobile devices. Be vigilant to your device running slowly, crashing, or exhibiting abysmal performance and battery drains faster than expected.

Educate your employees regarding these and notify them to report any decrease in processing to IT.

2. Overheating of systems

Cryptojacking is a resource-intensive process. It can cause computing devices to overheat. Hence cryptojacking often leads to computer damage or cuts their lifespan down.

Also, overheating devices make the fans run longer than usual to cool down the system. It would help if you observed any significant recent changes in system heatings.

3. Check system CPU usage

If you observe an increase in CPU usage while you are on a website with very little or no media content, it is a sign that cryptojacking scripts might be running. The best way to analyze this is to check your device’s central processing unit (CPU) usage using the Activity Monitor or Task Manager.

Be aware; If you notice a sudden increase in usage while browsing through a website, it might be a sign of crypto mining scripts running without your knowledge.

4. Monitor website usage

Cyber attackers are constantly looking to find vulnerable websites to embed malicious crypto-mining code. It is essential to regularly monitor your websites, webpages, or any files on the webserver.

Earlier the detection, lesser are the chances for your machines to be compromised.

5. Keep yourself updated with cryptojacking Trends

Cybercriminals constantly learn new methods to embed updated scripts onto your computer system. Be vigilant and proactive. Be aware of the latest trends to detect cryptojacking on your network and devices early.

How to prevent Cryptojacking?

The following steps will help to minimize the risk of falling prey to cryptojacking:

1. Train Your IT Team

Organizations should train their IT team to understand and detect cryptojacking. They should be aware of the first signs of an attack and take immediate steps to investigate further.

2. Educate your employees

The organization must educate employees in cybersecurity best practices, such as not clicking on unknown links in emails and only downloading trusted links. In addition, if they notice any symptoms such as overheating, machine running slowly, they should immediately report to IT.

3. Use browser extensions designed to block cryptojacking

Hackers use web browsers as the target to deploy crypto-jacking scripts. You can use specialized browser extensions such as minerBlock, No Coin, and Anti Miner to block them.

4. Use ad-blockers

Hackers use online ads to deliver cryptojacking scripts. Therefore, installing an ad blocker can be an effective means of stopping them. Ad blockers like Adblock Plus can both detect and block malicious cryptojacking code.

5. Disable javascript

Disable JavaScript while browsing online to prevent cryptojacking script from infecting your computer. However, this could also block you from using the functions that you need.

6. Perform regular malware & spyware scans

Perform regular malware and spyware scans for your devices. Do it at least once a month. Invest in a trusted software solution with a good reputation and track record. Update all your devices with the latest patches and fixes.

7. Monitor employee devices

If your employees connect their devices to the office network or systems, it could lead to infection. Ensure that their mobile software is up to date, including browser extensions and the apps.

Additionally, educate employees to follow cybersecurity best practices:

• Always install software from trusted sources only.
• Avoid suspicious websites that can host these malicious scripts.
  Organizations can block URL/IPs of known cryptojacking sites and domains of crypto-mining pools.
• Implement network system monitoring to detect excessive resource utilization.
• Avoid websites with no SSL.
• Don’t access websites that show a warning that it’s risky to continue browsing.
• Don’t click on emails with click-bait titles.
• Avoid downloading attachments from unknown sources
• Download applications from Google Play Store or Apple App Store only.

Cryptojacking may seem like a relatively harmless crime since the only thing ‘stolen’ is the power of the victim’s computer. However, we need to understand that this computing power is used without the knowledge or consent of the victim. These resources are utilized for the benefit of criminals who are illicitly creating currency.

By following cybersecurity practices and internet hygiene, you can minimize the risks of Cyrptojacking. 

We hope you could get the answers to what is cryptojacking and all related questions. If you have any suggestions or feedbacks, please do share it with us.