Just a short year ago, malicious cryptocurrency mining wasn’t even recognized as a cybersecurity threat. In the first quarter of 2018, cryptocurrency miners surpassed the reigning cyberthreat, ransomware, as the most prevalent cyber attack. Over the past year, cryptojacking has regularly made major headlines as hackers shifted their attention away from traditional tactics—in favor of this “compromise and profit” scheme. The cryptojacking epidemic has become so widespread that even Google announced that it will ban all cryptomining extensions from the Chrome Web Store.
There are a variety of reasons for the explosive growth of cryptominers. With easy-to-use JavaScript tools like Coinhive, as well as the advantages of anonymity offered by many cryptocurrencies, cryptojacking significantly reduces the effort-to-gain ratio for bad actors. Because hackers infect machines and enlist others to mine crypto, their operational costs and resource requirements are extremely low. And lastly, cryptojacking all but removes the need to interact with any victims in order to profit (an interaction that many ransomware campaigns require).
Here’s a look at how cryptocurrency mining overtook ransomware over a short six month period between 2017 and 2018. The chart comes from Infogram and represents a dramatic shift in cyber tactics.
While cryptojacking is not as outright damaging as other cyber attacks or security breaches—it does represent a serious security violation. It is also a widespread problem that produces a number of negative effects for businesses of all sizes. Some of the harmful effects of cryptojacking include increased electricity consumption (and therefore costs), decreased device performance and lifespan, an increased burden on IT representatives for remediation, brand safety concerns, and more.
For these reasons and more—it is important that your organization and IT team have a strategy and training plan to combat the growing cryptocurrency threat. In the remainder of this blog, we’ll cover common infection methods, harmful effects of cryptojacking, signs and symptoms of compromise, and provide some general guidelines on how to protect your organization and stay ahead of cryptojacking threats.
A Quick Recap of How Cryptocurrency Mining Works
Cryptocurrency Mining is the validation of crypto-related transactions. For contributing computing resources to validate transactions, miners are awarded fractions of the digital currency for hashes completed.
In order to circulate new cryptocurrency and validate existing transactions, miners must solve complicated mathematical problems. Accomplishing this requires a significant amount of computing power. After solving the problem, the miner receives cryptocurrency as his/her reward. These digital coins can be cashed out for local currencies at online cryptocurrency exchanges.
Malicious Cryptocurrency Mining, or Cryptojacking, is the unauthorized use of a user’s device to mine cryptocurrencies.
But there is nothing inherently malicious about mining cryptocurrency. It can be a legitimate and viable way to make money and/or monetize a website. The distinguishing factor between malicious coinmining efforts and legitimate implementations is whether or not the cryptominer notifies and/or receives consent from the user/owner of the machine to utilize that system’s resources.
For more on cryptocurrency mining and malicious implementations, take a look at our previous blog What is Malicious Cryptocurrency Mining?
Different Forms of Cryptojacking Infection
Malicious cryptojacking falls into one of three primary varieties, outlined below by method of infection.
In-Browser JavaScript Mining
The first form of cryptojacking we’ll cover is browser-based JavaScript mining. This occurs when a visitor connects to a website that is hosting cryptomining JavaScript such as Coinhive, CoinImp, or others. While connected to the website, the mining script devotes resources from the client machine (CPU cycles and energy) to begin solving computations and mining for cryptocurrency. As long as the visitor remains on the website reading an article, watching a video, or playing a webgame, the mining script will continue to execute and mine for cryptocurrency within the browser.
How did the mining script get onto the website in the first place? There are a few means by which this form of cryptojacking occurs.
First, the owner of the website may have installed the coinmining JavaScript for monetization purposes, similar to how news sites and popular blogs monetize their content by allowing advertisements to be placed on the sides of webpages. If the owner of the website has failed to properly notify and receive consent from visitors who are now mining crypto, voila: we have cryptojacking.
Alternatively, a hacker may have compromised the website—whether because it was poorly secured, through a backdoor, etc. In this case, the hacker may have then installed a cryptomining script along with relevant banking/configuration information to have all mining proceeds deposited into a digital wallet/account of their choosing. Now, legitimate traffic to the site begins unwittingly mining cryptocurrency for the hacker or bad actor.
The last implementation of browser-based JavaScript mining we’ll cover is one we’ve seen used along with other exploits to provide bad actors with a powerful and complete cryptomining fraud network. In this situation, a bad actor will generate a site (or multiple) of their own and install cryptocurrency mining software to capitalize on all traffic. Then, they will employ a variety of click fraud tactics to drive traffic to their sites and profit.
While browser-based JavaScript cryptojacking is widespread and mostly impacts end users—it is fairly straightforward to identify and remedy. More on this later.
Local Device Infection (Drive By or Otherwise)
More nefarious are the cases in which a device is infected by acquiring a piece of malware upon visiting a site. This may happen if a user initiates an unverified or compromised download, though it can even happen just by connecting to a compromised site. In the case of a “drive by” download, the site can download a piece of malicious software in the background, install it, and begin executing the cryptojacking script without any warning or interaction on the part of the user.
Once infected, the local machine will mine crypto for the bad actor until the application process is stopped or the malware is removed entirely. Over the past year, coinminers have grown increasingly sophisticated to avoid detection. In some cases, the cryptojacking malware will scan for anti-virus and other protection software and/or run only at lower speeds to avoid using too many computer resources, which would increase the odds of it being detected.
This type of infection is more difficult and time-consuming to remedy—especially as many forms of malware will attempt to infect other applications on the device, as well as other devices on the network.
Compromised and Infected Servers
Early in 2018, a cryptojacking campaign called “JenkinsMiner” was found that had siphoned off over $3 million worth of Monero cryptocurrency by infecting Jenkins Continuous Integration servers worldwide. By compromising high-powered machines with more CPU resources than end-user devices (in this case Java-based Jenkins servers), hackers have been able to ratchet up their profits without needing to invest in expensive equipment or pay the electricity bill.
In this case, hackers look for common exploits—such as flaws in authentication or serialization—or poke around for machines with weak passwords and protections. Once infected, the machines can dedicate a significant amount of resources to coinmining efforts—and if left unnoticed for long periods of time can accumulate huge profits for bad actors. Sometimes this form of infection occurs because of poor passwords or due to misconfigured network settings.
Even more concerning when a server or multiple machines are found to be compromised is the possibility that the intrusion runs deeper within the organization.
In either case, it’s critical to routinely monitor machine and resource usage for all computers and look for any spikes or resource increases that may be related to cryptomining or other malware operations.
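As an added example (not code from zvelo or the original post), the Python sketch below shows one way to act on this advice for the throttled miners described earlier: it flags long runs where CPU stays well above a host's baseline, which a simple peak alert misses. The function name, thresholds and per-minute readings are assumptions constructed for illustration.

```python
from statistics import median

def sustained_runs(samples, baseline, margin=15.0, min_len=30, max_dip=2):
    """Find long runs where CPU% stays above baseline + margin.

    samples  -- CPU utilisation readings (%), one per minute
    baseline -- the host's normal utilisation (%), e.g. median of a quiet week
    max_dip  -- consecutive low readings tolerated inside a run
    Returns [(start_index, end_index_exclusive, median_cpu_in_run), ...].
    """
    threshold = baseline + margin
    runs, start, dip = [], None, 0

    def close(end):
        # Keep the run only if it lasted long enough to rule out a short job.
        if end - start >= min_len:
            runs.append((start, end, median(samples[start:end])))

    for i, value in enumerate(samples):
        if value > threshold:
            start = i if start is None else start
            dip = 0
        elif start is not None:
            dip += 1
            if dip > max_dip:          # run ended at the last high reading
                close(i - dip + 1)
                start, dip = None, 0
    if start is not None:              # run still open at the end of the data
        close(len(samples) - dip)
    return runs

# Constructed per-minute readings for two hosts whose baseline is about 10%.
BUILD_SPIKE = [10] * 20 + [95] * 5 + [12] * 35                 # short, loud job
THROTTLED = [9, 11] * 10 + [44, 46, 45] * 8 + [12] + [45, 47] * 15 + [10] * 5

if __name__ == "__main__":
    for name, data in (("build spike", BUILD_SPIKE), ("throttled", THROTTLED)):
        print(name, "peak", max(data), "runs", sustained_runs(data, baseline=10))
```

The throttled host never exceeds 47% CPU, so an alert set at 90% stays silent, while the 55-minute run at roughly 45% is reported.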
The Effects of Cryptojacking
Cryptojacking scripts are unlike other kinds of malware in that they do not directly damage the victims’ computers or data. Instead, cryptojackers steal CPU processing resources and electricity from victims. Over longer periods of time, high levels of use and increased temperature caused by cryptojacking can significantly expedite the general wear on a machine—thereby shortening the device’s lifespan.
Cryptomining scripts are created for browsers by companies like Coinhive. After creating these scripts, Coinhive sells them to businesses for a percentage of the cut.
Affected computers and devices use their own resources to solve the mathematical puzzles necessary to mine digital currency, which leads to a slow-running system. Furthermore, the mining process requires a considerable amount of energy; therefore, electricity consumption increases during mining operations.
For an individual user, a slow-running computer may just be annoying; however, an organization that is running on cryptojacked systems loses money and operational capacity. This loss results from the time spent on remediation and security while attempting to resolve performance issues. In addition, the increase in energy use and the money spent replacing systems or components to address these problems are costly.
Cryptojacking Signs and Symptoms
Whether an end-user device or server, the signs and symptoms of a malware-laden system mining cryptocurrency are similar.
Employees should be aware of the signs and symptoms associated with cryptojacking as well as the protocol to follow within your organization should they suspect or find that their machines have been infected with cryptojacking malware.
Signs and Symptoms of Cryptojacking include:
- Slow Computer Performance: An increase in help desk complaints due to slow computer performance may be an indication that an organization’s system has been cryptojacked.
- Increase in CPU or Power Usage: Monitor CPU activity because an increase in CPU power use will be evident. This drastic increase in power use may result in overheating. Stopping the unauthorized cryptocurrency mining is vital because this overheating process can greatly reduce the lifespan of a device.
- Overheating/CPU Failure: Cryptojacking malware may cause overheating in systems. If the machine cannot stay cool or if temperature exceeds a certain threshold, CPUs and other components may fail.
- Battery Drain: a compromised device’s battery usually drains quickly.
How to Avoid Being Cryptojacked
Many principles that are used to avoid web-based vulnerabilities are effective for preventing cryptojacking as well.
The techniques, tools and browser plugins available to help prevent cryptojacking include:
** – Important for everyone. These are included in both lists.
For Network Administrators, Engineers, & IT Teams
- Monitor computer resources and activity for elevated CPU/GPU usage.
- Monitor machine energy consumption.
- Block the IP addresses of coinmining sites.
- Ensure cloud environments and containers are configured properly.
- Integrate security into each stage of development.
- ** Install the latest software updates and patches for your operating system and all applications—particularly web browsers.
- Include information about the phishing-type cryptojacking threats in employee security awareness training.
- ** Incorporate antivirus software that is capable of detecting cryptomining in the organization’s endpoint protection.
- Implement strong web-filtering tools like DNS filtering and zveloDB.
- ** Block pages known to deliver cryptojacking scripts.
- Create a Content Security Policy to prevent code injection attacks.
- Create a mobile device management (MDM) protocol. Bring-your-own-device (BYOD) policies can make preventing illicit cryptomining extremely challenging; however, employing an MDM protocol can assist in controlling the extensions and apps on users’ devices.
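To illustrate the Content Security Policy item above, this added Python example (not part of the original post) models, in simplified form, how a browser applies script-src to external scripts, comparing a permissive policy with a restrictive one on a page carrying an injected third-party mining script. It matches on host only and ignores schemes, ports, nonces, hashes and inline scripts; the page, hosts and policies are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptSources(HTMLParser):
    """Collect the src of every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def script_sources(policy):
    """Source list that governs scripts: script-src, else default-src."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:  # per CSP, the first occurrence of a directive wins
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives.get("script-src", directives.get("default-src", ["*"]))

def host_allowed(host, sources, page_host):
    """Simplified host-source matching: '*', 'self', '*.domain', exact host."""
    for s in sources:
        wildcard = s.startswith("*.") and host.endswith(s[1:])
        exact = urlparse("//" + s.split("://")[-1]).hostname == host
        if s == "*" or (s == "'self'" and host == page_host) or wildcard or exact:
            return True
    return False

def blocked_scripts(html, policy, page_origin):
    """Return script URLs on the page that the policy would refuse to load."""
    parser = ScriptSources()
    parser.feed(html)
    page_host = urlparse(page_origin).hostname
    sources = script_sources(policy)
    return [src for src in parser.sources
            if not host_allowed(urlparse(src).hostname or page_host, sources, page_host)]

# Constructed page: own script, a trusted CDN, and an injected miner loader.
PAGE = """<script src="/js/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="https://miner.invalid/m.js"></script>"""
WEAK = "default-src *; script-src * 'unsafe-inline'"
STRICT = "default-src 'self'; script-src 'self' https://cdn.example.net"

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("strict", STRICT)):
        print(name, blocked_scripts(PAGE, policy, "https://shop.example"))
```

Under the permissive policy nothing is blocked; under the restrictive one only the injected script from the unlisted host is refused, while the site's own script and the listed CDN still load.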
For Standard Users / Everyday Browsing
- Use browser extensions designed to block coinmining (e.g., MinerBlock or No Coin).
- Use privacy-focused ad blockers (e.g., Ad Blocker Plus, Ghostery, etc.).
- Turn off the JavaScript option in the browser or use one of the free software extensions created to block scripts (e.g., uBlock Origin, ScriptSafe, etc.).
- Move to a privacy-centric browser (e.g., Brave, Epic Privacy Browser).
- ** Install the latest software updates and patches for your operating system and all applications—particularly web browsers.
- ** Incorporate antivirus software that is capable of detecting cryptomining in the organization’s endpoint protection.
- ** Block pages known to deliver cryptojacking scripts.
The best advice we can give you to minimize the impact of malicious cryptocurrency mining for your organization is to continuously monitor your resources and to provide general education to all employees so that they can avoid being infected in the first place. If a serious compromise does occur—employees would then be equipped to properly report the matter. Otherwise, general IT practices such as web filtering solutions, firewalls, routine backups, and patching will all assist in minimizing any damage caused by malicious cryptocurrency mining.
While the mining process itself does not compromise the security of an organization, per se, the presence of an unauthorized coinmining operation indicates that there are problems with the organization’s cybersecurity and defenses. As such, it is critical to implement policies and procedures designed to continually reassess and strengthen your organization’s security posture.
How Can zvelo Help Protect Your Network and End Users
Early in 2018, zvelo responded to the rapid rise of cryptojacking efforts by adding support for the identification and categorization of websites that are compromised and/or maliciously mining cryptocurrency without notification or proper consent from the end user. What does that mean? It means that our customers, and their end users who are supported by the zveloDB™ URL Database, are better protected from cryptojacking while browsing the internet. It also allows our partners in the ad tech industry to combat ad fraud and protect online advertisers from brand-safety pitfalls associated with advertising on compromised websites.
Cryptojacking, or Cryptocurrency Mining, is just one of ten Malicious website categories identified and classified by zvelo—providing advanced threat protection for our global network of end users across a wide range of industries including cyber threat intelligence, network and cybersecurity, ad tech, subscriber analytics, and more! Learn more about zveloDB — our industry-leading URL database for web categorization and DNS filtering, cybersecurity, parental controls, mobile service providers and subscriber analytics, brand safety and contextual targeting, and more.