Cryptomining: the new lottery for cybercriminals

This article originally appeared in CSO on March 14, 2018

Cryptomining has surpassed even ransomware as the revenue generator of choice, according to a Cisco Talos report that estimates a crypto-mining botnet can earn its operators up to $500 a day, and a dedicated effort more than $100,000 a year. Offering the ideal balance of stealth and wealth for cybercriminals (and for some unscrupulous but otherwise legitimate online businesses), cryptomining is quickly becoming a major concern for enterprise IT teams, which frequently don't know that their digital assets have been compromised.

With stringent privacy laws coming into force in 2018, organizations must know every partner that executes code on their websites. That inventory is critical not only for identifying a rogue source but also for communicating expectations and enforcing compliance, both key mitigating factors when regulatory penalties are assessed.

Criminals cash out

Attackers profit by mining cryptocurrency, which requires large amounts of computing power to solve proof-of-work puzzles: repeatedly hashing candidate blocks until a result below the network's current target turns up. The miner that submits a valid solution is rewarded with newly issued coins. Monero, the currency behind most of these operations, uses a hashing algorithm designed to run efficiently on ordinary CPUs, which is precisely what makes browsers and consumer devices worth hijacking.

Cryptomining comes in two forms: device infection and in-browser execution. In both, CPU time is hijacked for extended periods, even when the device is idle or the user believes the browser session has ended (a hidden pop-under window is one documented way to keep a mining script running after the visible tab is closed). In-browser miners typically arrive through compromised website code, advertising or other third-party content, that injects a JavaScript miner into the page; nothing is installed on the device, so the activity leaves no file on disk and stops only when the window running the script goes away. Device infections go a step further: malware installs a persistent miner that runs regardless of what the user is doing. In either case most consumers never realize their processing power is being siphoned, and mobile users may notice only an increase in data consumption and battery drain.

No harm no foul?

Several argue that cryptomining is a victimless crime. Automated bots can siphon processing power without any user interaction, sparing the criminal the extortion and payment-collection hassle that ransomware involves. What's the harm in borrowing underutilized processing power? Plenty. In the worst case, unthrottled mining drains batteries unexpectedly, drives up electricity and cloud-compute bills, and can overheat and damage devices. More commonly, device owners simply feel cheated: someone is using their property without permission or compensation.

Website operators bear the blame, not only for consumer discontent but also for regulatory violations. The ability to inject code into a website signals a weak security posture, and the same injection point that delivers a miner can just as easily deliver a script that harvests consumer data. With tightened consumer data privacy and protection regulations coming into force, the threat of regulatory penalties is real.

To put this threat into perspective: research from AdGuard recently found cryptomining code on 220 popular websites. Even Tesla wasn't safe; its cloud environment was found running a miner.

Detecting the crypto crime

A variety of scams are now in play, but one emerging variant is particularly crafty. Targeting predominantly mobile users, this cryptominer runs behind a gift-card popup.

As expected, clicking a digital advertisement redirects the user to a retail landing page. At an undetermined cadence, the redirection chain also injects superfluous JavaScript that presents a "FREE" gift card popup purporting to come from several well-known brands. At the bottom of that code sits a long string of alphanumeric gibberish: an encoded payload that, when decoded and executed, launches a Monero miner. The pairing is likely deliberate. If the popup is discovered and blocked, the miner is overlooked, and a visible nuisance draws attention away from the silent one.

Most consumers will not realize their device has been affected. At most they notice performance lags and don't think twice about the cause. To detect this cryptominer, a website operator would need to perform a line-by-line analysis of the code rendering on the page to identify and remediate the root cause. Knowing every digital partner shortens that work considerably: any script that traces back to an undocumented origin stands out as anomalous, possibly at the time of compromise.
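The detection step described above, as an added example that is not part of the original article: a Node.js script (JavaScript, since the subject is in-page browser code) that inventories every script element on a page, flags any external script whose origin is not in the operator's documented-partner list, and runs a heuristic pass over inline scripts for the pattern just described, popup code followed by a long opaque blob that unpacks a miner. The page origin, the partner list, the indicator patterns and the sample HTML are all constructed for the example.

```javascript
// Added example, not code from the original article or from any vendor it
// mentions. Offline audit of a page's <script> elements against a site
// operator's documented-partner list, plus a heuristic pass over inline
// scripts. Origins, hostnames and the sample HTML are constructed.

const PAGE_ORIGIN = 'https://shop.example.test'; // assumed origin of the audited page

// Origins the operator has documented as legitimate script partners (assumed).
const DOCUMENTED_PARTNERS = new Set([
  'https://shop.example.test',
  'https://tags.analytics-partner.test',
]);

// Strings commonly seen in in-browser Monero miners (CryptoNight hashing,
// stratum pool protocol, WebAssembly loading). Illustrative, not exhaustive.
const MINER_INDICATORS = [
  /cryptonight/i,
  /stratum\+tcp:/i,
  /WebAssembly\.(instantiate|Module)/,
  /hashesPerSecond/i,
];

// Extract every <script> element; src is null for inline scripts.
function scriptsInHtml(html) {
  const scripts = [];
  const tag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, body: m[2] });
  }
  return scripts;
}

// A single run of 200+ URL/base64-style characters with mixed case and digits:
// the "alphanumeric gibberish" that hides the packed miner. Minified code has
// punctuation and whitespace far more often than that, so this is a triage
// signal, not a verdict (a legitimate data: URI can trip it too).
function hasOpaqueBlob(body, minLen = 200) {
  const run = new RegExp(`[A-Za-z0-9+/=_-]{${minLen},}`).exec(body);
  return !!run && /[a-z]/.test(run[0]) && /[A-Z]/.test(run[0]) && /[0-9]/.test(run[0]);
}

// External scripts are checked against the partner inventory; inline scripts
// are checked for miner indicators and packed payloads.
function auditPage(html, partners = DOCUMENTED_PARTNERS) {
  const findings = [];
  scriptsInHtml(html).forEach((s, i) => {
    if (s.src !== null) {
      // Resolve relative and protocol-relative URLs against the page origin.
      const origin = new URL(s.src, PAGE_ORIGIN).origin;
      if (!partners.has(origin)) {
        findings.push({ script: i, kind: 'undocumented-origin', origin, src: s.src });
      }
      return;
    }
    const reasons = MINER_INDICATORS.filter((re) => re.test(s.body)).map(String);
    if (hasOpaqueBlob(s.body)) reasons.push('opaque-blob');
    if (reasons.length) findings.push({ script: i, kind: 'suspicious-inline', reasons });
  });
  return findings;
}

// Constructed sample page: two documented scripts, one ad-network script the
// operator never documented, and an inline gift-card popup that unpacks a miner.
const SAMPLE_HTML = `
<html><body>
<script src="/static/app.js"></script>
<script src="https://tags.analytics-partner.test/tag.js"></script>
<script src="//ads.unknown-network.test/promo.js"></script>
<script>
document.body.insertAdjacentHTML('beforeend',
  '<div id="offer">Congratulations! Claim your FREE gift card</div>');
var p="${'aB3'.repeat(80)}";
WebAssembly.instantiate(unpack(p)).then(function(m){m.instance.exports.start();});
</script>
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditPage(SAMPLE_HTML), null, 2));
}
```

Run with `node audit.js` to print the findings as JSON: the ad-network script is reported as an undocumented origin and the inline popup is reported for both the WebAssembly indicator and the opaque blob. The blob heuristic only surfaces candidates for the line-by-line review the article calls for; a miner fetched from an external domain shows up solely through the origin check, which is why the partner inventory matters more than any pattern list.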

The root of all evil is in the code

With more than 500 million PCs actively mining cryptocurrency worldwide, you have to wonder how many compromised websites exist. All it takes is the insertion of a small mining script into a website and the operation is up and running. The challenge for enterprise websites is knowing if and when this occurs, a daunting prospect given the dynamic nature of today's websites, where third-party tags load further tags at runtime. It all starts with documenting every partner whose code executes on the website.

Enterprise IT is flying blind. More than 80% of the code rendering on a typical website is provided by third parties. Identifying onsite vendors and enforcing best practices (allowing only documented script sources, reviewing any change to third-party code) is the foundation for a cleaner, safer Internet environment, one that can lock out nefarious activities such as cryptomining and protect both the online safety of customers and the integrity of the corporate brand.
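One way to turn that partner inventory into an enforced control, as an added example that is not code from the original article or any product it mentions: generate a Content-Security-Policy script-src directive from the documented-partner list, and check candidate script URLs against it with a simplified host-source matcher so the policy can be tested offline before it ships. The page origin, partner hostnames and nonce value are assumptions.

```javascript
// Added example, not code from the original article or any vendor it names.
// Builds a Content-Security-Policy script-src directive from an operator's
// documented-partner inventory and checks script URLs against it with a
// simplified host-source matcher. Page origin, partner hosts and the nonce
// are assumed values.

const PAGE_ORIGIN = 'https://shop.example.test'; // assumed origin of the protected page

// 'self' covers first-party files, each documented partner becomes one
// host-source (a "*." prefix admits that partner's subdomains), a per-response
// nonce authorizes the operator's own inline scripts, and the last two
// directives block plugin content and <base> hijacking of relative URLs.
function buildScriptSrcPolicy(partnerHosts, nonce) {
  const sources = ["'self'", ...partnerHosts];
  if (nonce) sources.push(`'nonce-${nonce}'`);
  return `script-src ${sources.join(' ')}; object-src 'none'; base-uri 'self'`;
}

// Simplified CSP host-source match: optional scheme, optional "*." wildcard on
// the leftmost label, host, optional port. Path parts, hashes, scheme-only
// sources and 'unsafe-inline' are deliberately not handled.
function hostSourceMatches(source, url, pageOrigin) {
  const m = /^(?:(https?):\/\/)?(\*\.)?([^\/:*]+)(?::(\d+))?\/?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const urlScheme = url.protocol.slice(0, -1);
  // A source without a scheme inherits the page's; an http source also admits https.
  const wantScheme = (scheme || new URL(pageOrigin).protocol.slice(0, -1)).toLowerCase();
  if (urlScheme !== wantScheme && !(wantScheme === 'http' && urlScheme === 'https')) return false;
  const want = host.toLowerCase();
  const got = url.hostname.toLowerCase();
  if (wildcard ? !got.endsWith('.' + want) : got !== want) return false;
  const urlPort = url.port || (urlScheme === 'https' ? '443' : '80');
  const wantPort = port || (urlScheme === 'https' ? '443' : '80');
  return urlPort === wantPort;
}

// Would this script URL load under the policy? Relative and protocol-relative
// URLs are resolved against the page origin first.
function isScriptAllowed(policy, scriptUrl, pageOrigin = PAGE_ORIGIN) {
  const directive = policy.split(';').map((d) => d.trim()).find((d) => d.startsWith('script-src '));
  if (!directive) return false;
  const url = new URL(scriptUrl, pageOrigin);
  return directive.split(/\s+/).slice(1).some((src) => {
    if (src === "'self'") return url.origin === pageOrigin;
    if (src.startsWith("'")) return false; // nonces and hashes never match a URL
    return hostSourceMatches(src, url, pageOrigin);
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  // Assumed inventory: one analytics tag partner and one CDN partner with subdomains.
  const policy = buildScriptSrcPolicy(['https://tags.analytics-partner.test', '*.cdn-partner.test'], 'r4nd0m');
  console.log('Content-Security-Policy: ' + policy);
  for (const u of ['/static/app.js', 'https://eu.cdn-partner.test/lib.js', '//ads.unknown-network.test/promo.js']) {
    console.log(`${isScriptAllowed(policy, u) ? 'allow' : 'BLOCK'} ${u}`);
  }
}
```

The browser does the real enforcement once the header is sent; the matcher exists so an operator can check, offline, which scripts an audit turned up would be blocked. An injected inline miner carries no valid nonce and fails the policy outright, and a miner fetched from an undocumented domain fails the host-source check. A production policy should follow the full CSP specification for paths, hashes and reporting, which this simplified matcher leaves out.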