Endpoint

11/8/2017
11:20 AM
50%
50%

Cybercriminals Employ 'Driveby' Cryptocurrency Mining

Mining digital coins is a legal activity, but cybercriminals have discovered a new way to inject malware to perform the task.

Cyberthieves are using a new technique to cash in on cryptocurrency mining.

With so-called driveby cryptojacking, the attacker abuses browser-based cryptocurrency mining unbeknownst to the users and website operators, new research from Malwarebytes shows. 

Cryptocurrency mining is like panning for gold in the digital age and is considered legal. It demands hordes of computing power to process complex mathematical calculations, which in turn is used to create cryptocurrencies like Bitcoin, Monero, Zcash, and others.

In the past year, cybercriminals have used cryptojacking to snare needed computing power via the browser, says Jerome Segura, lead malware intelligence analyst for Malwarebytes.

This browser-based mining, which uses a simple JavaScript library and is sometimes called JavaScript Miners or JSMiners, is rapidly taking off with the bad guys since it was introduced in mid-September by Coinhive. JSMiners is an easy way for bad guys to infect websites via driveby cryptojacking as well, Segura notes, and it can potentially infect far more computers when they visit heavily trafficked websites than directly infecting victims' devices.

Then and Now

Illicit cryptocurrency mining initially began in 2011, a few years after the birth of Bitcoin, Segura says. Cybercriminals up until last year would largely rely on infecting users' computers without their knowledge to hijack, or harvest, the devices' compute power. They typically used phishing scams to entice users to download malicious attachments or visit nefarious websites, where they could automatically load malware onto victims' machines.

Once the device is infected - or devices as in the case of the Bondnet botnet that infected more than 15,000 machines at major institutions, including high-profile companies, universities, and city councils earlier this year - the computing power is used to crunch mathematical calculations and create digital currency.

Last year, however, Coinhive's new technique for mining cryptocurrency emerged and the bad guys jumped on it, Segura says. Coinhive launched a JavaScript-based cryptocurrency mining service that allows website operators to legitimately use their visitors' CPU power to mine for Monero cryptocurrency, with or without their knowledge. 

Coinhive has since released a new API to allow website operators to seek users' permission before harvesting their CPU power, however.

But cybercriminals quickly latched onto Coinhive's technology and began injecting its API into compromised websites, such as WordPress and Magento, without knowledge or consent from site operators, according to Malwarebytes' new report.

"It's easy to have great reach with this browser-based cryptocurrency mining. The criminals would target sites that get lots of traffic and inject malicious script onto the site," says Segura. "Anyone connecting to the website will run the Javascript that can instruct the computer or phone to run the coin miner just like they were running a YouTube video."

Coinhive is relatively easy to add to a site, given it only requires copying a few lines of JavaScript and embedding it into the site, says Segura.

The bad guys lose access to users harvested computer power each time they log off of an infected site. So cybercriminals like to target sites where visitors linger for hours, Segura notes.

Sizing Up the Risk

Security professionals facing an onslaught of attacks and alerts, however, aren't likely to prioritize driveby cryptojacking because the amount of harm it creates to the enterprise is minimal, Segura acknowledges. Even so, enterprises should be sure to remove and block driveby cryptojacking from their websites.

"Hacking websites and mining digital coins is further fueling cybercriminals," Segura says. "As a security professional, I look at the potential scale and how this can affect millions of people and it is a big problem because it can generate a lot of revenue for criminals, and we want to put a dent in it and stop it."

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Cracking 2FA: How It's Done and How to Stay Safe
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2018
What Israel's Elite Defense Force Unit 8200 Can Teach Security about Diversity
Lital Asher-Dotan, Senior Director, Security Research and Content, Cybereason,  5/21/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Shhh!  They're watching... And you have a laptop?  
Current Issue
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-17158
PUBLISHED: 2018-05-24
Some Huawei smart phones with the versions before Berlin-L21HNC185B381; the versions before Prague-AL00AC00B223; the versions before Prague-AL00BC00B223; the versions before Prague-AL00CC00B223; the versions before Prague-L31C432B208; the versions before Prague-TL00AC01B223; the versions before Prag...
CVE-2017-17315
PUBLISHED: 2018-05-24
Huawei DP300 V500R002C00; RP200 V600R006C00; TE30 V100R001C10; V500R002C00; V600R006C00; TE40 V500R002C00; V600R006C00; TE50 V500R002C00; V600R006C00; TE60 V100R001C10; V500R002C00; V600R006C00 have a numeric errors vulnerability. An unauthenticated, remote attacker may send specially crafted SCCP m...
CVE-2018-5485
PUBLISHED: 2018-05-24
NetApp OnCommand Unified Manager for Windows versions 7.2 through 7.3 are susceptible to a vulnerability which could lead to a privilege escalation attack.
CVE-2018-5487
PUBLISHED: 2018-05-24
NetApp OnCommand Unified Manager for Linux versions 7.2 through 7.3 ship with the Java Management Extension Remote Method Invocation (JMX RMI) service bound to the network, and are susceptible to unauthenticated remote code execution.
CVE-2018-7902
PUBLISHED: 2018-05-24
Huawei 1288H V5 and 288H V5 with software of V100R005C00 have a JSON injection vulnerability. An authenticated, remote attacker can launch a JSON injection to modify the password of administrator. Due to insufficient verification of the input, this could be exploited to obtain the management privile...