Cryptojacking
{{Short description|Hijacking computers to mine currency}}
Cryptojacking is the act of exploiting a computer to mine cryptocurrencies, often through websites,{{Cite web|last=Larson|first=Selena|date=2018-02-22|title=Cryptojackers are hacking websites to mine cryptocurrencies|url=https://money.cnn.com/2018/02/22/technology/cryptojacking-mining-tesla-websites/index.html|access-date=2021-04-17|website=CNNMoney|archive-date=2022-12-09|archive-url=https://web.archive.org/web/20221209040241/https://money.cnn.com/2018/02/22/technology/cryptojacking-mining-tesla-websites/index.html|url-status=live}}{{Cite web |last=Hatmaker |first=Taylor |date=8 May 2018 |title=Cryptojacking malware was secretly mining Monero on many government and university websites |url=https://techcrunch.com/2018/05/08/coinhive-malware-may-troy-mursch/ |access-date=2023-07-09 |website=TechCrunch |language=en-US |archive-date=2023-07-09 |archive-url=https://web.archive.org/web/20230709085226/https://techcrunch.com/2018/05/08/coinhive-malware-may-troy-mursch/ |url-status=live }}{{Cite journal |last1=Lachtar |first1=Nada |last2=Elkhail |first2=Abdulrahman Abu |last3=Bacha |first3=Anys |last4=Malik |first4=Hafiz |date=2020-07-01 |title=A Cross-Stack Approach Towards Defending Against Cryptojacking |journal=IEEE Computer Architecture Letters |volume=19 |issue=2 |pages=126–129 |doi=10.1109/LCA.2020.3017457 |s2cid=222070383 |issn=1556-6056|doi-access=free }} against the user's will or while the user is unaware.{{Cite journal|last1=Caprolu|first1=Maurantonio|last2=Raponi|first2=Simone|last3=Oligeri|first3=Gabriele|last4=Di Pietro|first4=Roberto|date=2021-04-01|title=Cryptomining makes noise: Detecting cryptojacking via Machine Learning|journal=Computer Communications|language=en|volume=171|pages=126–139|doi=10.1016/j.comcom.2021.02.016|s2cid=233402711|doi-access=free|arxiv=1910.09272}} One notable piece of software used for cryptojacking was Coinhive, which was used in over two-thirds of cryptojacks before its March 2019 shutdown.{{Cite web|title=Coinhive domain repurposed to warn visitors of hacked sites, routers|url=https://www.bleepingcomputer.com/news/security/coinhive-domain-repurposed-to-warn-visitors-of-hacked-sites-routers/|access-date=2021-04-17|website=BleepingComputer|language=en-us|archive-date=2022-12-09|archive-url=https://web.archive.org/web/20221209040222/https://www.bleepingcomputer.com/news/security/coinhive-domain-repurposed-to-warn-visitors-of-hacked-sites-routers/|url-status=live}} The cryptocurrencies mined the most often are privacy coins—coins with hidden transaction histories—such as Monero and Zcash.{{Cite web|last=Hwang|first=Inyoung|title=What is cryptojacking? How to detect mining malware - MediaFeed|url=https://mediafeed.org/what-is-cryptojacking-how-to-detect-mining-malware/|access-date=2021-05-11|website=mediafeed.org|date=7 May 2021|language=en-US|archive-date=2022-12-09|archive-url=https://web.archive.org/web/20221209040220/https://mediafeed.org/what-is-cryptojacking-how-to-detect-mining-malware/|url-status=live}}
Like most malicious attacks on the computing public, the motive is profit, but unlike other threats, it is designed to remain completely hidden from the user. Cryptojacking malware can lead to slowdowns and crashes due to straining of computational resources.{{cite web |url=https://www.zdnet.com/article/brutal-cryptominer-crashes-your-pc-when-discovered/ |title=Brutal cryptocurrency mining malware crashes your PC when discovered |website=ZDNet |format= |accessdate= |archive-date=2022-12-09 |archive-url=https://web.archive.org/web/20221209042118/https://www.zdnet.com/article/brutal-cryptominer-crashes-your-pc-when-discovered/ |url-status=live }}
Bitcoin mining by personal computers infected with malware is being challenged by dedicated hardware, such as FPGA and ASIC platforms, which are more efficient in terms of power consumption and thus may have lower costs than theft of computing resources.{{cite web |date=31 October 2013 |title=Bitcoin's Computing Crisis |url=https://spectrum.ieee.org/bitcoins-computing-crisis |url-status=live |archive-url=https://web.archive.org/web/20210514134058/https://spectrum.ieee.org/computing/networks/bitcoins-computing-crisis |archive-date=14 May 2021 |access-date=8 July 2023}}
Notable events
In June 2011, Symantec warned about the possibility that botnets could mine covertly for bitcoins.{{cite web |author=Peter Coogan |url=https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=141592a6-e1f5-4aa4-a049-11dc42380516&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments |title=Bitcoin Botnet Mining |work=Symantec.com |date=17 June 2011 |access-date=24 January 2012 |archive-date=7 August 2019 |archive-url=https://web.archive.org/web/20190807222937/https://www.symantec.com/connect/blogs/bitcoin-botnet-mining |url-status=live }} Malware used the parallel processing capabilities of GPUs built into many modern video cards.{{cite news |url=https://www.theregister.co.uk/2011/08/16/gpu_bitcoin_brute_forcing/ |title=Malware mints virtual currency using victim's GPU |work=The Register |date=16 August 2011 |access-date=31 October 2014 |author=Goodin, Dan |archive-date=6 April 2023 |archive-url=https://web.archive.org/web/20230406093949/http://www.theregister.co.uk/2011/08/16/gpu_bitcoin_brute_forcing/ |url-status=live }} Although the average PC with an integrated graphics processor is virtually useless for bitcoin mining, tens of thousands of PCs laden with mining malware could produce some results.{{cite web |last1=Ryder |first1=Greg |title=All About Bitcoin Mining: Road To Riches Or Fool's Gold? |url=http://www.tomshardware.com/reviews/bitcoin-mining-make-money,3514.html |publisher=Tom's hardware |date=9 June 2013 |access-date=18 September 2015 |archive-date=14 April 2023 |archive-url=https://web.archive.org/web/20230414161026/https://www.tomshardware.com/reviews/bitcoin-mining-make-money,3514.html |url-status=live }}
In mid-August 2011, bitcoin mining botnets were detected,{{cite web |url=http://www.infosecurity-magazine.com/view/20211/researcher-discovers-distributed-bitcoin-cracking-trojan-malware/ |title=Infosecurity - Researcher discovers distributed bitcoin cracking trojan malware |publisher=Infosecurity-magazine.com |date=19 August 2011 |access-date=24 January 2012 |archive-date=3 July 2014 |archive-url=https://web.archive.org/web/20140703013154/http://www.infosecurity-magazine.com/view/20211/researcher-discovers-distributed-bitcoin-cracking-trojan-malware/ |url-status=live }}{{Cite web |last=Lee |first=Timothy B. |date=2011-08-18 |title=More Bitcoin malware: this one uses your GPU for mining |url=https://arstechnica.com/tech-policy/2011/08/symantec-spots-malware-that-uses-your-gpu-to-mine-bitcoins/ |access-date=2023-07-08 |website=Ars Technica |language=en-us |archive-date=2017-08-22 |archive-url=https://web.archive.org/web/20170822222545/https://arstechnica.com/tech-policy/2011/08/symantec-spots-malware-that-uses-your-gpu-to-mine-bitcoins/ |url-status=live }}{{cite web |title=Trojan.Badminer |url=http://www.symantec.com/security_response/writeup.jsp?docid=2011-081115-5847-99&tabid=2 |url-status=unfit |archive-url=https://web.archive.org/web/20141129030053/http://www.symantec.com/security_response/writeup.jsp?docid=2011-081115-5847-99&tabid=2 |archive-date=2014-11-29 |access-date=2014-11-16 |publisher=Symantec}} and less than three months later, bitcoin mining trojans had infected Mac OS X.{{cite web |url=http://www.techworld.com.au/article/405849/mac_os_x_trojan_steals_processing_power_produce_bitcoins |title=Mac OS X Trojan steals processing power to produce Bitcoins: Security researchers warn that DevilRobber malware could slow down infected Mac computers |author=Lucian Constantin |publisher=IDG communications |work=TechWorld |date=1 November 2011 |access-date=24 January 2012 |archive-date=18 November 2016 |archive-url=https://web.archive.org/web/20161118230651/http://www.techworld.com.au/article/405849/mac_os_x_trojan_steals_processing_power_produce_bitcoins |url-status=live }}
In April 2013, electronic sports organization E-Sports Entertainment was accused of hijacking 14,000 computers to mine bitcoins; the company later settled the case with the State of New Jersey.{{cite news |url=https://www.bbc.co.uk/news/technology-25014477 |title=E-Sports Entertainment settles Bitcoin botnet allegations |date=20 November 2013 |access-date=24 November 2013 |work=BBC News |archive-date=7 November 2022 |archive-url=https://web.archive.org/web/20221107175231/https://www.bbc.co.uk/news/technology-25014477 |url-status=live }}
German police arrested two people in December 2013 who customized existing botnet software to perform bitcoin mining, which police said had been used to mine at least $950,000 worth of bitcoins.{{cite news |author1=Mohit Kumar |title=The Hacker News The Hacker News +1,440,833 ThAlleged Skynet Botnet creator arrested in Germany |url=http://thehackernews.com/2013/12/alleged-skynet-botnet-creator-arrested.html |access-date=8 January 2015 |date=9 December 2013 |archive-date=30 May 2019 |archive-url=https://web.archive.org/web/20190530193218/https://thehackernews.com/2013/12/alleged-skynet-botnet-creator-arrested.html |url-status=live }}
For four days in December 2013 and January 2014, Yahoo! Europe hosted an ad containing bitcoin mining malware that infected an estimated two million computers using a Java vulnerability.{{cite news |first=Shane |last=McGlaun |title=Yahoo malware turned Euro PCs into bitcoin miners |url=http://www.slashgear.com/yahoo-malware-turned-euro-pcs-into-bitcoin-miners-09312529/ |access-date=8 January 2015 |date=9 January 2014 |publisher=SlashGear |archive-date=30 May 2019 |archive-url=https://web.archive.org/web/20190530192626/https://www.slashgear.com/yahoo-malware-turned-euro-pcs-into-bitcoin-miners-09312529/ |url-status=live }}{{Cite news |last=Hern |first=Alex |date=2014-01-08 |title=Yahoo malware turned European computers into bitcoin slaves |language=en-GB |work=The Guardian |url=https://www.theguardian.com/technology/2014/jan/08/yahoo-malware-turned-europeans-computers-into-bitcoin-slaves |access-date=2023-07-08 |issn=0261-3077 |archive-date=2016-12-09 |archive-url=https://web.archive.org/web/20161209073430/https://www.theguardian.com/technology/2014/jan/08/yahoo-malware-turned-europeans-computers-into-bitcoin-slaves |url-status=live }}
Another software, called Sefnit, was first detected in mid-2013 and has been bundled with many software packages. Microsoft has been removing the malware through its Microsoft Security Essentials and other security software.{{cite news |author1=Liat Clark |title=Microsoft stopped Tor running automatically on botnet-infected systems |url=https://www.wired.co.uk/news/archive/2014-01/20/microsoft-removes-tor |access-date=8 January 2015 |date=20 January 2014 |archive-date=18 October 2022 |archive-url=https://web.archive.org/web/20221018045017/https://www.wired.co.uk/news/archive/2014-01/20/microsoft-removes-tor |url-status=live }}
Several reports of employees or students using university or research computers to mine bitcoins have been published.{{cite news |last1=Hornyack |first1=Tim |title=US researcher banned for mining Bitcoin using university supercomputers |url=http://www.pcworld.com/article/2360840/us-researcher-banned-for-mining-bitcoin-using-university-supercomputers.html |access-date=13 June 2014 |work=PC world.com |publisher=IDG Consumer & SMB |date=6 June 2014 |archive-date=7 March 2019 |archive-url=https://web.archive.org/web/20190307032015/https://www.pcworld.com/article/2360840/us-researcher-banned-for-mining-bitcoin-using-university-supercomputers.html |url-status=live }} On February 20, 2014, a member of the Harvard community was stripped of his or her access to the university's research computing facilities after setting up a Dogecoin mining operation using a Harvard research network, according to an internal email circulated by Faculty of Arts and Sciences Research Computing officials.{{Cite news |last=Delwiche |first=Theodore R. |date=February 20, 2014 |title=Harvard Research Computing Resources Misused for 'Dogecoin' Mining Operation |work=The Harvard Crimson |url=http://www.thecrimson.com/article/2014/2/20/harvard-odyssey-dogecoin/ |access-date=December 9, 2022 |archive-date=December 25, 2022 |archive-url=https://web.archive.org/web/20221225040528/https://www.thecrimson.com/article/2014/2/20/harvard-odyssey-dogecoin/ |url-status=live }}
Ars Technica reported in January 2018 that YouTube advertisements contained JavaScript code that mined the cryptocurrency Monero.{{cite web|url=https://arstechnica.com/information-technology/2018/01/now-even-youtube-serves-ads-with-cpu-draining-cryptocurrency-miners|title=Now even YouTube serves ads with CPU-draining cryptocurrency miners|date=January 26, 2018|work=ArsTechnica|access-date=December 9, 2022|archive-date=January 27, 2023|archive-url=https://web.archive.org/web/20230127104714/https://arstechnica.com/information-technology/2018/01/now-even-youtube-serves-ads-with-cpu-draining-cryptocurrency-miners/|url-status=live}}
In 2021, multiple zero-day vulnerabilities were found on Microsoft Exchange servers, allowing remote code execution. These vulnerabilities were exploited to mine cryptocurrency.{{Cite web|last=Palmer|first=Danny|title=Cyber criminals are installing cryptojacking malware on unpatched Microsoft Exchange servers|url=https://www.zdnet.com/article/free-money-cyber-criminals-are-installing-cryptojacking-malware-on-unpatched-microsoft-exchange-servers/|access-date=2021-04-17|website=ZDNet|language=en|archive-date=2023-01-12|archive-url=https://web.archive.org/web/20230112184123/https://www.zdnet.com/article/free-money-cyber-criminals-are-installing-cryptojacking-malware-on-unpatched-microsoft-exchange-servers|url-status=live}}
Detection
Traditional countermeasures of cryptojacking are host-based and not suitable for corporate networks. A potential solution is a network-based approach called Crypto-Aegis, which uses machine learning to detect cryptocurrency activities in network traffic, even when encrypted or mixed with non-malicious data.{{Cite journal |last=Caprolu |first=Maurantonio |date=2021 |title=Cryptomining makes noise: Detecting cryptojacking via Machine Learning |journal=Computer Communications |volume=171 |pages=126–139|doi=10.1016/j.comcom.2021.02.016 |arxiv=1910.09272 }}
References
{{reflist}}
{{Information security}}