As crypto-currencies rise in value and popularity, cyber criminals are looking to cash in through crypto-jacking. Alongside users who are trying to earn money legitimately by mining these coins, cyber criminals are developing tools to hijack digital currencies, or are stealing computer resources owned by Internet users to mine crypto-currency for themselves.
Cyber criminals are attracted to crypto-jacking due to two unique features, says Jessica Ortega, a member of the SiteLock research team. "Firstly, it is a symptomless attack from the perspective of the Web site owner, meaning crypto-jacking doesn't change the function or appearance of a Web site, such as causing slowness or defacements. This makes it harder to detect, causing crypto-jacking malware to remain on Web sites for longer periods of time and thus generating more profit."
Secondly, she says crypto-jacking attacks require only one or two scripts to deploy. "They are very easy to deploy once an attacker has gained access to the Web site's files using a backdoor file or vulnerability. This allows cyber criminals to automate the deployment of these attacks and infiltrate large numbers of sites quickly and quietly, maximising their profitability."
How it works
According to Ortega, crypto-jacking usually happens in one of two ways. The first method is to gain direct unauthorised access to a Web site's files and inject malicious code that mines for crypto-currency on visitors' computers. The other is to upload ads carrying crypto-jacking scripts to online ad networks.
"When visitors view a Web site infected with crypto-jacking scripts, their browser automatically runs the malicious script, causing the visitor's computer to dedicate resources to mining crypto-currency. The currency is 'mined' through a process of solving complex mathematical problems and is then sent to accounts controlled by cyber criminals."
Harder to detect
The easiest and most effective way of preventing crypto-jacking infections is to employ a malware scanner, she says.
"Using a malware scanner that proactively scans the Web site for malicious and suspicious code, and automatically removes any that is detected, will ensure the Web site is unable to mine crypto-currency on users' local computers. Moreover, protecting Web sites with a Web application firewall (WAF) will prevent malicious bots and bad actors from being able to access the site in order to launch crypto-jacking attacks."
But unlike ransomware or phishing, which have no legitimate use, crypto-mining has many legitimate users, which makes the malicious cases harder to identify. Many legitimate mining scripts are falsely flagged as malicious, and these false positives can hurt businesses that deliberately use mining to their benefit.
In addition, although crypto-jacking is frequently a symptomless attack from the Web site owner's perspective, from the visitor's perspective it slows the machine down and can crash the browser. "Users experiencing these symptoms might well leave the Web site in question without ever reporting the issue, meaning Web site owners remain none the wiser."
She says this is why effective automated detection is crucial. "As crypto-currency popularity rises, so too will the challenges of identifying malicious and non-malicious crypto-currency mining applications."
Preventing false positives
It is important for the engineers that build anti-malware scanners to take precautions when identifying crypto-mining scripts, she says. "Flagging an intentional crypto-currency miner as malicious could take that miner offline, costing the Web site owner time and money. Engineers can take precautions by using context clues like file placement, crypto-currency wallets, and URLs belonging to known bad actors to help avoid mistakes when analysing crypto-miners."
Although the onus for identifying false positives lands on security firms and malware scanners, there are steps that Web site owners can take to facilitate this process, she says. "It is critical for Web sites using legitimate crypto-mining scripts to gain consent from their visitors prior to executing the scripts. Most crypto-currency mining packages include a consent and warning script, and by using this feature, malware scanners will pick up the legitimate scripts and avoid flagging related files as malicious."
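The injection pattern described under "How it works" and the context clues Ortega lists for avoiding false positives (file placement, wallets, URLs belonging to known bad actors, and a consent prompt) can be combined into a simple static scan of a site's files. The following is an added example written for this page, not SiteLock's scanner or any product's code. Every file in it is constructed: the `example.invalid` host, the wallet string and the `requestConsent()` hook are placeholders standing in for a real threat-intelligence feed and a real miner package's consent API, and the regular expressions are generic fingerprints rather than signatures for any named miner.

```python
"""Added example: a static crypto-jacking scanner that applies context clues.

Not SiteLock's or any vendor's code. All sample files, hosts, wallets and the
consent hook are constructed placeholders for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Constructed stand-ins for a threat-intelligence feed (hypothetical values).
KNOWN_BAD_HOSTS = {"miner-cdn.example.invalid"}
KNOWN_BAD_WALLETS = {"4EXAMPLEBADWALLET0000"}

# Generic miner fingerprints, not tied to any one miner product.
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl)://[\w.\-]+(?::\d+)?")
WASM_INSTANTIATE = re.compile(r"WebAssembly\.(?:instantiate(?:Streaming)?|Instance)\b")
MINER_VOCAB = re.compile(r"\b(?:hashesPerSecond|hashrate|setThrottle|cryptonight|nonce)\b", re.I)
# Hypothetical consent hook: assumes the miner package exposes requestConsent().
CONSENT_HOOK = re.compile(r"\brequestConsent\s*\(|mining-consent", re.I)
# Placement clues: code appended after the document closes, or living in core
# files where a site owner would never deliberately vendor a miner.
TRAILING_INJECTION = re.compile(r"</html>\s*<script", re.I)
CORE_FILE_PATTERNS = ("wp-includes/", "wp-admin/", "footer.php", "header.php")


@dataclass
class Finding:
    path: str
    verdict: str  # "clean" | "malicious" | "consented-miner" | "review"
    reasons: List[str]


def script_hosts(text: str) -> set:
    """Hostnames of every external <script src=...> in the file."""
    hosts = set()
    for src in SCRIPT_SRC.findall(text):
        host = urlparse(src).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def scan_file(path: str, text: str) -> Finding:
    reasons = []
    bad_hosts = sorted(h for h in script_hosts(text) if h in KNOWN_BAD_HOSTS)
    if bad_hosts:
        reasons.append("script loaded from known-bad host: " + ", ".join(bad_hosts))
    bad_wallet = any(w in text for w in KNOWN_BAD_WALLETS)
    if bad_wallet:
        reasons.append("wallet belonging to a known bad actor present")
    # Soft indicator: legitimate miners contain exactly the same code shapes.
    miner_like = bool(STRATUM_URL.search(text)) or bool(
        WASM_INSTANTIATE.search(text) and MINER_VOCAB.search(text))
    if miner_like:
        reasons.append("miner-like code (stratum URL, or WebAssembly plus mining vocabulary)")

    if not (bad_hosts or bad_wallet or miner_like):
        return Finding(path, "clean", reasons)
    if bad_hosts or bad_wallet:
        return Finding(path, "malicious", reasons)
    # Miner-like code with no known-bad infrastructure: decide on context clues.
    if TRAILING_INJECTION.search(text) or any(p in path for p in CORE_FILE_PATTERNS):
        reasons.append("miner code in a core file or appended after </html>: injection placement")
        return Finding(path, "malicious", reasons)
    if CONSENT_HOOK.search(text):
        reasons.append("consent prompt present: intentional miner, do not flag")
        return Finding(path, "consented-miner", reasons)
    reasons.append("miner-like code without consent prompt: needs human review")
    return Finding(path, "review", reasons)


def scan_site(files: Dict[str, str]) -> Dict[str, Finding]:
    return {path: scan_file(path, text) for path, text in files.items()}


# Constructed site files for the example (not captured from any real site).
SAMPLE_FILES = {
    # Attacker appended a loader after the closing tag of a theme footer.
    "wp-content/themes/shop/footer.php": (
        "<footer>...</footer></body></html>\n"
        '<script src="https://miner-cdn.example.invalid/lib.js"></script>\n'
        "<script>new Miner('4EXAMPLEBADWALLET0000').start()</script>"
    ),
    # Owner-installed miner in its own file, gated behind a consent prompt.
    "js/support-us.js": (
        "requestConsent('Donate CPU time instead of seeing ads?').then(ok => {\n"
        "  if (!ok) return;\n"
        "  WebAssembly.instantiate(wasmBytes).then(m => worker.postMessage({nonce: 0}));\n"
        "});"
    ),
    # Miner-like code dropped into a core file: placement alone condemns it.
    "wp-includes/load.php": "<?php /* ... */ ?><script>WebAssembly.instantiate(b); var hashrate = 0;</script>",
    # Miner-like code in the owner's own js/ directory but with no consent: review.
    "js/background.js": "WebAssembly.instantiate(b).then(() => postMessage({nonce: 1}));",
    "js/app.js": "document.querySelectorAll('a').forEach(a => a.addEventListener('click', track));",
}

if __name__ == "__main__":
    for finding in scan_site(SAMPLE_FILES).values():
        print(f"{finding.verdict:16} {finding.path}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

The ordering matters: a known-bad host or wallet is decisive on its own, miner-like code is only a soft signal, and the placement check runs before the consent check so that a consent string pasted into an injected payload cannot whitelist it.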
"While all indications are that crypto-jacking is not just another trend, malware and cyber threats change every day," notes Ortega.
"Protecting businesses and Web sites from cyber threats must extend beyond protection from the latest trends in malware to a holistic and proactive security strategy. In order to protect their reputation, customers and the bottom line, businesses should have a holistic security suite in place that includes automatic malware scanning and removal, Web application firewalls, and incident response plans."