Cryptojacking, a type of cyber attack in which an attacker hijacks a target’s processing power to mine cryptocurrency on the attacker’s behalf. Researchers from Fudan University, Tsinghua University and the University of California Riverside have published the first systematic study about cryptojacking in the real world called as “How You Get Shot in the Back”. This study has revealed growing sophistication in the malicious mining of Cryptocurrency, as reported by Bitcoin Magazine.
In this study, researchers have studied various characteristics of cryptojacking scripts. They built CMTracker, a behavior-based detector with two runtime profilers for automatically tracking Cryptocurrency Mining scripts and their parallel domains.
They found 2,770 uncommon cryptojacking samples from 853,936 popular web pages, including 868 among top 100K in Alexa list. By using these samples they gained a more clear picture of the attacks, including their impact, distribution mechanisms, obfuscation, and attempts to avoid detection. They further found that a different set of companies benefit from this activity because of the unique wallet ids. Not only this, to stay under the radar, they also update their attack domains.
Cryptojacking and CMTracker Design
Researchers designed and implemented a detector called CMTracker to identify this attack. After that, they crawled Alexa’s top 100K websites and found 2,770 cryptojacking pages. They calculated the damage of cryptojacking, displaying that it costs more than 278K kWh extra power daily, and hackers are earning at least 59K US dollars daily. They analyzed different aspects of the attack domains and the behaviors of scripts.
As reported by CryptoTicker, in the month of June 2018, the cybersecurity company McAfee had disclosed that thousands of websites worldwide have fallen prey to a cryptojacking malware that forces their visitors’ computers to mine cryptocurrency without them knowing when browsing the site. Hackers have extended their activity into the area of cryptojacking, the infection of user systems for the purpose of hijacking and using them to mine for cryptocurrencies. The coin miner malware grew by 629% to more than 2.9 million known samples in Q1 2018 from almost 400,000 samples in Q4 2017.
In this attack, hackers are transitioning from ransomware to malware in the blockchain industry. CoinMiner or CoinMiner-FOZU uses victim’s computer to mine new coins by infecting user executables, injecting Coinhive JavaScript into HTML files, and blocking the domains of security products to stop signature updates.
Findings
The CMTracker detected 2,770 cryptojacking websites that affect 10 million web users per month. The cryptojacking workloads cost more than 278K kWh extra power daily, the equivalent of the energy consumption of a small town with 9.3K people. Attackers are earning more than 59K US dollars daily. Researchers also concluded that different malicious domains are used in collaboration with each other. The cryptojacking pages swiftly alter their domains, causing the current blacklist-based solutions ineffective.
Observations
Researchers obtained following findings :
In their analysis, researchers extracted features of four various aspects such as redirection, deobfuscation, environmental context, and exploitation. They used the Naïve Bayes method to identify JavaScript malware samples that automatically distribute themselves on the victim machines through background downloading.
The researchers further concluded that
We estimate the real-world damage of this threat to over 10 million web users and 278K kWh extra power daily, equivalent of the energy consumption of a small town with 9.3k people. We measure the organization, life cycle, and technical details of cryptojacking webpages. Our results show that a significant number of attackers benefit from such attacks, and existing mitigation solutions are ineffective in blocking cryptojacking.
Hackers are also able to hide various payloads. Instead of injecting malicious payload directly to the cryptojacking webpages, some attacks hide their malicious code in 3rd party libraries. For example, attackers frequently inject their attack code into their own version of jQuery.js, which is a widely used JavaScript library [20]. Due to this, the malicious code is appended to the original jQuery code, which gets triggered automatically when the jQuery is loaded.
They also found that some cryptocurrency mining services, such as Coinhive, are abused to insert cryptojacking in large scale and cryptocurrency mining services have not paid enough attention to avoid abuses.
Follow us on Twitter, Facebook, Steemit, and join our Telegram channel for the latest blockchain and cryptocurrency news.
