Cryptojacking, a type of cyber attack in which an attacker hijacks a target’s processing power to mine cryptocurrency on the attacker’s behalf. Researchers from Fudan University, Tsinghua University and the University of California Riverside have published the first systematic study about cryptojacking in the real world called as “How You Get Shot in the Back”. This study has revealed growing sophistication in the malicious mining of Cryptocurrency, as reported by Bitcoin Magazine.
In this study, researchers have studied various characteristics of cryptojacking scripts. They built CMTracker, a behavior-based detector with two runtime profilers for automatically tracking Cryptocurrency Mining scripts and their parallel domains.
They found 2,770 uncommon cryptojacking samples from 853,936 popular web pages, including 868 among top 100K in Alexa list. By using these samples they gained a more clear picture of the attacks, including their impact, distribution mechanisms, obfuscation, and attempts to avoid detection. They further found that a different set of companies benefit from this activity because of the unique wallet ids. Not only this, to stay under the radar, they also update their attack domains.
Cryptojacking and CMTracker Design
Researchers designed and implemented a detector called CMTracker to identify this attack. After that, they crawled Alexa’s top 100K websites and found 2,770 cryptojacking pages. They calculated the damage of cryptojacking, displaying that it costs more than 278K kWh extra power daily, and hackers are earning at least 59K US dollars daily. They analyzed different aspects of the attack domains and the behaviors of scripts.
As reported by CryptoTicker, in the month of June 2018, the cybersecurity company McAfee had disclosed that thousands of websites worldwide have fallen prey to a cryptojacking malware that forces their visitors’ computers to mine cryptocurrency without them knowing when browsing the site. Hackers have extended their activity into the area of cryptojacking, the infection of user systems for the purpose of hijacking and using them to mine for cryptocurrencies. The coin miner malware grew by 629% to more than 2.9 million known samples in Q1 2018 from almost 400,000 samples in Q4 2017.
The CMTracker detected 2,770 cryptojacking websites that affect 10 million web users per month. The cryptojacking workloads cost more than 278K kWh extra power daily, the equivalent of the energy consumption of a small town with 9.3K people. Attackers are earning more than 59K US dollars daily. Researchers also concluded that different malicious domains are used in collaboration with each other. The cryptojacking pages swiftly alter their domains, causing the current blacklist-based solutions ineffective.
Researchers obtained following findings :
- Most malicious miners are not centrally controlled.
- Mining services and advertisers facilitate most cryptojacking websites.
- A significant number of attackers benefit from abusing cryptocurrency mining services.
- The malicious samples disappear or update frequently.
- State-of-the-art mitigations, for example, blacklists, are insufficiently to locate cryptojacking in time.
- Evasion techniques are effective against antivirus engines.
The researchers further concluded that
We estimate the real-world damage of this threat to over 10 million web users and 278K kWh extra power daily, equivalent of the energy consumption of a small town with 9.3k people. We measure the organization, life cycle, and technical details of cryptojacking webpages. Our results show that a significant number of attackers benefit from such attacks, and existing mitigation solutions are ineffective in blocking cryptojacking.
They also found that some cryptocurrency mining services, such as Coinhive, are abused to insert cryptojacking in large scale and cryptocurrency mining services have not paid enough attention to avoid abuses.