Cryptojacking – A gold rush for cybercriminals or an outdated attack scenario?
With major victims such as Tesla, Avira and Gemalto, cryptojacking has already been making appearances in the media since 2018. With the rising price values of major cryptocurrencies, clandestine mining had great potential to affect IT infrastructures, with cybercriminals facing their own gold-rush moment. Crypto mining is the process, so to speak, of inserting cryptocurrency transactions onto the blockchain ledger. With better computing techniques and high-performance servers, combined with the rapid price increases of the currencies, cryptojacking has made its way onto the scene. Cryptojacking refers to the unauthorised use of a device by a cybercriminal for the purposes of crypto mining.
Lucrativeness drops after Coinhive shutdown
Coinhive was a provider of Java scripts that could be installed on websites and used the users' computing power to mine cryptocurrencies. For a time, the main currency of these scripts was the cryptocurrency Monero, with Coinhive retaining 30% of the proceeds. In March 2019, Coinhive discontinued the service as the Monero currency lost a lot of its value. Due to the high popularity of Coinhive, the question arises of how popular cryptojacking thus still is. Researchers at the University of Cincinnati and Lakehead University in Ontario, Canada, have published a paper that explores this question.
Using a tool called CMTracker, the researchers checked around 3000 websites that had previously attracted attention as crypto mining sites. Of these 3000 websites, around 99% have given up mining. Thus, the example of Coinhive shows that the attractiveness of cryptojacking has declined massively. This is not least because placing advertisements on websites offer more financial incentives for website operators than crypto mining due to the high losses in the value of some cryptocurrencies.¹
However, the paper referred to did not analyse server-side cryptojacking. One of the biggest cases in this context was Tesla. The car manufacturer noticed compromised cloud servers in early 2018. As these attacks still offer a not inconsiderable financial added value for cybercriminals, especially in the case of large server structures of companies, and are associated with low expenditures, companies are still affected and should be aware of the issue.
Protecting companies against cryptojacking
Since the code is often not detected by common security software alone, IT security managers, in particular, should keep the following points in mind:
- Unexplained loss of performance: The clearest sign of cryptojacking is an unexplained loss of performance. Employees should be instructed to be sure to report performance losses to the IT department.
- Overheating: Cryptojacking is a very resource-intensive process and can involve systems overheating.
- CPU utilisation: Simple activity monitors allow even inexperienced users to report and monitor excessive CPU utilisation for no apparent reason.
- Monitoring the company website: The company's own website should also be regularly checked for changes, even though attacks on websites have become less attractive to cybercriminals for the reasons mentioned above.
- Raising awareness: Cybercriminals are constantly modifying attack methods and exact scenarios regardless of cryptojacking. Keeping up to date with training and general awareness of cybersecurity issues is essential for businesses.
Author: Hannes Hartung