What is Cryptojacking and How Do You Prevent It?

Cryptojacking is an emerging online security threat that uses your computing resources to steal cryptocurrencies without being detected.

The accidental invention of cryptocurrencies in 2009 has led to a lot of positive outcomes in both the tech and financial sectors. With more industries incorporating crypto in their payment systems, its popularity has only begun. But as with any new digital invention, there are drawbacks.

Cybercriminals have found several ways to exploit cryptocurrencies and scam people out of their investments. The scale of these scams is massive, with a single attack leading to the theft of millions of dollars. The biggest crypto theft in history happened last year with hackers stealing more than $600 million.

A recent trend in cybercrime is the rise of cryptojacking. We’re going to explain to you exactly how it works and how you can defend yourselves against it. 

Cryptojacking is the sanctioned use of personal and business computers for cryptomining by hackers to generate cryptocurrencies. By getting people to click on phishing links, hackers install software onto unsuspecting victims’ computers and use their computing resources for mining or straight-up stealing their crypto wallets.

Cryptomining requires dedicated mining hardware, which is very expensive. Since mining is a continuous process that requires a stable internet and electric connection, the bill can be pretty steep. This is why hackers tend to use other people’s computers to mine for them.

The basic idea behind cryptojacking is to get victims to download a piece of script. This script then executes in the background and mines for cryptocurrencies without any detection.

Cybercriminals have three primary ways to infect computers:

The most common method that hackers use to spread their malicious script is emails. The victim receives an almost legitimate-looking email that encourages them to click on a link or download a file. When they do so, the link runs a code that places the script onto their computer.

Hackers embed their cryptojacking scripts into hundreds of websites. When a user visits those websites, the script downloads and executes. Hackers also inject their malware into pop-up ads that appear on many websites. In most cases, no code is downloaded onto their computer.

Cryptojacking through the cloud is more complex in nature but also the most lucrative method. Cybercriminals go through an organization’s files to look for Application Programming Interface (API) keys. These keys grant them access to their cloud services. They can then use all the computing resources linked to the organization’s cloud to mine for cryptocurrencies. This results in an accelerated mining process and an increase in the organization’s cloud computing costs.

Graboid was the first-ever cryptojacking worm. A malware that spread itself on its own without the intervention of its creator, Graboid was termed after the 1990’s movie ‘Tremors’. It spread itself using empty Docker Engine deployments that were unauthenticated. Palo Alto Networks cited in their report that Graboid had infected almost 2000 unsecured Docker hosts. The earliest known attack of Graboid was reported to have earned cybercriminals a net of $90,000 in just 30 days.

Smominru is a malicious botnet that has wreaked havoc in the cybersecurity space from 2017 to 2018. The botnet is difficult to stop since it has regeneration capabilities and preys on Microsoft’s SMB protocol vulnerabilities. In 2018, it infected over half a million Windows servers and earned $3 million in Monero, an open-source cryptocurrency. Smominru is powered through EternalBlue, a leaked NSA exploit and the same group that caused the WannaCry ransomware attack.

Kaspersky Labs detected a Google Chrome extension that used Facebook Messenger to infect victims’ computers and termed it Facexworm. This malware initially only delivered adware, but a small variety of Facexworm was also found to carry cryptojacking scripts. Not only does it transfer malware, but it can also steal user credentials and gain access to websites, thereby multiplying itself continuously.

Detecting a cryptojacking malware that has already infected your system is pretty tricky. This malware can pass through security encryption and software undetected. There are several signs you need to look out for when it comes to cryptojacking. The first and most important is a decrease in your computer’s performance. Cryptomining takes up too much computing power in the background leaving fewer resources for your daily activity. A slower processing speed is your first sign.

The second sign, or symptom, is increased CPU usage. Use the Activity Monitor or Task Manager to watch out for hikes in CPU usage, especially if you aren’t doing anything that requires much processing power. 

Image: ResearchGate

The last symptom is overheating. This is an indirect effect of the first two symptoms. If you don’t perform any intensive tasks on your system, but it still heats up too quickly, chances are malware is running in the background.

With more cloud infrastructure growing every day, the risks are increasing as well. Cryptojacking is one major threat if you use major cloud computing platforms like AWS or Google Cloud Platform. “These cloud platforms have gigantic computational power which attracts cryptominers,” said Patrick Smith of FireStickTricks, a cybersecurity expert.

TeamTNT is one such malware. It is a cryptomining worm spreading in the AWS cloud and collecting credentials for the last two years. After gaining access, the malware deploys the XMRig mining tool to mine Monero cryptocurrency.

According to CADOSecurity, the team that first identified the TeamTNT cryptojacking malware, the tool scanned for misconfigured Docker APIs. 

“Most of the victims are with weak root account passwords, not following good Identity and Access Management practices of AWS, and have not capped the auto-scaling to manage the misuse. Many of the users are unfamiliar that their AWS account is minting cryptos for bad guys until their credit cards are maxed, and further payments are declined,” Smith added.

Last year, a self-propagating cryptominning Kinsing malware was also found to be exploiting container misconfigurations in the cloud.

We’ve compiled a few steps you can take to prevent cryptojackers from infecting your systems, business or personal:

Cyberattacks specializing in cryptocurrencies are still a relatively new threat, so not all IT workers are trained in their prevention. Educate your IT team in cryptojacking methods so they can help detect an attack before it happens. 

Install an ad-blocker or anti-cryptomining extension in your web browser to seal off this prevalent tunnel from being infected. We recommend using the minerBlock extension, which is widely considered one of the best.

If you come across any website known to have malicious code or suspicious activity, make sure to block it from your intranet. Periodically search for suspicious websites and add them to your filters.

If you have a ‘bring-your-own-device (BYOD) policy at work, make sure to devise proper mobile device management (MDM) strategies that will ensure that external devices are safe to use on the company intranet.

These policies are obviously not foolproof, as is with any cybersecurity threat. You will always have to be smart when it comes to protecting your systems from a dangerous external malware threat like cryptojacking. Always be on the lookout for suspicious activity that any software on your system cannot account for.

Have you been a victim of a cryptojacking attack or have other methods to detect it? Share your knowledge in our Hackernoon Community.