WHAT IS CRYPTOJACKING?
Although they may seem a lot more complex than other criminals, many cyber-criminals are motivated by the same things as the rest. Usually, the biggest factor is a desire for financial gain, and they have many ways to obtain that at your expense. In this article, we will talk about one of the lesser-known methods by which criminals can profit from hacking your computer or other devices. As you can probably guess from the title, we are talking about crypto-jacking. Let’s talk a little bit more about what it is and how it works.
HOW DO CRYPTOCURRENCIES WORK?
Cryptocurrencies are a form of digital money, and you have probably heard of them. This is a decentralized form of money, as it does not require the intervention of a bank or any other financial institution. Because of this, it is the only type of currency that is truly anonymous. That explains why it became popular with criminals from the very start, but it’s also very popular with normal people.
All cryptocurrency data is stored in a blockchain, which is basically a public ledger. It is a record of all transactions made using that particular currency, of which there are many. Bitcoin is, of course, the most valuable and well-known, but there are tons of others out there. Because blockchains use encryption to ensure proper security, they rely on a very complex set of algorithms to process payments and keep things running smoothly.
HOW DOES CRYPTO-MINING WORK?
Cryptomining is a process by which people can make money by helping a cryptocurrency network. It can be a very profitable endeavor, but only if you have very good hardware. Many people have found that they cannot make much money at crypto-mining without high-end PCs and expensive aftermarket parts. In particular, the GPU (Graphics Processing Unit) is very important for crypto-mining. A high-quality GPU can cost a lot of money, which keeps a lot of people out of the crypto-mining business.
HOW DOES CRYPTO-JACKING WORK?
To get around these barriers of cost, some people resort to shady and illegal methods. Instead of upgrading their PC, they simply hijack other devices. Then, they can basically “leech” off your bandwidth and put it to work mining a cryptocurrency of their choice. This is usually achieved through the injection of malicious code.
It should not surprise you to learn that phishing is the most common method of infection. Virtually all the worst cyber-attacks begin with some form of phishing, in which the hacker impersonates a legitimate source and tricks the user into giving up their personal information. E-mail phishing is the classic form, but modern hackers have branched out and learned how to phish with video calls and other forms of communication as well.
Browser pop-up ads are another common way in which these attacks are carried out. Basically, they embed a malicious script into a browser ad. They might create a fake advertisement, or they might simply hijack one made by someone else. Either way, the script will auto-run when the pop-up window is viewed. Because they require less preparation and less trickery towards the victim, browser-based crypto-jacking has become a lot more popular. In some cases, hackers might use both methods in order to hedge their bets.
HOW TO TELL IF YOU HAVE BEEN CRYPTO-JACKED
If someone has targeted you with this particular type of malware, it might be very hard to detect their efforts. After all, this isn’t like most other cyber-crimes. This is an instance in which no real harm is done to the user, although it will definitely slow down their device and the network on which it resides. Still, there is no direct theft from the victim and no direct damage to their device.
The first sign that you will see is a reduction in your computer’s speed. Loading times will go up quite a bit, as a lot of your computer’s resources are being utilized by the hacker. Believe it or not, this can also make a huge difference in your electric bill. Yes, we did say that this method doesn’t directly harm the victim, but this is one of the ways in which it indirectly does so. So, if your electric bill is going up while your device speed is going down, it might be time to take a closer look.
If you are using a Windows computer (which most of you probably are), you should take a look at your list of current processes. Hit CTRL+ALT+DEL and go to the Task Manager. The tabs at the top will allow you to look at different types of data, so take a quick look. The performance monitor (under the “Performance” tab) will give you a good idea of the resources being used by your computer.
When you are not using any programs, CPU usage should be 10% or less. A usage rate of 2-4% (when idle) is ideal. To give you an idea, this writer is currently using a Firefox browser with only two pages open. My CPU usage is about 21%. If yours is much higher than that while doing nothing except browsing, you might have a bigger problem. Crypto-jacking programs will typically use 60% of your resources or more.
Crypto-jacking can also sometimes be detected by feeling the outside of your device to see how hot it is. When most of your resources are being “jacked,” your computer has to work much harder to achieve the same objectives. As a result, it will get pretty warm after only a short time. This will probably trigger the fan to work harder, which you should also notice.
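The idle-CPU rule of thumb above (idle usage should sit around 10% or less, while a miner typically holds 60% or more) can be applied to a series of Task Manager readings rather than a single glance. The following Python is an added example, not code from the original article; the readings it uses are constructed, and the process names in them are invented for illustration.

```python
"""Flag processes that keep the CPU busy while the machine is idle.

Added example (not from the original article). A miner holds the CPU
continuously, so it exceeds the idle threshold in almost every sample;
a legitimate process that spikes once does not.
"""
from statistics import mean

# Constructed samples: each entry is one Task-Manager-style reading taken
# while the user was idle, as {process_name: cpu_percent}.  Invented data.
IDLE_SAMPLES = [
    {"System": 1.0, "firefox.exe": 3.0, "svchost.exe": 55.0, "explorer.exe": 0.5},
    {"System": 1.2, "firefox.exe": 2.1, "svchost.exe": 72.0, "explorer.exe": 0.4},
    {"System": 0.9, "firefox.exe": 18.0, "svchost.exe": 68.0, "explorer.exe": 0.3},  # one brief spike
    {"System": 1.1, "firefox.exe": 2.5, "svchost.exe": 61.0, "explorer.exe": 0.6},
    {"System": 1.0, "firefox.exe": 2.2, "svchost.exe": 65.0, "explorer.exe": 0.5},
]


def sustained_cpu_hogs(samples, threshold=10.0, min_fraction=0.8):
    """Return {name: average_cpu} for processes whose CPU share is above
    `threshold` in at least `min_fraction` of the idle samples."""
    names = set()
    for s in samples:
        names.update(s)
    suspects = {}
    for name in sorted(names):
        readings = [s.get(name, 0.0) for s in samples]
        above = sum(1 for r in readings if r > threshold)
        if above / len(readings) >= min_fraction:
            suspects[name] = round(mean(readings), 1)
    return suspects


def total_idle_cpu(samples):
    """Average of the per-sample totals: the article's 'idle should be 10% or less' check."""
    return round(mean(sum(s.values()) for s in samples), 1)


if __name__ == "__main__":
    print("total idle CPU: %.1f%%" % total_idle_cpu(IDLE_SAMPLES))
    for name, avg in sustained_cpu_hogs(IDLE_SAMPLES).items():
        print(f"sustained: {name} averages {avg}% while idle")
```

The single firefox.exe spike is not flagged, while the process that stays busy in every idle sample is, which is the difference between a normal burst of work and a miner.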
HOW TO DEFEAT CRYPTO-JACKING
Network monitoring is a great way to detect a crypto-jacker. In case you don’t know, this is just a tool that allows you to monitor every “packet” of information that is sent or received on your network. Some programs, like Nmap, can make detailed network maps showing every connection, both inbound and outbound. When a hacker is hijacking your resources for crypto-mining, they have to maintain a near-constant flow of information between your device and their server. In most cases, that flow of information can be detected in transit.
On a simpler note, adblockers can be a great way to prevent yourself from being hijacked in this way. The majority of crypto-jacking attacks make use of browser ads, so blocking them is an easy way to block the threat. There are all sorts of ad-blocking extensions that can be added to your browser, with Adblock Plus being the most popular. Any good adblocker will work, but you need to make sure you get one that is specifically designed to detect and disable crypto-mining scripts.
In the end, it is essential that you remove whatever script was installed in the first place. For those who may not know, a script is basically just a simple one-line command that a computer uses to tell its components what to do. Ordinarily, these are used by various software programs to automate functions, but malicious scripts are another story. Until that script is removed, the problem will persist.
One thing you might want to try is a system restore. Most operating systems give you an option to restore your device to an earlier time. This will remove any software that has been installed since then, including the crypto-jacking script. It will also reset your settings to an older configuration, giving you the chance to reconfigure them in a more secure way. Make sure you delete and reinstall your browser as part of this process.
Of course, we should also mention anti-malware scanners, even though they aren’t the most effective tool. These kinds of things can only guard against known threats, so they will not have the highest success rate. Nevertheless, a lot of hackers will count on you to be unwary and foolish. Thus, they might actually use something that has already been detected in the past.
HOW DID CRYPTO-JACKING BEGIN?
Believe it or not, crypto-jacking was created by subverting a tool that was meant for legitimate purposes. A crypto organization called Coinhive created a tool that was intended for website owners. The idea was to let them earn passive income through crypto-mining, allowing them to forego the use of other advertisements. A lot of internet users find pop-ups and other ads to be annoying, so this idea had some appeal.
Unfortunately, this tool was quickly recognized by hackers as a tool to make illicit money. In fact, it became a major problem in 2018 and remained so for most of 2019. According to this report, crypto-jacking made up about 23% of all recorded cyber-attacks in 2018. Coinhive voluntarily shut down all of its operations in March of 2019, and this led to a huge decrease in crypto-jacking. By 2019 it had declined from 23% to about 7%.
To get a better idea of how these attacks look in reality, let’s look at a few well-documented examples of crypto-jacking. That should enable us to get a better idea of the specifics that are involved.
First, let’s examine the “Powerghost” malware that was such a big threat in 2018. This report was made at the height of the crypto-jacking problem, and its conclusions reflect that fact. It talks extensively about the Powerghost malware, which operated without files and was used for both crypto-jacking and DDoS (distributed denial-of-service) attacks.
This one was found to be extremely sophisticated. It could detect and disable other crypto-miner programs and would even lower its CPU usage when the user was deemed to be active. This malware also disabled sleep and hibernation modes for maximum mining efficiency. Powerghost made its initial attack with a spear-phishing method but was very difficult to detect after that. Incidentally, here are the filenames under which this malware was originally detected:
If you see one of these in your malware scan results, it’s time to do a total wipe.
Of course, Powerghost is only one example, and there are plenty of others. For instance, there was another big crypto-jacking threat in 2018 known as Badshell. This name was invented by the company that first detected the malware and is based on the approach that it uses. Instead of trying to create new processes, this one hijacks legitimate processes and uses them to mine crypto. This makes them harder to detect because the bad files are hidden inside of seemingly good ones.
Badshell makes use of Windows PowerShell, a tool that is normally used for automating processes. It uses a scripting language to do its work, and that’s probably why some hacker decided to subvert it for criminal gain. Most of the malware’s code is stored in the registry, where many scanners will not go, but this one can be detected and removed by cleaning out your registry. This one isn’t too hard to remove once detected, but it goes to great lengths to avoid detection.
As a final example, we might mention this amusing story. A cybersecurity company called Darktrace noticed some unusual traffic on its network, all of it centered around a European bank with whom they did business. When the traffic was traced back to their own data center, Darktrace employees found that someone had set up a series of crypto-mining servers under the floorboards. They later found that about 1000 of their 5000 clients had been mined without their knowledge.
Although the threat of crypto-jacking has become far less serious in recent years, that is no reason to disregard the danger. As we have already seen, some past examples of crypto-jacking scripts have been very subtle and sneaky. As such, we cannot rule out the possibility that this kind of thing is still going on but has become harder to detect. Either way, we hope you have enjoyed this article and found it to be helpful. If you have any questions, you can call PCH Technologies at (856) 754-7500.