Cryptojacking is the unauthorized use of someone else’s computer to mine cryptocurrency. Hackers do this by either getting the victim to click on a malicious link in an email that loads cryptomining code on the computer, or by infecting a website or online ad with JavaScript code that auto-executes once loaded in the victim’s browser.
Either way, the cryptomining code then works in the background as unsuspecting victims use their computers normally. The only sign they might notice is slower performance or lags in execution.
Hackers have two primary ways to get a victim’s computer to secretly mine cryptocurrencies. One is to trick victims into loading cryptomining code onto their computers. This is done through phishing-like tactics: Victims receive a legitimate-looking email that encourages them to click on a link. The link runs code that places the cryptomining script on the computer. The script then runs in the background as the victim works.
The other method is to inject a script on a website or an ad that is delivered to multiple websites. Once victims visit the website or the infected ad pops up in their browsers, the script automatically executes. No code is stored on the victims’ computers. Whichever method is used, the code runs complex mathematical problems on the victims’ computers and sends the results to a server that the hacker controls.
Hackers often will use both methods to maximize their return. “Attacks use old malware tricks to deliver more reliable and persistent software as a fall back,” says Alex Vaystikh, CTO and cofounder of SecBI. For example, of 100 devices mining cryptocurrencies for a hacker, 10% might be generating income from code on the victims’ machines, while 90% do so through their web browsers.
Some cryptomining scripts have worming capabilities that allow them to infect other devices and servers on a network. It also makes them harder to find and remove; maintaining persistence on a network is in the cryptojacker's best financial interest.
To increase their ability to spread across a network, cryptomining code might include multiple versions to account for different architectures on the network. In one example described in an AT&T Alien Labs blog post, the cryptomining code simply downloads the implants for each architecture until one works.
No one knows for certain how much cryptocurrency is mined through cryptojacking, but there’s no question that the practice is rampant. Browser-based cryptojacking grew fast at first, but seems to be tapering off, likely because of cryptocurrency volatility and the closing of Coinhive, the most popular JavaScript miner that was also used for legitimate cryptomining activity, in March 2019. The 2020 SonicWall Cyber Threat Report reveals that the volume of cryptojacking attacks fell 78% in the second half of 2019 as a result of the Coinhive closure.
Positive Technologies' Cybersecurity Threatscape Q1 2019 report shows that cryptomining now accounts for only 7% of all attacks, down from 23% in early 2018. The report suggests that cybercriminals have shifted more to ransomware, which is seen as more profitable.
“There’s a lot of room for growth and evolution,” says Marc Laliberte, threat analyst at network security solutions provider WatchGuard Technologies.
In January 2018, researchers discovered the Smominru cryptomining botnet, which infected more than a half-million machines, mostly in Russia, India, and Taiwan. The botnet targeted Windows servers to mine Monero, and cybersecurity firm Proofpoint estimated that it had generated as much as $3.6 million in value as of the end of January.
Cryptojacking doesn’t even require significant technical skills. According to the report, The New Gold Rush: Cryptocurrencies Are the New Frontier of Fraud, from Digital Shadows, cryptojacking kits are available on the dark web for as little as $30.
The simple reason why cryptojacking is becoming more popular with hackers is more money for less risk.
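
The website and ad injection method described above is something a site owner can check for in their own served pages. The following is an added example, not code from the original article: it flags script and iframe sources whose host is not on an allowlist and builds a matching Content-Security-Policy value. All hostnames, the sample HTML and the function names are constructed for illustration.

```javascript
// Added example: audit served HTML for script/iframe sources outside an allowlist.
// All hostnames and the sample page below are constructed for illustration.

// Hosts the site owner expects to serve active content (assumed policy).
const ALLOWED_HOSTS = new Set(['www.shop.example', 'static.shop.example']);

// Return every <script>/<iframe> whose src resolves to a host not on the allowlist.
function findUnexpectedSources(html, pageUrl, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  const tagRe = /<(script|iframe)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const srcMatch = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[2]);
    if (!srcMatch) continue; // inline script: no external source to check
    const raw = srcMatch[1] ?? srcMatch[2] ?? srcMatch[3];
    let host;
    try {
      host = new URL(raw, pageUrl).hostname; // resolves relative and //host forms
    } catch {
      findings.push({ tag, src: raw, host: null, reason: 'unparseable src' });
      continue;
    }
    if (!allowedHosts.has(host)) {
      findings.push({ tag, src: raw, host, reason: 'host not on allowlist' });
    }
  }
  return findings;
}

// Build a Content-Security-Policy value so browsers refuse what the audit would flag.
function buildCsp(allowedHosts = ALLOWED_HOSTS) {
  const sources = [...allowedHosts].map((h) => `https://${h}`).join(' ');
  return `script-src 'self' ${sources}; frame-src 'self' ${sources}`;
}

// Constructed sample: two legitimate scripts, one injected script, one injected ad frame.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="https://static.shop.example/lib.js"></script>
<script async src="//miner.example/worker.js"></script>
</head><body>
<iframe src='https://ads.example/slot?id=1' width="1" height="1"></iframe>
</body></html>`;

console.log(findUnexpectedSources(SAMPLE_HTML, 'https://www.shop.example/cart'));
console.log(buildCsp());
```

Because browser-based mining leaves no file on the visitor's machine, the audit runs against what the server actually delivers, and the policy string is what would be sent in the `Content-Security-Policy` response header.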