Cryptomining takes a sinister turn

The recent Bitcoin frenzy has definitely stirred the attention of Malaysian regulators and industry players. Many organisations, especially those in the financial and services industries, have since raised concerns about cryptocurrency security and demanded stricter regulation to prevent criminals from abusing the system. With digital currencies quickly becoming the norm, all relevant players need to put their heads together to ensure the stability and integrity of this new financial system.

In fact, we need to act fast, as we are already seeing an increasing number of cyber thieves working their way into the system. They are using cryptominers to make money by infecting websites with malicious software.


Web-based cryptominers are malware

Cryptomining is the process used to discover Bitcoin, Monero and other cryptocurrencies such as Ethereum and Litecoin. It requires massive amounts of processing power, which slows down the computer and causes wear and tear on its hardware.

This was not always a problem because the activity was largely limited to those who chose to do it. That began to change as cryptocurrency prices skyrocketed in recent weeks. A single Bitcoin was worth USD1,000 at the start of 2017 and was valued at around USD17,000 by year’s end.

Legitimate cryptomining programs ask users for permission to run. Malicious versions do not; instead, they quietly leech a computer’s resources. SophosLabs is seeing more of the latter variety, with a new twist:

Instead of showing up as executable files, they take the form of scripts hidden on websites, mining for cryptocurrency in the browser. Visitors to these sites see no evidence of the mining. The only clues that something may be amiss are their computer slowing down and their fans revving up.

A clear example of this is Coinhive, a Monero miner that first appeared in mid-September. The number of sites hiding it has steadily increased in recent weeks, as cryptocurrency values have taken a wild trajectory skyward. For instance, recent visitors to a Buenos Aires Starbucks experienced a 10-second delay when they connected to the coffee shop’s “free” Wi-Fi, as their laptops’ power secretly went to mine cryptocoins.

Given their parasitic nature, Sophos has decided to start tagging Coinhive and other JavaScript-based cryptominers as malware to be blocked when users stumble upon a site harbouring them.

As noted above, JavaScript miners like those from Coinhive are added to websites and run in the browser, using visitors’ CPUs to generate cryptocurrency. Users may notice poor performance, a spike in CPU usage and batteries draining faster than usual.

Coinhive also works on mobile devices, and even over short periods users may notice the device’s temperature increasing dramatically.

Coinhive rises with cryptocurrency values

With the value of cryptocurrencies soaring in the last couple of weeks, SophosLabs has noticed a steady rise in sites using Coinhive scripts.

Here’s what the rise of Coinhive looks like compared to rising Bitcoin (BTC) and Monero (XMR) values:

[Charts CoinHive 01 and CoinHive 02: number of sites carrying Coinhive scripts plotted alongside BTC and XMR prices]

Coinhive markets itself as an alternative source of revenue to advertisements.

Infamous torrent site The Pirate Bay is among those to have used its code and neglected to tell visitors it was using their browsers to mine cryptocurrency. The site embedded Coinhive JavaScript code on search pages to mine for Monero.

What to do

To stay protected against JavaScript cryptominers hosted on a website, such as Coinhive, here are some steps users can take when they smell a cryptomining rat.

  1. Watch your CPU. Check Activity Monitor on a Mac or Task Manager on Windows. If your laptop has fans, you might hear them revving up to deal with the extra heat generated by a heavily-loaded CPU chip.
  2. Consider a plugin to control JavaScript. NoScript is a popular free tool that lets you keep control over intrusive JavaScript, Flash, and Java in your browser.
  3. Find out if your anti-virus detects coinmining tools. For example, Sophos products classify browser-based coinminers as PUAs (potentially unwanted applications). PUAs are not malware – they can be blocked or allowed as you choose.
  4. Patch promptly. Hackers who can break into your servers could add cryptomining code to leech ‘free money’ from all your website visitors, leaving you to bear the brunt of any complaints.

*Sumit Bansal is Managing Director of ASEAN and Korea, Sophos
