Cryptojacking Surges in Popularity

Since the emergence of Coinhive was reported the popularity of cryptojacking has increased exponentially. Coinhive allows website owners to integrate a Javascript miner on their website to generate extra revenue. The mining is done by the website user when on the website. Many websites have adopted Coinhive for exactly this purpose. People ethically employing Coinhive notify users that their computer resources are been used to mine cryptocurrency, in this instance Monero, while on the website.

While a novel idea and can be employed ethically it is open to abuse. Security researchers at Malwarebytes have released a report detailing the abuses been experienced by users globally. Malwarebytes has been one of the first major antivirus companies that have added support for blocking such scripts.

Malwarebytes’ research reveals a surge in popularity

In what was previously described as drive-by downloading, in which web-based threats infect a computer by simply visiting a website, without any other interaction required by the user, what Malwarebytes terms drive-by mining can be seen as focuses on utilizing the processing power of visitors’ computers to mine cryptocurrency. In their heyday, drive-by downloads used to force malware onto users were rightly feared as the effects of the malware could be clearly witnessed. In drive-by mining, the effects may not be so apparent but there is always the potential for hardware to fail catastrophically by being pushed too hard by the miner.

cryptojacking- surges in popularity

According to Malwarebytes’ research and records Malwarebytes products have blocked on average around 8 million requests per day to domains hosting in-browser cryptocurrency mining scripts. In total for the month of October was nearly 248 million requests during the entire month of October 2017, and most of these requests were for Coinhive, today's most popular in-browser Monero mining service. While those numbers are staggering the problem is probably worse than the numbers suggest. This is because Malwarebytes does not block Coinhive and similar scripts by default but prompts the user via a popup, letting users select what they want to do. Added to this not everybody uses Malwarebytes software which would undoubtedly increase a number of instances. The number is further increased by the fact that special proxy services have popped up online that allow some website operators to evade ad blockers and antivirus solutions by tunneling Coinhive requests through other domains.

Malwarebytes concluded that although crypto mining has a lot in its favor, the future success of web-based mining as a business model will be based on honest communication with users and the almost mandatory opt-in, which is the main characteristic that differentiates it from drive-by mining. As mentioned above websites can ethically use Coinhive by notifying users and asking for their permission. To help counter the problem a website called “WhoRunsCoinhive?” helps users track sites running Coinhive.

Nearly 2,500 e-commerce stores running mining scripts

Dutch security researcher Willem de Groot has also provided an interesting insight into the problem. In his research published on November 7, he has detected Coinhive software was detected today on 2496 e-commerce sites. At first glance, it looks like store owners may be looking to increase their profits but the expert discovered that 80% of crypto mining stores also contain payment skimming malware. This indicates that the scripts have been deployed by hackers rather than the owners of the websites.

As Coinhive require a unique ID the distribution of thieves can be determined. De Groot found that out of 2496 infected stores, 85% is linked to only 2 Coinhive accounts, while the remaining 15% is spread out over unique Coinhive accounts. Some of the websites blatantly displayed the Coinhive code but some were more stealthy in how deployed the code by disguising the code as a Sucuri Firewall.

However, it has been seen that it is not only hackers looking to exploit Coinhive in a way that is unethical. Recently the official UFC Fight Pass website, which was also caught mining cryptocurrency while users were watching UFC fights. Despite a pretty obvious screenshot and multiple users confirming the findings of security researcher Troy Mursch, the company denied it hosted the script or getting hacked to host the script.

Not even apps are safe

Research conducted by Ixia found cleverly packaged the in-app cryptocurrency mining behavior as a way to win in-game currency. However, the creator of the apps did not notify players that their devices were been used to mine cryptocurrency. In the analysis of the mobile malware, sample led to a number of crypto-currency wallets and mining pool accounts belonging to the malware author. Various coins were being mined from thousands of infected Android mobile phones, indicating a relatively high degree of activity. Total profits earned on one specific Magicoin wallet is currently sitting at 4929 XMG (1147 USD based on current exchange rates) showing it to be a fairly profitable exercise. Many of the apps seem to still be available on the Google Play Store.

While the maliciousness of mining can be argued, what is apparent is this may be the next generation of adware as thousands of users are actively mining for the personal profit of app’s creator. One can only think of what a malicious actor could do if they were to compromise the codebase of a major developer on the games and app market. Often blockchain and its associated technologies are hailed as a solution to everything however, it appears that hackers have only begun to realize how the technology can be exploited for their benefit. This problem may become worse given that mobile devices are continuously evolving often to the detriment of security. Mobile malware has historically lagged a few years behind traditional PC malware, but it always follows the same trend. Right now, crypto-coin miners have reached the mobile era and they are here to stay so long as they remain profitable to exploit. Given that manufacturers are pushing for better CPUs and GPUs to be incorporated into their mobile devices it does not look as if they will become less profitable in the near future.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal