The cryptocurrency market is now worth more than $1-trillion, making virtual money a tempting investment opportunity – and a target of cybercriminals as well.
One way hackers can profit is cryptojacking: they use social engineering and hacking techniques to put the mining script on the victim’s device and exploit its resources.
Verizon’s 2020 Data Breach Investigation Report indicates that 86% of data breaches are financially motivated. Ransomware is still the most popular way to profit, yet cryptojacking has the potential to become the usual alternative.
“When organisations have their data compromised by hackers, they face a dilemma: save the data or secure the machine by removing malware, or pay the ransom with the risk of losing both files and money,” says Juta Gurinaviciute, chief technology officer of NordVPN Teams. “For cybercriminals this is also a gamble, whether the victim will pay or sacrifice the data—or will restore it from the backup. With cryptojacking, there’s no such dilemma, as the profits stack up directly in the hacker’s digital wallet.”
If sensitive data is encrypted with ransomware, paying the demanded sum often seems like the easiest way to get the information back, but by doing so, businesses fuel criminals’ further endeavours. The overall damage of a ransomware attack can reach up to $1,45-million, and even if the enterprises pay the ransom (which averaged $178 000 in Q2 2020), there’s no guarantee of getting the stolen information back.
However, with cryptocurrencies growing in value and being recognized as legitimate money by officials, the quiet background process of illicit cryptomining, known as cryptojacking, might become a popular attack vector.
How does cryptojacking work?
While lawful miners invest into powerful hardware to mine a coin using devices’ computing power, ill-intentioned actors want to bypass this costly process and exploit the network of infected devices. This process is known as cryptojacking: hackers use phishing and software vulnerabilities to execute the cryptomining script on a victim’s device.
The surge in website cryptojacking attempts is associated with a company called Coinhive. It tried to substitute web advertising with cryptomining. Instead of being bombarded by ads, users would mine a small amount of cryptocurrency in exchange for content.
Cybercriminals were quick to harness Coinhive’s script for the bad deeds. With the website’s closure, the popularity of cryptojacking dropped, but hasn’t disappeared completely.
“Website-based cryptojacking is less of a threat today, yet illicit cryptominers try to utilize other infrastructure, such as cloud services. Hackers try to gain API keys to access the cloud networks and run the script there. If they succeed, they leverage unlimited CPU resources and increase their profits,” warns Gurinaviciute. “Cryptojacking is still in its infancy – just as the cryptomarket itself. With the advent of cloud computing, remote work and increasing reliance on digital tools, we’ll see the new attempts to profit illegally.”
It’s hard to evaluate the cost of cryptojacking. The script doesn’t aim at the victim’s data nor does it do direct damage to the machine. But as the cryptomining utilizes 100% of the CPU’s power, the machine slows down notably, and disturbs its other processes. Besides, compromised users can expect higher electricity bills and shortened computer lifecycles in the long run.
Given this, increased processor clock speed is one of the main indicators of falling victim to cryptojacking. If a PC fan roars upon launching the machine or opening a browser, users should immediately run an antimalware check. Some ingenious scripts can hide from antivirus programs, so corporate network monitoring is also crucial: sometimes, it’s easier to detect cryptojacking in an organisation’s network than it is at home.
Crypto market poses many risks
In notable cryptojacking attacks hackers targeted app building service Docker and code hosting platform GitHub. They spoofed the original projects and tried to lure the victims to download malicious browser extensions which would start cryptomining.
The unusual network traffic helped the cybersecurity firm Darktrace identify 1 000 cases of this illicit activity on their clients’ networks. Some of the cases were related to insider risk, as one employee of a European bank leveraged company infrastructure to profit.
Corporate networks are highly vulnerable, as mining malware can spread into every connected hardware device. Banking and fintech sectors should also be aware, as it’s only a matter of time until the cryptomarket is on the regulators’ radar.
There are many problems in addition to cryptojacking. The virtual coins are stored in digital wallets, and while the BitCoin or Monero itself can’t get stolen, the wallet’s key is susceptible. One of the best methods to keep it safe is to encrypt it using appropriate software, such as cloud-based NordLocker.
To mitigate the risk of cryptojacking, enterprises should include it in their security training and only use authorized programs for work.
“If hackers use a website to mine a coin, the first step is to close that browser window and inform the IT staff. If it’s browser-based mining, review your extensions, update some of them, and get rid of the others. Finally, if you’re using cloud-based services, always follow the provider’s updates on the incidents regarding cryptocurrencies,” says Gurinaviciute.