Study Reveals Growing Sophistication in Malicious Mining of Cryptocurrency
Several Chinese researchers from Fudan University, Tsinghua University and the University of California Riverside have produced the first systematic study of the malicious mining of cryptocurrencies, known as cryptojacking, unveiling increasing complexity over time. And it doesn't seem as if this trend will die down anytime soon.
What Is Cryptojacking?
Cryptojacking has asserted itself in the cybersphere as the valuation of the cryptocurrency sector soared over the past 18 months and refers to where a hacker hijacks the processing power of a computer to mine cryptocurrency on the hacker’s behalf. AdGuard reported in November 2017 that over 220 cryptojacking websites were found among the top 100,000 websites according to Alexa. And this trend is not likely to die down anytime soon.
As reported by Bitcoin Magazine in March 2018, the U.K.’s National Cyber Security Centre stated that “... it is likely in 2018-19 that one of the main threats will be a newer technique of mining cryptocurrency which exploits visitors to a website.”
The phrase “cryptojacking” burst onto the scene when it was found out that The Pirate Bay was experimenting with Coinhive in September 2017 to see if the non-profit could generate more revenue through its website. Coinhive allows you to add a script to a webpage and mine the cryptocurrency Monero (XMR) by utilizing a visitor’s processing power.
But the admins of The Pirate Bay mistakenly configured the settings to use a visitor’s entire processing power without their consent, which led to an explosion of abuse of the Coinhive service. Even though altruistic goals can be achieved using in-browser mining, as evidenced by UNICEF’s “Hope Page,” it has been increasingly utilized for nefarious purposes, with pressure mounting on services such as Coinhive to make it less attractive to cybercriminals.
Hackers can also capitalize off of a website’s weak security measures by dropping scripts into web pages to mine cryptocurrency, like what happened with the website of U.S. television program Showtime in September 2017. A recent research paper has highlighted that, even though many cases have popped up, cryptojacking may be even more prevalent than we think.
Existing Identification Techniques Only Scratch the Surface
First, the study examines the extent of cryptojacking, which has never been fully measured due to the arbitrary nature of surveying the cybersphere for this type of malicious attack. The research notes that existing approaches make assumptions that cryptojacking web pages exhausts the user’s CPU resources or contains keywords as malicious payload signatures, and it was noted that many counterexamples were discovered.
By targeting regular, repeated, hash-based computations with a cryptojacking detector called CMTracker for over 850,000 websites, the study was able to provide a more complete picture of what is really happening and noted that 53.9 percent of the identified samples would not have been uncovered by existing cryptojacking surveying approaches based on blacklists, which are both incomplete and inaccurate. Additionally, the results from CMTracker were vetted manually.
But how does CMTracker work and how did it manage to find nearly three times as many cryptojacking domains as the most recent reports? Two behavior-based profilers are used, one to detect automated mining scripts, known as the hash-based profiler, and one to monitor the calling stack of a website, known as the stack-structure based profiler. For the hash-based profiler, if a website uses more than 10 percent of its execution time on hashing, it is reported as a cryptocurrency miner.
The idea for the stack-structure profiler goes something like this: Mining tasks will not take place as the user is loading the page; rather, one or more dedicated threads are created since mining cryptocurrency comes with a heavy workload. If hackers use code obfuscation techniques to evade hash-based profiling, then the repeated behavioral patterns of the miner’s execution stack can be used to identify cryptocurrency miners.
The stack depth and call chain of mining scripts are repeated and regular. By observing whether a dedicated thread repeats its call chain periodically and whether the call chain occupies more than 30 percent of the whole execution time in this thread, a cryptocurrency miner is reported to be present. Along with the condition for a hash-based profiler, these two thresholds are the lower bounds from cryptojacking in the real world.
The final check is made manually, looking at the terms of service of each website to see if there is any user agreement that makes it clear to the user or implicit in their agreement that their processing power is being used for cryptocurrency mining while visiting the website. The study found that only 35 websites were “benign,” with implicit agreement being sought from users.
When evaluating the performance of CMTracker, the researchers chose a subset of 200 websites from the sample to manually check if cryptocurrency mining scripts were indeed running on the website in question and found no false positives. While the paper acknowledges that some cryptojacking websites may have evaded CMTracker, “... neither we nor other publicly available reports showed any evidence of real cases that can escape CMTracker’s two behavior-based detector.”
How Rampant Is the Cryptojacking Problem?
Among all the top 100,000 sites according to the Alexa rankings, the CMTracker found 868 unique domains that contain cryptojacking and on a further evaluation of external links, including 548,264 distinct domains from the top 100,000 Alexa ranked websites, found a total of 2,700 cryptojacking sites.
As compared with previous reports, the situation is getting worse over time, illustrated by the table from the study below. Observed cryptojacking activities have increased 260 percent in just five months from November 2017 to April 2018.
A 260% increase in observed cryptojacking from Nov. 2017 to Apr. 2018
The websites most affected are those related to adult content, art and entertainment; this makes sense, as most websites in these categories provide pirated sources, so users spend an extended amount of time searching for a particular movie, episode or video, which translates into higher profits for attackers. As more time is spent on the site, more processing power is committed to mine cryptocurrency.
Using a basic approximation technique based on the difficulty of mining Monero, as well as its block reward and price, the study estimated that hackers could gain $1.7 million from more than 10 million users per month.
In terms of global energy consumption, since the victims of cryptojacking are forced to consume more electricity, it costs more than 278,000 kWh extra units of power daily, enough energy to power a small American town with around 9,000 people. Using that annexed power, attackers are thought to make, collectively, around $59,000 per day.
The Main Players in the Cryptojacking Game
Who is responsible for cryptojacking? The study also investigates the players, and the figure below shows a real-world example of the interaction between each of these players. By using the distribution of different mining participants from a random subsection of their sample, some answers are provided.
The cryptojacking process visualized and the players involved
Most participant domains occur in no more than three malicious samples, and only a small percentage of mining pools, mining distributors or miner deployers are found in more than 10 web pages. The results suggest that blacklists may be ineffective as malicious miners are not centrally controlled.
Another key result is that advertisers and mining services are mostly linked to cryptojacking websites. For instance, it notes a trend of advertisers turning to malicious mining, citing zenoviaexchange.com, a service similar to Coinhive, as an example of a former advertising service provider that’s now a miner.
Also, by studying the distribution of wallet IDs associated with mining scripts and finding that a given wallet ID is commonly associated with less than three malicious web pages, the data leads to the conclusion that many different actors benefit from abusing cryptocurrency mining services.
To better understand the dynamics of cryptojacking, the research also sheds some light on the life cycle of malicious miners. Around 20 percent of the miner deployer’s domains that are cryptojacking pages in the sample disappear in under nine days, but distributors migrate to newer domains at a lower rate. the study points out that “Interestingly, blacklists do not target distributor domains even though they rarely change.”
Life cycles of cryptojacking domains; miner deployers, distributors and mining pools
Evasion can also mean something more than simply migrating to a new domain. The study finds that, out of 100 cryptojacking sites in the sample, there were 56 instances limiting CPU usage, 43 instances of payload hiding and 26 instances of code obfuscation. For instance, a pirate streaming site can take 30 percent CPU for the video and only 10 percent of CPU for mining, making it difficult for the user to notice.
Two examples highlighted in the study illustrate the increasing sophistication of cryptojacking activities. Firstly, cryptojacking may occur through code obfuscation, where the malicious mining code is hidden or buried in the code.
Another notable technique used by some cryptojacking domains involves utilizing two different mining services, for example Coinhive and Crypto-Loot. In case either of the mining deployers are blocked by Ad Blockers or are shut down, the cryptojacking domain is resistant to any failure in either Coinhive or Crypto-Loot, in case either are blacklisted.
Protection and Mitigation Measures for Cryptojacking
Given that cryptojacking participants can use more sophisticated means to evade detection, it begs the question of whether browser extensions or anti-virus programs can protect users from this sort of cyber theft. The researchers suggest that most protective measures are based on blacklists and then go on to evaluate the effectiveness of two of the most widely used blacklists in a 15-day experiment: NoCoin and MinerBlock.
The results show that less than 51 percent of malicious attacks are detected, and — due to the fact that blacklists are updated every 10 to 20 days, as compared to nine or less for mining deployers — this divergence means that the malicious actors are always one step ahead, as cryptojacking domains migrate or vanish at a higher rate. As a result, the detection rate does not increase, even though coverage does.
To effectively combat cryptojacking, the researchers propose a behavior-based approach to detection, which can then be implemented by browser extensions and anti-virus engines. As indicated by the experiments, it takes three seconds for the CMTracker to analyze a web page for cryptojacking and, when combined with a whitelist for those websites having explicit reference to the donation of processing power in the user terms of service, could effectively reduce malicious mining.
These researchers also point to cryptocurrency mining services as having paid inadequate attention to the abuse of their services; mining scripts are run without user notification and users cannot turn off these scripts. Consequently, they propose that the mining services like Coinhive, which powers half of all cryptojacking domains, should shoulder some of the responsibility. Mining services could do this by implementing a pop-up window or something similar to notify the user, allow them to deny the request and disable the mining process.
At present, there is an implementation of Coinhive called AuthedMine that is an opt-in version. As highlighted by Krebs on Security in March 2018, it is hardly used, which Coinhive has blamed on anti-malware companies. “They identify our opt-in version as a threat and block it,” Coinhive told Krebs on Security. “Why would anyone use AuthedMine if it’s blocked just as our original implementation?”
Bitcoin Magazine contacted Coinhive via email with regards to the research paper and whether their service will be modified but, at the time of writing, no response has been received.
To facilitate further research of cryptojacking, the research team plans to release the source code of CMTracker on GitHub, as well as on the cryptojacking websites list.
The full paper “How You Get Shot in the Back: A Systematical Study of Cryptojacking in the Real World” can be found here. The paper will be presented at the 2018 ACM SIGSAC Conference on Computer and Communications Security in Toronto, Canada, taking place October 15-19, 2018.