Cyber Criminals Organizing ‘Drive-By’ Coin Harvests

Dan Gunderman
11/09/2017

Cryptocurrency mining appears to be a new tactic for cyber thieves.

To envision this, picture nineteenth century California: chisels, elbow grease and some spotty gold. Now reimagine it for the digital age, with Bitcoin, web browsers, JavaScript and computing power. The two are essentially one and the same.

The practice of “cryptojacking” is gaining momentum among persistent thieves. While digital coin mining is itself a legal activity, cyber criminals have tailored it to theft by injecting mining malware into systems they do not own.

Cyber criminals are taking advantage of technology initially introduced by services like Coinhive to cash in on coins mined through visitors’ browser activity. This goes unseen by both website users and operators, according to Dark Reading.

The criminals’ payday comes only after massive chunks of computing power have been spent on the intensive computations that churn out cryptocurrencies like Bitcoin and Monero.

Using a JavaScript library, cyber criminals initiate “drive-by” heists in visitors’ browsers. The effect scales when the thieves home in on highly trafficked sites.

Soon after Bitcoin was introduced to the world, illegal ways to exploit the technology followed, circa 2011. Until about 2016, the thieves targeted users’ devices to hijack their compute power, with the malware typically delivered through phishing. Once the malware was in place, the harvesting got underway: the mathematical processes began and the digital currency flowed.


Enter Coinhive in 2016, which introduced a JavaScript-based service to mine the currency. Site operators harnessed users’ CPU power to obtain Monero. Because of loopholes, chiefly that users were unaware of the harvesting, Coinhive released a new application programming interface (API) that asks for the user’s permission first.

But Coinhive had set the stage for hackers looking to fill their pockets. They took Coinhive’s technology and inserted the API into sites running platforms like WordPress and Magento, without the consent of the site operators, according to research from Malwarebytes.

On larger sites, once the malware is injected, via the insertion of a few lines of JavaScript, every visitor’s browser runs the script, which starts the coin mining. When users leave the site, however, the thieves lose their hold on that CPU power. That is why larger sites were targeted, where users stayed for an extended period of time.
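As an added illustration of the injection pattern described above (not code from the article or from Malwarebytes’ research), here is a small scanner a site operator could run over a page’s HTML to flag script tags that load a browser-mining library or instantiate a miner inline. The miner host list and the CoinHive.Anonymous/CoinHive.User constructor names are assumptions about the Coinhive-era library, and the sample page is constructed.

```python
"""Flag Coinhive-style browser-mining scripts injected into a page's HTML."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts that served browser-mining libraries in this period.
MINER_HOSTS = {"coinhive.com", "coin-hive.com", "authedmine.com"}
# Assumption: constructor names the Coinhive library exposed to page scripts.
MINER_MARKERS = re.compile(r"CoinHive\.(Anonymous|User)\s*\(")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src=...>
        self.inline = []        # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def _host(src):
    # Scheme-relative and bare-host URLs still need a hostname; paths yield "".
    url = src if "//" in src else "//" + src
    return (urlparse(url).hostname or "").lower()


def scan_html(html):
    """Return (finding_type, evidence) tuples for miner scripts in the page."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = _host(src)
        if host in MINER_HOSTS or any(host.endswith("." + h) for h in MINER_HOSTS):
            findings.append(("external-miner-script", src))
    for body in parser.inline:
        match = MINER_MARKERS.search(body)
        if match:
            findings.append(("inline-miner-call", match.group(0)))
    return findings


# Constructed sample: a shop page with a legitimate script plus an injected miner.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/js/jquery.min.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body><p>Welcome</p>
<script>
  var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script></body></html>"""

if __name__ == "__main__":
    for kind, evidence in scan_html(SAMPLE_PAGE):
        print(f"{kind}: {evidence}")
```

A clean page returns an empty list, so the scanner can run unattended over every template a site serves.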


As for enterprise security, this illicit coin mining does not pose the most immediate threat, because the targets appear to be chosen arbitrarily. But those charged with network security should certainly be aware of the practice and block any outside attempt at it.

In Malwarebytes’ research, Lead Malware Intelligence Analyst Jerome Segura wrote, “Coinhive is the first to admit its surprise at how quickly their project has taken off. While they had a part to play in the misuse of their technology, the same could be said for website owners that kept things on the down low, rather than notifying their visitors about this new monetization tool.”

“In the end, the future success of web-based mining as a business model will be based on honest communication with users and the almost mandatory opt-in, which is the main characteristic that differentiates it from drive-by mining,” Segura wrote. “However, the same kind of abuse we have witnessed over the years with ads (i.e., malvertising) has already manifested itself and is perpetrated by dubious website owners or criminals.”

The analyst said that trust can only be gained with transparency as these technologies progress – and ultimately pose new or different threats to the enterprise.
