Cryptojacking – coming to a server-laptop-phone near you (and how to stop it)

If you’ve heard of cryptocurrency – and who hasn’t these days? – you’ve probably heard of “the blockchain”.

Technically, of course, the phrase the blockchain refers to any number of different blockchains – each cryptocurrency typically has its own – and we use the word in much the same way that we talk about “the weather” or “the automobile”.

Simply put, a blockchain is a digital list – an electronic ledger or transaction record, if you like – that is maintained by a community of volunteers, using cryptographic algorithms to make the ledger itself immune, or at least very highly resistant, to tampering by hackers.

A secure, community-created ledger like a blockchain doesn’t need a central authority to maintain it, because the community does that job, and it doesn’t rely on any one service provider to keep it backed up securely, because everyone in the community has their own copy of it and can check it for tampering any time they like.

Blockchains, therefore, are ideal for decentralised, unregulated, largely anonymous digital cash systems such as Bitcoin and Monero.

There are a couple of catches, though.

Because the blockchain relies on consensus to decide which transactions to lock in and which to reject, you need sufficiently many community members, and sufficient diversity, that no one person or cartel controls more than 50% of the community’s decision-making power.

At the same time, you need a decision-making system that means it’s only worth participating if you play by the rules, so that any fractious minority will find it computationally too expensive to try to vandalise the system with bogus transactions that take time and effort for the majority to identify and reject.

In most blockchains, the validation algorithm is therefore deliberately designed to make it time-consuming to come up with a genuine transaction confirmation.

Usually, trillions or quadrillions of computationally expensive cryptographic calculations are needed, meaning that there are no algorithmic shortcuts – it’s all down to how much computing power you have, and how much you are willing to spend on electricity (and air-conditioning!) to run your cryptocurrency computers.

To pay back the “volunteers” who perform these potentially expensive calculations, anyone who successfully confirms a new transaction – or block of transactions, thus the name blockchain – is rewarded in some way, for example via a processing fee that slices off a fraction of each of the transactions in the block and remits it to the solver as a commission payment.

Because the calculations require you to do loads of cryptographic computations, and because the rewards come from value that is essentially “dug out” of the transactions that you confirm, this process is known in the jargon as cryptomining.
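To make the “no algorithmic shortcuts” point concrete, here is a toy proof-of-work miner. It is an added illustration, not code from this article or from any real cryptocurrency: SHA-256 stands in for whatever hash the chain actually uses, the block layout is invented, and the difficulty values are chosen small so it finishes in seconds. The asymmetry it shows is the real one, though: finding a valid nonce costs about 2^difficulty hash attempts on average, while checking someone else’s answer costs exactly one.

```python
import hashlib

def block_hash(prev_hash: str, transactions: str, nonce: int) -> bytes:
    """Hash the (toy) block header fields together. Layout is constructed for this example."""
    data = f"{prev_hash}|{transactions}|{nonce}".encode()
    return hashlib.sha256(data).digest()

def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest; a block is valid when this reaches the difficulty."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count

def expected_attempts(difficulty_bits: int) -> int:
    """Average number of hashes a miner must try: each attempt succeeds with probability 2^-difficulty."""
    return 2 ** difficulty_bits

def mine(prev_hash: str, transactions: str, difficulty_bits: int):
    """Brute-force nonces from zero until the hash clears the difficulty.
    Returns (nonce, attempts). There is no way to skip ahead: every nonce must be hashed."""
    nonce = 0
    while True:
        if leading_zero_bits(block_hash(prev_hash, transactions, nonce)) >= difficulty_bits:
            return nonce, nonce + 1
        nonce += 1

def verify(prev_hash: str, transactions: str, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs a single hash, so every community member can afford to do it."""
    return leading_zero_bits(block_hash(prev_hash, transactions, nonce)) >= difficulty_bits

if __name__ == "__main__":
    prev = "0" * 64                      # constructed: hash of the previous block
    txs = "alice->bob:5;carol->dave:2"    # constructed transaction list
    for bits in (8, 12, 16):
        nonce, attempts = mine(prev, txs, bits)
        print(f"difficulty {bits:2d} bits: nonce={nonce:<8d} attempts={attempts:<8d} "
              f"expected~{expected_attempts(bits)}  verify={verify(prev, txs, nonce, bits)}")
    # Tampering with the transactions invalidates the solution (with overwhelming probability),
    # so the tamperer has to redo the whole search, not just tweak one record.
    nonce, _ = mine(prev, txs, 16)
    print("tampered block still valid?", verify(prev, txs + ";mallory->mallory:999", nonce, 16))
```

Each extra bit of difficulty doubles the expected work, which is how real chains push the search into the trillions of hashes the article mentions; it is also why a hijacked CPU is worth money to an attacker, since raw hash throughput is the only thing that counts.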

You can see where this is going.

When hijacking meets mining

If I’m a cybercrook and I can hijack your computer by implanting malware, I can use your CPU for my cryptomining.

Simply put, you pay for the electricity (and you get to fry eggs on your computer, because cryptomining is hot work for your processor), while I get to steal any cryptocurrency earned by your CPU.

Combine the phrases “cryptomining” and “computer hijacking” and you get the portmanteau word cryptojacking.

Cryptocurrency values have fallen since the start of 2018 – bitcoins, for example, are down from about $20,000 each to somewhere between $6000 and $7000 – but that hasn’t been enough to make cryptojacking attacks dry up.

After all, from a cybercrook’s point of view, it’s as good as free money, so there are plenty of criminals still willing to devote themselves to cryptojacking.

There are two main ways that cryptojacking is carried out these days:

  • Sneak dedicated cryptomining software into your network and leave it running all the time. Servers are especially at risk here: the crooks love them because they’re usually more powerful than desktops and laptops, and they’re usually running 24/7.
  • Sneak JavaScript cryptomining software into hacked web pages so that your browser mines for currency as you surf the web. The crooks get much less out of each victim – as soon as you leave the poisoned website, the mining stops – but a single hacked site could end up cryptojacking millions of visitors each day, whatever operating system they’re using.

As cyberthreats go, cryptojacking is often considered the best of a bad lot, given that it doesn’t try to plunder your confidential data, capture your passwords, map out your network, or violate your customers’ privacy.

In fact, it’s this data-neutral aspect of cryptojacking that makes it work even inside the sandbox of a web browser, because the cryptomining code doesn’t need to read files, log keystrokes or snoop on network traffic – all it needs is CPU power…

…and plenty of it.

Sadly, even mobile phones aren’t immune from cryptojacking, despite the fact that they’re usually less powerful than laptops (and a lot less powerful than servers) and in sleep mode most of the time.

As we mentioned above, even if the crooks extract no more than a few cents of ill-gotten gains a day, it’s as good as free money; it all adds up; and it’s not their phone that’s getting cooked or their battery that’s getting hammered.

Worse still, even sticking to Google Play isn’t a guarantee of avoiding apps with hidden cryptojacking features.

SophosLabs recently found a whole raft of disguised cryptojackers still available for download, even though Google itself banned cryptomining from the Play Store back in July 2018.

The apps passed themselves off as games, utilities and educational apps, but their main purpose was to make money behind your back.

What to do?

Usually, we urge Naked Security readers to avoid Android malware by sticking to the Play Store, but that’s clearly not enough on its own.

So, whatever sort of device – phone, netbook, laptop, server – you’re looking to protect from cryptojackers, consider the following:

  • Use an anti-virus that blocks both dangerous content and risky websites. Browser-based cryptojacking relies on pulling down mining code from an external web server every time you browse, so blocking known cryptojacking sites stops the malicious JavaScript arriving in the first place.
  • Watch out for unexpected CPU load. You pay an opportunity cost for cryptomining because it typically makes your laptop run as though it’s 10 years out of date. On a Mac, click the battery icon to see apps Using Significant Energy; on Windows, use Ctrl+Shift+Esc to bring up Task Manager.
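The “watch out for unexpected CPU load” advice can be turned into a simple check that runs on a server or a fleet rather than by eyeballing Task Manager. The code below is an added example, not something from this article or from Sophos. It works over per-process CPU samples that are constructed inline for the demonstration; in practice you would feed it readings collected from a library such as psutil or from whatever monitoring agent you already run (how you collect them is left as an assumption here). The distinguishing feature it looks for is what a miner produces and bursty legitimate work usually does not: a CPU figure that stays pinned near 100% for sample after sample.

```python
from collections import defaultdict

# Constructed samples: (timestamp_seconds, process_name, pid, cpu_percent), taken every 10 s.
# pid 101 mimics a browser tab that has been pinned at ~96% for a full minute;
# pid 202 mimics a legitimate job that spikes and then drops;
# pid 303 is ordinary background activity.
SAMPLES = [
    (0,  "browser",       101, 12.0), (10, "browser",       101, 95.0),
    (20, "browser",       101, 97.0), (30, "browser",       101, 96.0),
    (40, "browser",       101, 98.0), (50, "browser",       101, 97.0),
    (60, "browser",       101, 96.0),
    (0,  "video_encoder", 202, 90.0), (10, "video_encoder", 202, 92.0),
    (20, "video_encoder", 202, 15.0), (30, "video_encoder", 202, 10.0),
    (40, "video_encoder", 202, 88.0), (50, "video_encoder", 202, 91.0),
    (60, "video_encoder", 202, 20.0),
    (0,  "updater",       303, 5.0),  (10, "updater",       303, 8.0),
    (20, "updater",       303, 3.0),  (30, "updater",       303, 4.0),
    (40, "updater",       303, 6.0),  (50, "updater",       303, 5.0),
    (60, "updater",       303, 7.0),
]

def longest_high_run(values, threshold):
    """Length of the longest run of consecutive readings at or above the threshold."""
    best = run = 0
    for v in values:
        run = run + 1 if v >= threshold else 0
        best = max(best, run)
    return best

def sustained_high_cpu(samples, threshold=80.0, min_consecutive=5):
    """Flag processes whose CPU stayed >= threshold for min_consecutive samples in a row.

    threshold and min_consecutive are assumptions for this example; tune them to your
    sampling interval and to what 'normal' looks like on the machine in question.
    """
    by_pid = defaultdict(list)
    names = {}
    for ts, name, pid, cpu in sorted(samples, key=lambda s: s[0]):  # time order per process
        by_pid[pid].append(cpu)
        names[pid] = name
    flagged = []
    for pid, values in by_pid.items():
        run = longest_high_run(values, threshold)
        if run >= min_consecutive:
            flagged.append({"pid": pid, "name": names[pid], "consecutive": run,
                            "mean_cpu": round(sum(values) / len(values), 1)})
    return flagged

if __name__ == "__main__":
    for hit in sustained_high_cpu(SAMPLES):
        print(f"sustained load: pid={hit['pid']} name={hit['name']} "
              f"{hit['consecutive']} consecutive samples >= 80%, mean {hit['mean_cpu']}%")
```

A hit is a prompt to look, not proof of mining: a browser tab pinned for a minute may be a heavy web app, but it is also exactly what a page carrying mining JavaScript looks like, and on a server a process nobody recognises sitting at 100% around the clock is worth an immediate investigation.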