Cryptomining Takes a Sinister Turn
By Sumit Bansal, Managing Director of ASEAN and Korea, Sophos
The recent Bitcoin frenzy has definitely stirred the attention of Malaysian regulators and industry players. Many organisations, especially those from the financial and services industry, have since raised their concerns about cryptocurrency security and demanded stricter regulations to prevent criminals from abusing the system. As digital currencies quickly become the norm, all relevant players need to put their heads together to ensure the stability and integrity of this new financial system.
In fact, we need to act fast as we are starting to see an increasing number of cyber thieves working their way into the system. They are using cryptominers to make money by infecting websites with malicious software.
Web-based cryptominers are malware
Cryptomining is the process used to discover Bitcoin, Monero, and other cryptocurrencies such as Ethereum and Litecoin. It requires massive amounts of computer processing power, which slows down performance and causes wear and tear.
This was not always a problem because the activity was largely limited to those who chose to do it. That began to change as cryptocurrency prices skyrocketed in recent weeks. A single Bitcoin was worth USD1,000 at the start of 2017 and was valued at around USD17,000 by year’s end.
Legitimate cryptomining programs ask users for permission to run. Malicious versions do not, instead opting to quietly leech a computer’s resources. SophosLabs is seeing more of the latter variety, with a new twist:
Instead of showing up as executable files, they take the form of scripts hidden on websites, mining for cryptocurrency in the browser. Visitors to these sites see no evidence of the mining. The only clues that something may be amiss are their computer slowing down and their fans revving up.
A clear example of this is Coinhive, a Monero miner that first appeared in mid-September. The number of sites hiding it has steadily increased in recent weeks, as cryptocurrency values have taken a wild trajectory skyward. For instance, recent visitors to a Buenos Aires Starbucks experienced a 10-second delay when they connected to the coffee shop’s “free” Wi-Fi, as their laptops’ power secretly went to mine cryptocoins.
Coinhive also works on mobile devices, and even over short periods users may notice the device’s temperature increasing dramatically.
Coinhive rises with cryptocurrency values
With the value of cryptocurrencies soaring in the last couple of weeks, SophosLabs has noticed a steady rise in sites using Coinhive scripts.
Here’s what the rise of Coinhive looks like compared to rising Bitcoin (BTC) and Monero (XMR) values:
Coinhive markets itself as an alternative source of revenue to advertisements.
What to do
- Watch your CPU. Check Activity Monitor on a Mac or Task Manager on Windows. If your laptop has fans, you might hear them revving up to deal with the extra heat generated by a heavily loaded CPU.
- Find out if your anti-virus detects coinmining tools. For example, Sophos products classify browser-based coinminers as PUAs (potentially unwanted applications). PUAs are not malware – they can be blocked or allowed as you choose.
- Patch promptly. Hackers who can break into your servers could add cryptomining code to leech ‘free money’ from all your website visitors, leaving you to bear the brunt of any complaints.
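The advice above is aimed at end users, but a site owner can also check their own pages for the kind of injected browser miner the article describes. The following is an added example written for this page, not Sophos code: it parses HTML with Python's standard-library parser, collects every external and inline script, and flags those that load a script from the Coinhive host or instantiate the Coinhive mining object. The indicator list (the `coinhive.com` host, the `coinhive.min.js` file name and the `new CoinHive.Anonymous(` call pattern) is an assumption drawn from the publicly known Coinhive embed, and the two sample pages are constructed for the demonstration; the site key in the infected sample is a placeholder.

```python
"""Scan HTML for browser-based cryptominer injection indicators.

Added example, not part of the original article. The indicator list below is
an assumption based on the publicly known Coinhive embed snippet; a real
deployment would keep it in a maintained, externally sourced list.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicators: hosts that served the miner script and the file name
# and API call used by the standard embed.
MINER_HOSTS = ("coinhive.com",)
MINER_SCRIPT_FILES = ("coinhive.min.js",)
MINER_INLINE_PATTERNS = (
    re.compile(r"new\s+CoinHive\.(Anonymous|User|Token)\s*\("),
)


class _ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attributes of external scripts
        self.inline = []        # text of inline script blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers script bodies (possibly in chunks) here.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def _host_matches(url, hosts):
    # Treat protocol-relative "//host/path" URLs like absolute ones.
    parsed = urlparse(url if "//" in url else "//" + url)
    host = (parsed.hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in hosts)


def find_miner_indicators(html):
    """Return a list of (kind, evidence) tuples; empty means nothing matched."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        if _host_matches(src, MINER_HOSTS) or src.endswith(MINER_SCRIPT_FILES):
            findings.append(("external-script", src))
    for code in collector.inline:
        for pattern in MINER_INLINE_PATTERNS:
            match = pattern.search(code)
            if match:
                findings.append(("inline-script", match.group(0)))
                break
    return findings


def scan_pages(pages):
    """Scan a mapping of path -> HTML and return only the pages with findings."""
    return {path: hits for path, html in pages.items()
            if (hits := find_miner_indicators(html))}


# Constructed sample pages: one clean, one carrying an injected miner embed.
CLEAN_PAGE = """<html><head><title>Shop</title>
<script src="/static/app.js"></script></head>
<body><script>console.log("hello");</script></body></html>"""

INFECTED_PAGE = """<html><head><title>Shop</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script></head><body>Welcome</body></html>"""

if __name__ == "__main__":
    for path, hits in scan_pages({"/index.html": CLEAN_PAGE,
                                  "/promo.html": INFECTED_PAGE}).items():
        print(path, hits)
```

Run this over the HTML your web server actually delivers (for example, pages fetched from the live site rather than from your source tree), since an attacker who has broken into the server, as the last bullet warns, will have modified the deployed copy. A page that comes back flagged is the server-side counterpart of the user-side symptom in the first bullet: a CPU that stays busy for as long as the tab is open.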