Date
21 October 2018
David Maciejak, director of security research at Fortinet, said hackers targeting popular illicit sites like The Pirate Bay can earn up to US$12,000 per month. Photo: Fortinet/Reuters
David Maciejak, director of security research at Fortinet, said hackers targeting popular illicit sites like The Pirate Bay can earn up to US$12,000 per month. Photo: Fortinet/Reuters

Is your computer secretly mining cryptocurrencies?

The year 2017 saw a worldwide craze over cryptocurrencies. With the meteoric surge in the prices of bitcoin and other virtual currencies, a new type of cybercrime has emerged: cryptojacking. This involves hackers who secretly use other people’s computing devices to mine cryptocurrencies (usually Monero, one of the lesser-known tokens in crypto-space.)

Several popular websites, such as The Pirate Bay, local online forum Baby Kingdom, and even Chrome Explorer extension, have been exploited by hackers to cryptojack the users’ computers. It has also been reported that the free WiFi at a Starbucks café in Argentina has been broken into for the same purpose.

The Hong Kong Economic Journal recently talked with David Maciejak, director of security research at Fortinet, the global cybersecurity solutions provider, about cryptojacking, how it works, its impacts, and what we can do to protect our computing resources. Here are excerpts from that email interview:

HKEJ: How does cryptojacking work?

A: Cryptojacking is the secret use of your computing device to mine cryptocurrency. By loading a script into your web browser that contains a unique site key, a cybercriminal can make you enrich him with cryptocurrency − without your knowledge − every time you turn on your computer and visit certain websites.

The script was written in JavaScript and is easily embeddable into any web page. Once a computer user visits such compromised pages, their computing power is hijacked for the currency mining process. The more time users spend on the web pages, the more CPU cycles can be consumed.

Q: Does the hacking technology/mining scripts only apply to a specific cryptocurrency, e.g., Monero, but not bitcoin or ethereum? Why?

A: No. Cryptojacking can capitalize on all cryptocurrencies, including Bitcoin, Ethereum, Monero, etc. The cryptoNight algorithm used by Monero is designed to be suitable for ordinary PC CPUs.

Q: Can cryptojacking be done by individual hackers? Or does it need a huge amount of computing resources from a hacker group to execute, e.g., plant scripts?

A: Cryptojacking can be done by individual hackers but need an attack vector, like what we saw these last weeks when some people posted some fake ads redirecting to cryptojacking sites on Twitter or Facebook. Once a computer user visits such compromised pages, their computing power is hijacked for the currency mining process. The more time users spend on the web pages, the more CPU cycles can be consumed. This explains why hackers typically pick illicit video streaming websites, where people stay for hours watching movies or TV serials, to plant such scripts.

Q: Is there any chance that the hacker can plant the scripts for cryptojacking via social media platforms, e.g., Facebook, Twitter, or popular websites, e.g., Reddit, Google, or even online gaming platforms?

A: Yes. FortiGuard team has found scripts being embedded in these platforms. Twitter took some actions already to block links that could redirect users to CoinHive, a company that debuted a script that could start mining the cryptocurrency Monero when a webpage loaded.

Q: Do you think hackers can also engage in cryptojacking via apps, particularly popular Apps such as Facebook, Instagram and YouTube? In general, which operating system is more vulnerable to cryptojacking via apps, Android or iOS or others?

A: Yes. Cryptojacking can be commenced via apps. Industry security researchers have found apps with malicious cryptocurrency mining capabilities on Google Play. These apps used dynamic JavaScript loading and native code injection to avoid detection. The effects on users of affected devices are clear: increased device wear and tear, reduced battery life, comparably slower performance.

Q: How about cloud services or WiFi sources? Do you think hackers can make use of them to mine cryptocurrency? How can cloud/WiFi users identify and prevent cryptojacking?

A: Yes, and it happened already. Hackers hacked a Starbucks WiFi system to load in-browser miners. On Dec. 2, 2017, a Twitter user called Noah Dinkin posted a screenshot that showed a public WiFi available at a Starbucks store in Buenos Aires, Argentina, had been hacked and edited with unusual code. Dinkin claimed the code forced a delay when he first connected to the internet there, allowing the WiFi provider to mine bitcoin using his computer’s processing power.

Q: Do you expect cryptojacking will continue to occur due to the surging cryptocurrency prices as well as the mining arms race?

A: Yes it will, but it’s not generating much money in the short term. Maybe hackers will switch to something else.

Q: Do you think cryptojacking can be developed and regulated into an experiential revenue source for online publishers/webpage owners with the user’s consent?

A: Yes, that is possible in some countries where that practice is not considered yet as a cyber attack. On the technical side, it’s already possible to configure the miner not to consume all the CPU resources.

Q: Who is doing this hacking? Can we trace the cryptojacking miners?

A: Monero is by definition secure, private and untraceable. The Monero transactions are untraceable by design, making the tracing of cryptominers almost impossible.

Q: Do you have any estimates on the size of impacted users of cryptojacking or money that hackers can earn from it?

A: Back-of-the-envelope calculations by security researchers show that cryptojacking can be lucrative – hackers targeting popular illicit sites like The Pirate Bay can earn up to US$12,000 per month.

Q: In addition to cryptojacking, what are the other cybersecurity threats/concerns confronting the public, especially those who have invested in cryptocurrency?

A: It is essential to secure your wallet as a wallet in your computer is just like any other file. Don’t let the wallets remain stored in your computer as malware can also dig into your hard drive to find and steal them. If you really want to do so, you should back up your wallet with encryption. Ideally, I would suggest not to keep your wallet at all in your computer. You could, for example, invest in a hardware wallet which is a secure USB device.

– Contact us at [email protected]

BN/CG

EJ Insight writer

EJI Weekly Newsletter

Please click here to unsubscribe