How to Prevent Web Browsers from Cryptojacking

Finjan TeamBlog, Cybersecurity

Finjan How to Prevent Web Browsers from Cryptojacking

In what’s become a worrying and growing trend, private and corporate web browsers are increasingly being co-opted as tools for generating cryptocurrency, via a process known as cryptojacking.

This trend comes in response to the massive growth of cryptocurrencies – digital units of exchange that use encryption and blockchain technology to authenticate currency owners and validate transactions. The sometimes ridiculously high market valuations of cryptocurrencies like Bitcoin, Ethereum, and Monero have fueled a volatile boom that’s got existing and potential traders looking for any and all means to acquire cryptocurrency – including deceptive methods like this.

What is Cryptojacking?

Cryptojacking is a technique which allows websites or external actors to hijack the system resources of remote computer users, for the purpose of generating or mining cryptocurrency. These resources include electricity and processing power – both of which may easily be had from the central processing unit (CPU), graphics processing unit (GPU), and internal hardware of desktop and mobile devices.

A top of the line cryptocurrency like Bitcoin requires vast amounts of electricity and computing power to mine currency units via the solution of extremely complex mathematical equations. So Bitcoin operations tend to be the reserve of large networks which can readily assemble the hardware and generating capacity that’s needed for the job.

But even second-tier cryptocurrencies like Monero and Ethereum require substantial resources to mine – resources that may not be available to the typical operator at this level. Cryptojacking can bring such resources within their reach. Which is why this technique has been gaining in popularity.

Technically, it’s not actually illegal in many jurisdictions. In fact, a number of websites (most notably, the torrenting platform Pirate Bay) have been using this method as an alternative to on-site advertising, to generate revenue. This comes in response to the growing trend among users to employ ad blockers and Virtual Private Network (VPN) software, to frustrate the efforts of location trackers and promotional targeting.

The main objection to these so-called “legitimate” schemes is the same as the issue with malicious attacks: The cryptojacking scripts are run without the user/victim’s full knowledge of or consent to what’s actually going on. Typically, there are no clear mechanisms for opting out (or even for actively opting in), and no controls for setting or metering how much of the user’s system resources are being given over to the site or attacker’s efforts.

How Web Browsers Can Be Used in Cryptojacking

Cryptojacking is usually accomplished via either of two mechanisms. In the first, the victim is lured into clicking on a malicious link contained in an email or message, by standard techniques such as phishing or social engineering scams. The link will cause a malware payload containing the code to be downloaded and installed on the user’s system.

Malicious advertising (or “malvertising”) panels containing cryptojacking scripts, or the direct injection of code into web pages may be used in the second mechanism, which enables the illicit operators to extend their traps across multiple websites. There’s no need for any code to be stored on the victim’s computer because the script runs automatically within their web browser once an infected ad pops up, or they visit one of the infected websites.

Most of these browser-based attacks exploit JavaScript, which is widely used across the web, and often allowed to run automatically in people’s web browsers by default. The Coinhive JavaScript miner, which is used for legitimate cryptocurrency mining activity on certain websites, is publicly distributed. And the independent cryptojacking scripts are either straightforward to code, or freely available to acquire from the Dark Web.

For this reason, it’s been possible for crypto jacking operators to create and distribute web browser extensions laced with crypto jacking code, which can extend their influence to potentially millions of systems running popular web browsers.

As an example, a variety of the Facexworm malware which targets cryptocurrency exchanges is also capable of delivering cryptomining code. This package has been discovered in an extension for Google Chrome web browsers that uses Facebook Messenger to infect a victim’s computer.

The Scale of the Problem

Studies conducted by independent security researcher Willem de Groot in late 2017 revealed some 2,496 individual websites which were running a crypto-mining / crypto jacking script. Around the same time, security researcher Gabriel Cirlig discovered two apps on the Google Play Store (with a combined 15 million downloads between them) which housed crypto-jacking code.

And the use of crypto jacking code in web browsers and malware attacks is a growing problem. Statistics from security firm McAfee Labs noted a 629% rise in the total usage of coin mining malware in the first quarter of 2018 alone. The USA accounts for around 32% of all attempted crypto jacking traffic, with Spain, France, Italy, and Canada following its lead.

In January 2018, researchers discovered the Smominru cryptomining botnet, which infected over half a million systems, mainly in Russia, India, and Taiwan. The attack targeted Windows web servers to mine Monero and netted an estimated $3.6 million in revenue for the attackers. This was in a market where complete crypto jacking kits can be had on the Dark Web for as little as $30, and illustrates the “low risk, high gain” nature of the crypto jacking strategy.

Preventing Cryptojacking in Web Browsers

One of the reasons why cryptojacking has been making the news but hasn’t excited any great sense of urgency at high levels is that – on all but the lowest powered systems – the technique doesn’t cause lasting damage to the victim’s machine, or compromise any of their data and programs. The success of a cryptojacking scheme depends on stealth, with the code running in the background, and the victim pretty much unaware of its presence or activity.

That said, more intensive and ruthless cryptojacking campaigns can put a strain on battery-powered devices and ultimately reduce the life of the hardware. At corporate levels, the compromise of several systems within an enterprise can reduce network performance and availability.

And from an ethical standpoint, the perpetrators of cryptojacking attacks really shouldn’t be allowed to get away Scot free.

There are several measures which may be called upon to help prevent cryptojacking in web browsers and networked applications. These include:

  • Install ad-blockers or anti-cryptomining extensions on web browsers: There are a number of such extensions available for various platforms. For example, No Coin for Google Chrome or Firefox, and MinerBlock for Chrome attempt to block connections that match with known cryptojackers. Ad blockers may be configured to block known and newly identified cryptojacking domains.
  • Use ad filters to block Coinhive on the Opera web browser: This feature exists in Opera 50 and later releases, and is found under the “Block ads” option of the Settings menu.
  • Use script blocking extensions to neutralize JavaScript: Examples include ScriptSafe for Chrome and Firefox (which warns you before scripts can be run), and NoScript for Mozilla (Firefox and its derivatives). Note that disabling JavaScript entirely can cripple the functionality of many websites, so use these tools with caution.
  • Close infected browser tabs: If a sudden and sustained spike occurs in CPU activity (as noted by your operating system’s process monitor, or a dedicated system monitoring utility), closing the browser tab or window that’s responsible will halt the attack – so long as the cryptojacking script is web-based, and hasn’t installed malware on your machine.
  • Set up “kill” protocols for web-delivered cryptojacking scripts: This is a follow-on from the previous point, which requires network administrators to note website URLs or extensions to web browsers from which scripts originate, and update network web filters to block them in future.
  • Monitor your devices, networks, and resources: Monitoring should look out for abnormal increases in hardware activity (CPU, GPU, dwindling system resources, rising temperatures, etc.), and protocols should be in place to isolate any problem devices or processes that are identified. This approach should cover both on-site installations and any cloud infrastructure you may have.
  • Consider using cloud-based web browsers: These run off-site and isolated in the cloud, with centrally managed and monitored security measures that may be superior to those that can be provided by you, or your organization.
  • Include cryptojacking in corporate security awareness training: This should include making employees aware of the warning signs that indicate a cryptojacking attack (increase in system CPU usage, slowing down of application responses, heating of devices, etc.), as well as knowledge of desirable and unwanted extensions for web browsers, and email / anti-phishing protocols to guard against two-pronged attacks that exploit web browsers and attempt to get users to allow the installation of malware.

Finally, you should update your antivirus software, or upgrade to an anti-malware solution that scans your web browsers and net-connected applications periodically and in real time, for signs of cryptojacking activity or infection.

Share this Post

Finjan How to Prevent Web Browsers from Cryptojacking
Article Name
Cryptojacking | Is Your Web Browser Being Used to Generate Bitcoin?
In a growing trend, private and corporate web browsers are increasingly being co-opted as tools for generating cryptocurrency (aka cryptojacking).
Publisher Name
Publisher Logo