Cryptojacking cyberattacks: Is the end now in sight?

For some crooks, sneaky cryptocurrency mining may not be lucrative enough anymore. The question is, where do they go next?
Written by Danny Palmer, Senior Writer

The operators of Coinhive, the in-browser miner for Monero cryptocurrency, announced in a blog post last month that it was to shut down, saying that the project just wasn't economically viable anymore.

The initial idea behind Coinhive was that it could become a replacement for the ubiquitous banner ads on websites; instead of making money from displaying ads, websites could use the Coinhive code to generate cryptocurrency by borrowing some of the processing power of the PCs that visited the sites.  

The closure of Coinhive is something of a blow to in-browser cryptocurrency miners focusing their efforts on Monero, which has risen to become one of the major 'alt-coin' alternatives to Bitcoin. The make-up of the cryptocurrency means that unlike Bitcoin, it doesn't need a specialised set-up to mine for coins, allowing normal computers to do the hard work.

But the relative simplicity of mining Monero this way had also attracted the attention of malicious users. Cyber criminals realised they could take Coinhive code and covertly deploy it on websites, ordering it to exploit the processing power of visitors' machines to mine for Monero. The proceeds are channelled into a wallet owned by the attacker, with the visitor — and the website — likely unaware their machine has been exploited to fund criminal operations.

These cryptojacking attacks became so popular that Coinhive rose to become the most common form of software distributed for malicious purposes, with almost five percent of all Monero thought to have been mined by malicious botnets.

The cryptocurrency also comes with an additional benefit for hackers — Monero is highly anonymised, making users difficult to identify and leading to it being used as the main form of payment on a number of underground forums popular with cyber criminals.


Coinhive may not have been conceived as a malicious tool, but now it's being shut down, it's going to cut off one of the most common methods attackers use to illicitly make Monero. So does this reflect broader changes in the world of cryptojacking?

"Coinhive accounts for around 60 percent of the cryptojacking market — which means there are 40 percent which are others already in use, so we'll probably see a spike in those," says Chris Dawson, threat intelligence lead at security company Proofpoint.

Other mining services like XMRig could rise up and take the place of Coinhive, or there could be a new entry into the market, looking to mine an alternative alt-coin like Litecoin or Ethereum.

"We'll certainly see a shift to other cryptojacking technologies, using whatever the flavour of the day is in the desktop mineable cryptocurrency," Dawson adds.

It's also possible that Coinhive itself could still remain active in some capacity — versions of it have previously been posted to open-source sharing communities, meaning that there's potential for someone else to come along and start providing the service once again.

"Many of the tools and services used in cryptojacking operations — including CoinHive — are open-sourced and available on the open internet, thus allowing for anyone with a criminal motivation to take those tools, re-purpose them, and use them in ways other than intended," says Randi Eitzman, senior threat pursuit analyst at FireEye.

"The actual coins being mined and scripts being used may change over time, but the act of theft for criminal profit will remain," she adds.

While the value of cryptocurrency has fallen rapidly in the last year or two, Monero is still a highly popular choice — especially among cyber criminals — and that means they'll continue to look for new ways to acquire it.

"Although Monero is losing value, and the forks leave users uncertain about its future, the currency still provides anonymity — the main reason why it has become so popular among cyber criminals," says Lotem Finkelstein, threat intelligence group manager at Check Point.


However, for some crooks the shifting economics of cryptocurrencies may make it time to change; in particular the more technically savvy attackers could switch their campaigns to something potentially far more damaging, such as data-stealing trojan malware or network-encrypting ransomware.

"Mining was an easy add on. Now we're seeing a shift away from that towards banking trojans, credential stealers, pieces of malware which sit on machines," says Dawson.

"There's continued ebb and flow of the malware we're seeing and things like EternalBlue are out there and until we're robustly patching, we're going to continue to see threat actors trying to exploit that," he adds.

But for some cyber attackers, the simplicity of cryptojacking is what makes it appealing — there's little to no chance of being caught, let alone arrested, and even if very little is being made, it's still free cryptocurrency for the attacker. And despite Coinhive's sudden inactivity, that's always going to be appealing to cyber criminals.

"Based on our knowledge of underground actors and the tools and techniques used by financially motivated ones, this is likely a blip on the radar when considering the overall history of cryptojacking operations," says Eitzman.

