Hijacking Computers for Cryptocurrency Mining

Interesting paper "A first look at browser-based cryptojacking":

Abstract: In this paper, we examine the recent trend towards in-browser mining of cryptocurrencies; in particular, the mining of Monero through Coinhive and similar code-bases. In this model, a user visiting a website will download a JavaScript code that executes client-side in her browser, mines a cryptocurrency, typically without her consent or knowledge, and pays out the seigniorage to the website. Websites may consciously employ this as an alternative or to supplement advertisement revenue, may offer premium content in exchange for mining, or may be unwittingly serving the code as a result of a breach (in which case the seigniorage is collected by the attacker). The cryptocurrency Monero is preferred seemingly for its unfriendliness to large-scale ASIC mining that would drive browser-based efforts out of the market, as well as for its purported privacy features. In this paper, we survey this landscape, conduct some measurements to establish its prevalence and profitability, outline an ethical framework for considering whether it should be classified as an attack or business opportunity, and make suggestions for the detection, mitigation and/or prevention of browser-based mining for non-consenting users.
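One way a site owner could check for the breach case the abstract mentions (miner code served unwittingly, with the payout going to someone else), as an added example that is not from the paper or this post. It assumes Coinhive-style includes served from `coinhive.com` or the consent-prompting `authedmine.com`, and site keys passed to `CoinHive.Anonymous` / `CoinHive.User`; the keys and sample pages are constructed placeholders.

```javascript
// Constructed audit helper (not Coinhive's or the paper's code). Host names and the
// CoinHive.Anonymous / CoinHive.User constructors are assumptions, see the lead-in.
const MINER_HOSTS = new Map([
  ['coinhive.com', 'silent'],    // miner starts without asking the visitor
  ['authedmine.com', 'opt-in'],  // variant that asks for consent first
]);

function minerMode(hostname) {
  for (const [host, mode] of MINER_HOSTS) {
    if (hostname === host || hostname.endsWith('.' + host)) return mode;
  }
  return null;
}

// ownedKeys: site keys the operator registered (empty if the site should not mine).
function auditHtml(html, ownedKeys = []) {
  const includes = [];
  const srcRe = /<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  for (const m of html.matchAll(srcRe)) {
    let hostname;
    try {
      hostname = new URL(m[1], 'https://page.invalid/').hostname; // resolves //host/... too
    } catch (e) {
      continue; // unparsable src: nothing to classify
    }
    const mode = minerMode(hostname.toLowerCase());
    if (mode) includes.push({ src: m[1], mode });
  }
  const keyRe = /\bCoinHive\.(?:Anonymous|User)\s*\(\s*["']([^"']+)["']/g;
  const keys = [...html.matchAll(keyRe)].map((m) => m[1]);
  const foreignKeys = keys.filter((k) => !ownedKeys.includes(k));
  let verdict = 'clean';
  if (foreignKeys.length) verdict = 'foreign-key';     // payout goes to someone else
  else if (keys.length) verdict = 'own-key';           // operator's own deployment
  else if (includes.length) verdict = 'unattributed';  // miner loaded, key not in this page
  return { verdict, includes, keys, foreignKeys };
}

// Constructed sample pages and placeholder keys, for illustration only.
const OWN_KEY = 'EXAMPLE-OWNER-KEY';
const samplePages = {
  plain: '<html><script src="/js/app.js"></script></html>',
  ownOptIn: '<script src="https://authedmine.com/lib/authedmine.min.js"></script>' +
    `<script>new CoinHive.Anonymous('${OWN_KEY}').start();</script>`,
  injected: '<script src="//coinhive.com/lib/coinhive.min.js"></script>' +
    "<script>var m = new CoinHive.Anonymous('EXAMPLE-UNKNOWN-KEY'); m.start();</script>",
};
```

A `foreign-key` or `unattributed` verdict on a page you operate is the signal to review how that script tag got there.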

Posted on March 21, 2018 at 6:27 AM • 33 Comments

Comments

Grauhut March 21, 2018 8:08 AM

I wouldn't call this hijacking, since these scripts only run if someone allowed js running in an opened browser window. The owner of that system and browser allowed execution of js software from unknown sources on loading a page on it.

May sound hard, but that's the way it is.

If this is hijacking, placing tracking bugs mining user behaviour without consent on a web page is also hijacking.

LeftyAce March 21, 2018 8:45 AM

Grauhut, it's still hijacking, the same way taking over an aircraft is hijacking regardless of whether or not the cockpit was locked.

Sven March 21, 2018 8:47 AM

I would love to see this adopted by all websites that currently make money from tracking, advertising, and surveillance. I'd much rather pay for web content with electricity and cpu time than with my personal information. And the amount you contribute is proportional to the amount of time you spend on the site.

Does anyone know if this is at all economically feasible vs advertising?

cowbert March 21, 2018 8:52 AM

I frequently consult for Fortune 500 companies on big data and I have not yet seen a sane browser-originated malware policy yet. All of these enterprise desktop provisioning processes repackage their browsers, with many of them even including Chrome, but they never either whitelist or ship the browser with an ad blocker.

At the same time, these companies have all bought and implemented traffic sniffing firewalls at their perimeter, usually either a Barracuda or Zscaler product and yet, either these products do not implement adserver blocklists or these companies have neither bought these modules (if I were either of these cybersecurity manufacturers, I could make a killing doing this), nor enabled this functionality.

Of course, this doesn't stop the same enterprise from buying and using ProofPoint URL rewriting software for email phishing mitigation nor piling on "endpoint protection" software on the (usually Windows) OS that ends up consuming the same amount of CPU for "realtime process inspection" that a browser miner would have consumed and is unable to mitigate the browser miner anyway.

Grauhut March 21, 2018 9:11 AM

@LeftyAce "Grauhut, it's still hijacking, the same way taking over an aircraft is hijacking regardless of whether or not the cockpit was locked."

Are you really using a single threaded single user os for web browsing? :)

If you want to compare this to aircraft, js cryptomining is more like putting another cargo container on board of a cargo plane that still flies to its planned destination.

HiTechHiTouch March 21, 2018 9:36 AM

Slate magazine is openly doing this.

Went to read an article the other day and they put up a big screen saying "if you want to read, then allow us to use your computer to mine while you do so".

Stuart Lynne March 21, 2018 10:59 AM

How long until the RansomWare attacks convert to simply using cryptocurrency mining as an alternative to paying the ransom?

Once the system is hijacked, it will put up the number of coins needed to ransom the system, with that being decremented by local mining efforts. If the system gets to zero by mining or by being paid off it unlocks.

That would eliminate the need for some people to figure out how to buy and submit coins. That would increase the revenue stream for the ransomware attackers.

(required) March 21, 2018 12:08 PM

"If you want to compare this to aircraft, js cryptomining is more like putting another cargo container on board of a cargo plane that still flies to its planned destination."

Without permission or even an expectation, without knowing WHAT that cargo ACTUALLY is.
And there's really no reason to expect only a single low-churn instance of it either.

If you're allowing them to put one box on board without actual consent why not 100?
Why not allow them to install a permanent backdoor since you don't seem to mind?

justinacolmena March 21, 2018 12:51 PM

... a user visiting a website will download a JavaScript code that executes client-side in her browser, mines a cryptocurrency, typically without her consent or knowledge, and pays out the seigniorage to the website.

Not much you can do about that, as long as advertisers and "content providers" insist on the right to run said arbitrary JavaScript code in the user's browser. The attitude persists, on the part of such media and advertising companies, that they are providing a "service" by displaying some content or information for the user's view, and somehow the "consumer" is obligated to pay for that service somehow.

At the same time, Big Media and Big Marketing do not wish to hide their aforementioned "content" behind an explicit "pay wall" — because then the "sale" would then fall through if the consumer knew what she was being forced to pay for her access to the "content" being served to her.

As a consequence, "consumers" require several defenses to browse the web safely these days.

  • Use a good ad blocker.
  • Disable JavaScript on untrusted websites.
  • Block third-party cookies.
  • Refuse persistent HTML5 and Flash local storage.
  • Treat all cookies as session cookies.
  • ...

Do you people ever read the news on the Web? Do you even remember the good old days of news in print when it was considered rude if someone looked over your shoulder when you were reading the newspaper? In those days you had a choice: read the free weekly, or put a quarter or two in the machine for the Seattle Post or the New York Times or whatnot. It was on the honor system, and no one looked over your shoulder when you read YOUR paper, either. And if you even so much as checked your oil at the local service station, you were offered a free cup of coffee, not charged $5.00+ for a "blonde" latte or something like that.

I've had it with "micro-transactions" and all the nickel-and-diming on the web. I already have to PAY by the gigabyte for all the ads that I "view," whether or not I choose to buy their stuff. They need to back off already and give me my space.

(required) March 21, 2018 1:17 PM

@Wendy - Yep.

@Justina

Unfortunately like Facebook or anything else there are enough happy fools to validate these campaigns and ensure they propagate and become a new norm of re-undermining individual expectations of control.

Garret Frank March 21, 2018 2:05 PM

Stuart:

The ransomware model doesn't apply to cryptocurrency malware. A ransomware scenario allows the user to decide whether their data is worth sitting and staring at an unusable device for the indefinite amount of time required to get to a particular coin count, while garden variety undetected cryptocurrency malware infestation just continues mining forever without significant risk of the user doing anything that will interrupt the revenue stream.

Who? March 21, 2018 2:25 PM

Open your favourite performance measurement tool, let us say top(1), in a BSD or Linux operating system, go to google.com and do nothing. Just listen to the tool. Look how CPU load increases up to 30%, temperature gets higher, fans run faster... What is Google running on our computers? Why?

They are hijacking our computers to run some mining software. Are we, perhaps, doing the work that should be done on their datacenters?

randomuunrelatedvictimstance March 21, 2018 2:31 PM

"Only females dare to not default to a female hypothetical user."

Yeah, play the gender victim... that's related. Or you could just get over it (like a male might do)

Thunderbird March 21, 2018 2:50 PM

The problem with content (by which I mean actual information or entertainment) is that it costs money to produce, which means it has to generate some kind of payment. This client-side-mining thing is just a weird way of (poorly) implementing micropayments (or alternately, a way for criminals to cut themselves a slice of your CPU salami).

It should be easy to come up with a mechanism to slow selected javascript reducing the client-side cost to near zero, so the browser folks will probably do that. That will be countered by disguising the mining code as "useful" code. Rinse, repeat.

Mochtroid-X March 21, 2018 3:12 PM

@Who?

I did what you said with and without blocking enabled yet Firefox is only peaking at 9% CPU and not even for a second.

justinacolmena March 21, 2018 5:03 PM

@SomeoneRandom: Her? I thought 'user' is gender neutral.
@MoreRandom: Absolutely focus on grammar. Do agree though, the compulsive need to placate is going too far these days. Only females dare to not default to a female hypothetical user.

Translation: Get out of our man cave! Back to the kitchen!

God, I need knives and guns and everything to fight back against these guys!

Because my computer is not your man cave.

Who? March 21, 2018 5:31 PM

@ Mochtroid-X

It happens on all my computers (OpenBSD, most of them, FreeBSD, Gentoo, CentOS and Ubuntu). CPU load increases from 20 up to 30 percent as soon as I open google.com and remains high until I close the tab with Google's search engine main page. It happened for months.

Perhaps it depends on the browser, all these machines run Firefox (some are quantum releases, others are pre-quantum).

Who? March 21, 2018 5:41 PM

I pressed "Submit" too early.

...all these machines run different versions of Firefox, with a somewhat secure configuration (incognito mode by default, allowing cookies (except for third parties) and clearing them when closing the browser, javascript disabled, disk cache disabled, tracking protection enabled...)

Grauhut March 21, 2018 7:19 PM

@Wendy: "IMO both your examples are hijacking."

Kind of.

Attached a list of Hijackers the WaPo presstitutes try to sell my data to:


Grauhut March 21, 2018 7:29 PM

@(required): "If you're allowing them to put one box on board without actual consent why not 100? Why not allow them to install a permanent backdoor since you don't seem to mind?"

Do I really have to add /sarc tags? :D

If I want to be sold 100 times I just open a typical presstitute page without a hardened browser environment.

But such things don't happen in my regular workspace software world, it's all blocked there. I just did my security homework.

(required) March 21, 2018 9:57 PM

Sarcasm implies people know you're of sound mind generally. You need that requisite.

I don't know you.

me March 22, 2018 9:03 AM

@Who
That's a known Firefox / Google bug that's been around for a long time:

"Hidden CSS animated spinner causes high CPU load on Google search pages if not logged in"; bugzilla 1218169

Google sucks, because they could easily fix this and simply don't care. Mozilla / Firefox sucks, because it's using huge amounts of CPU doing nothing. Any kind of animation is extremely wasteful in CPU usage.

Mochtroid-X March 22, 2018 9:24 AM

@Who?

I have a similar setup but with the HTTPS Everywhere/Privacy Badger/Ublock Origin addons. I usually watch Firefox's resource usage anyway, since Windows 98 and having to get that bugger to comfortably fit in 512mb. I can't honestly be sure it's a bug like @me says because Firefox has always been awful at these things.

Oh really March 22, 2018 12:35 PM

" I just did my security homework. "

Oh wow, you installed an adblocker. Congratulations.

Who? March 22, 2018 5:08 PM

@ Mochtroid-X, me

I did not know about this error. I'm glad to see that Google is not trying to use our computing power to help them undermine the privacy of the world.

We can see this one not as a bug but as a feature that helps us check we are not logged into Google when doing a search. I have not a Google account right now but I had one years ago. My goal is not helping them make a profile about me to sell to anyone willing to pay for it.

Thanks! It is nice to know this CPU load is not a consequence of running some unwanted code on our computers.

RealFakeNews March 24, 2018 12:37 AM

@LeftyAce:

@Grauhut, it's still hijacking, the same way taking over an aircraft is hijacking regardless of whether or not the cockpit was locked.

It doesn't "take over" though - it just steals what would be idle CPU cycles. At worst, it increases your power consumption, so in that way it is stealing your CPU time and electricity.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.