Cryptojacking instances in Australia are on the rise

by Seth Goldhammer, Director of Product Marketing, LogRhythm

One weekend in February, prominent government websites from around the world began triggering alerts in users’ anti-virus.

State government websites including from Queensland and Victoria were among those impacted, although timezones sheltered Australians from the worst of the issues.

The culprit would wind up being a third party software library incorporated into all of the impacted sites. A single hosted script file in the library was compromised to mine the Monero cryptocurrency on any page it was loaded into.

Thus governments got a taste of cryptojacking, where cryptocurrency miners are run in the background of sites, without the site owner’s permission, to generate virtual coins that can later be exchanged for fiat.

Rather than target each individual government site, those behind the February attack targeted a common element each site shared, thus improving their chances of financial success.

“If you want to load a crypto miner on 1,000+ websites you don't attack 1,000+ websites, you attack the 1 website that they all load content from,” security researcher Scott Helme said. “In this case it turned out that Text Help, an assistive technology provider, had been compromised.”

Various services, such as Coinhive, CoinImp, Coinpot, and others allow you to mine cryptocurrency - usually Monero - by simply visiting a webpage.

Monero is favoured because, unlike Bitcoin, it requires less compute to mine - making it possible to make use of a desktop computer, rather than specialist or large clusters of hardware. Monero also offers complete anonymity.

Cryptojacking applications often don’t have a high return on investment (ROI). This is partly because a portion of the mining proceeds goes to the overarching script owner. In addition, cryptocurrency values are down generally since interest in virtual coins peaked at the end of 2017.

However, cryptojacking still offers a quick and easy way to mine cryptocurrency without the need to install anything on the target system.

This works particularly well if you can get a large number of systems to visit a website or download a piece of infected code and mine on your behalf, as occurred in the government infection. Coinhive is the most commonly observed web application crypto-mining provider. It delivers quick and easy JavaScript that can be injected into existing websites and advertisements, allowing the miner to profit from small amounts of CPU utilization over time.

While it is possible to notify website visitors that this is happening - there is an ‘ethical’ version of Coinhive used by charities and others to find new ways of generating donations or revenue - often attackers will run this application passively in the background.

This occurs by copying and modifying the Coinhive JavaScript code. This method of passively running crypto-mining applications is what is referred to as cryptojacking.

The prevalence of cryptojacking in Australia is hard to quantify, though worldwide it is on the rise.

One recent piece of research saw instances of cryptomining malware double in the space of a quarter. AdGuard also found cryptojacking scripts on over 33,000 sites in a sweep of the internet made in late 2017.

Australia ranks second in the Asia Pacific region and eighth in the world in terms of reports of users being targeted by cryptojacking attacks.

It isn’t just governments and corporates being impacted. A Brisbane-based computer tech noticed one of his client’s energy bills quadruple after setting up a new computer. After investigation, he found the machine had been cryptojacked.

Passively mining cryptocurrency in the background of normal computer functions is a far less significant risk than other possible attack scenarios that IT users might face.

However, it is becoming a more significant issue as passively mining cryptocurrency becomes more widespread and impacts energy costs or even destroys hardware.

There is also growing evidence that cryptojackers are becoming more sophisticated - or sneaky - in the way they approach a target.

Security researchers at Michigan State University claimed that the “most successful cryptojacking efforts are on streaming media sites, because they have lots of visitors who stay a long time”.

“Other sites extend a user’s apparent visit time by opening a tiny additional browser window and placing it in a hard-to-spot part of the screen, say, behind the taskbar,” the researchers said.

“So even after a user closes the original window, the site stays connected and continues to mine cryptocurrency.”

Fortunately, detecting cryptojacking activity is really straightforward.

In fact, browser add-ons such as uBlock Origin will block a majority of cryptominers by default. And if you’re on a website or are otherwise affected by a cryptominer, you’ll see your web browser processes spiking.
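The two signals described above (requests to a known mining service, and browser processes that stay pegged) can be turned into simple detection logic. The following is an added example written for this article, not code from LogRhythm or from any of the services named; the proxy log lines, hostnames (all under the reserved `.example` domain), process names and CPU readings are constructed sample data, and the indicator substrings are taken from the service names the article mentions rather than from a verified indicator feed.

```python
"""Added example: two cryptojacking detection heuristics over constructed data.

1. Proxy-log indicator matching: flag requests whose URL references a
   browser-mining service (service names from the article; hostnames and
   script paths below are constructed, not verified indicators).
2. Process-level heuristic: flag a browser process whose CPU samples stay
   above a threshold for a sustained run, i.e. "browser processes spiking".
"""
import re
from collections import namedtuple

# Hypothetical indicator list, matched case-insensitively as URL substrings.
MINER_INDICATORS = ("coinhive", "coin-hive", "coinimp", "coinpot")

# Constructed proxy log in a simplified "timestamp client url status" format.
SAMPLE_PROXY_LOG = """\
2018-02-11T10:00:01Z 10.0.0.12 https://www.example-gov.test/index.html 200
2018-02-11T10:00:02Z 10.0.0.12 https://cdn.example-assistive.test/plugin.js 200
2018-02-11T10:00:02Z 10.0.0.12 https://coinhive.example/lib/coinhive.min.js 200
2018-02-11T10:00:03Z 10.0.0.12 wss://ws.coinhive.example/proxy 101
2018-02-11T10:00:04Z 10.0.0.15 https://www.coinimp.example/miner.js 200
2018-02-11T10:00:05Z 10.0.0.20 https://news.example.test/article.html 200
"""

_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
Hit = namedtuple("Hit", "timestamp client url indicator")


def parse_proxy_line(line):
    """Return (timestamp, client, url, status) or None for a malformed line."""
    m = _LINE_RE.match(line.strip())
    return m.groups() if m else None


def find_miner_requests(log_text):
    """Return a Hit for each request whose URL contains a miner indicator."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_proxy_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the sweep
        ts, client, url, _status = parsed
        lowered = url.lower()
        for ind in MINER_INDICATORS:
            if ind in lowered:
                hits.append(Hit(ts, client, url, ind))
                break
    return hits


def clients_with_miner_traffic(log_text):
    """Distinct client addresses that fetched a miner script or its relay."""
    return sorted({h.client for h in find_miner_requests(log_text)})


def sustained_cpu(samples, threshold=70.0, min_consecutive=5):
    """True if `samples` (percent CPU per interval) contain `min_consecutive`
    consecutive readings at or above `threshold`. A single short spike does
    not qualify; a miner keeps the core busy for the whole visit."""
    run = 0
    for s in samples:
        run = run + 1 if s >= threshold else 0
        if run >= min_consecutive:
            return True
    return False


# Constructed per-process CPU samples (percent, one reading per second).
SAMPLE_CPU = {
    "browser.exe (pid 4120)": [12, 9, 88, 91, 94, 93, 90, 89, 92, 95],
    "browser.exe (pid 4188)": [5, 40, 72, 20, 3, 1, 0, 2, 1, 0],
    "editor.exe (pid 2200)": [3, 2, 2, 4, 3, 2, 2, 3, 2, 1],
}


def suspicious_processes(cpu_samples, threshold=70.0, min_consecutive=5):
    """Names of processes whose CPU stayed high for a sustained run."""
    return [name for name, s in cpu_samples.items()
            if sustained_cpu(s, threshold, min_consecutive)]


if __name__ == "__main__":
    for h in find_miner_requests(SAMPLE_PROXY_LOG):
        print(f"{h.timestamp} {h.client} matched '{h.indicator}': {h.url}")
    print("clients with miner traffic:", clients_with_miner_traffic(SAMPLE_PROXY_LOG))
    print("sustained-CPU processes:", suspicious_processes(SAMPLE_CPU))
```

The log matcher catches both the script download and the WebSocket relay connection, which is useful because a script copied and self-hosted (as the article notes attackers do) still has to talk to a mining pool. The CPU heuristic deliberately requires a run of high readings so that an ordinary page render, which spikes briefly, is not reported.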
