Is your computer being hijacked to mine Crypto-Currency?

16th April 2019

We’ve all sat at our computers surfing the web, whether shopping, researching or just going with the flow, and come across those moments when things start to slow down or the computer starts to behave a little more erratically. There may be a very simple explanation: your computer may have been hijacked by crypto-currency miners who are using your power and CPU to mine coins for them. I’ve termed the more illicit uses of crypto-mining Crypto-Jacking, as they are based upon subverting the computing power of website visitors to power the miners’ efforts.

If you don’t mind, I’ll start by giving an introduction to coin mining for those that may not be aware of what happens in the background. Crypto-currencies are based upon Blockchains which require massive amounts of computer power to solve complex algorithms in order to make payments. A Blockchain is based upon a distributed computing model where participants collectively solve the algorithms on behalf of the chain. As a reward for solving these puzzles, they are rewarded with coins or a piece of cryptocurrency. Companies who actively seek to solve algorithms are known as coin miners. The more they solve, the more they earn.

The challenge for the miners is that the computer power required to solve the algorithms is large and expensive plus they’re in competition with other miners who are also trying to process the same information in exchange for coins. A way that they try and balance out the demand for computing power is to use what they see as redundant capacity on other people’s hardware which they access via the internet and through your browsers using software or code embedded in websites. Sometimes you will know that this is happening and other times it will be hidden from you. Typically, however, it is hidden from website visitors.

Not all crypto-mining is done for illicit purposes; it can have benefits for all parties. You may, for example, want to host a community or charity website and not use third-party advertising. The lack of advertising may cause a loss of income, and so in exchange such a site uses crypto-mining as a form of income generation. Some sites will give you the option to opt in or out, so that you choose to participate freely. However, most sites don’t make you aware or, at best, include it in the small print of the terms and conditions. But it’s important not to tar all sites with the same brush, so it’s of value to understand both sides of the coin.

As crypto-mining is resource intensive, the more demanding Bitcoin is not normally used by the miners, and so most miners use an alternate currency. The most common alternative, chosen because it is less demanding, is Monero, which was seen in the CBS Showtime (1) website incident.

Within the Showtime website, code was found which used a mining tool called Coinhive. The site carried JavaScript that ran in users’ browsers to take advantage of their CPU capacity. When the code was found, it was removed; however, CBS may themselves have been an unknowing participant, as it is believed that the code was placed there by hackers and that CBS were not benefiting from it themselves.

There are alternative mining solutions on the internet for ‘commercial’ use, including Minecrunch, Hashforcash, Coinblind and Cloudcoins. As Coinhive is the most common variant you are likely to come across, I will use it as an example throughout the rest of this article.

Coinhive works with the Monero Blockchain and, like other crypto-miners, uses JavaScript embedded in a website to mine for coins. Once an account has been set up, embedding Coinhive into a website is a simple case of including the following code.

<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.User('SITE_KEY', 'Fred-Smith');
miner.start();
</script>

It’s that simple, and a bit shocking how easy it is. Those five lines of code generate income for the website or account owner by leveraging the computing power of visitors to a website. A simple explanation of what is happening in the background is that the code calls the servers over the internet and runs some code to start the mining. The visitor to the site gets nothing yet provides the power for the miners. Is it any surprise that crypto-jacking is a growing concern?

So, what’s in it for the Crypto-Jackers? For every algorithm they solve, known as a Hash, Coinhive says they will pay the Jackers around 70% of the payment they receive. A hash pays very little on its own and thus thresholds are set before payments are made. This, in turn, means that for this to be of value to Crypto-Jackers, the site volume needs to be high enough to warrant the effort. A low-traffic site is unlikely to be used by Crypto-Jackers, although caution should still be taken.

Signs that you might be Crypto-Jacked include a spike in your CPU use, which in turn may result in your cooling fan starting, and other signs such as a slower than expected response from a website or your computer. If you’re more technically minded, a visit to Task Manager in Windows or Activity Monitor on a Mac will show the CPU usage on your computer.

So, you think you’re using websites that are potentially crypto-jacked, or you’re now a bit nervous about this risk. Is there anything you can do about it? Luckily yes, there are a few proactive steps that you can take, and I’ve shown the three main ones below.

The first is a browser add-on such as Mining Blocker in Firefox. Mining Blocker attempts to detect, within the code you download when you visit a website, illicit code that is used by the crypto-miners and then blocks it. A good browser add-on is a nice, simple, proactive way to mitigate some of the risks.

The second option is to check whether the website has been compromised or is known to include crypto-mining code. NotMining.org, for example, is a free online service that will indicate whether it believes a site is clean or tainted.

The third option takes a bit of research in advance and requires you to block or blacklist the site that serves the mining code (2). Using the example, we can block the following URL https://coin-hive.com/lib/coinhive.min.js and the code will not execute, as the browser is not able to fetch it. If you look at the code example shown earlier you will see the URL example. To generate a blacklist of sites you can use a browser add-on if you want to keep it simple.
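The check behind the second and third options can be sketched in a few lines. This is an added example, not code from the original article or from any of the tools it names: it scans a page’s HTML source for script tags served from blocklisted hosts and for inline creation of the miner object. The function names, the blocklist contents (only the two hosts that appear in this article) and the sample pages are assumptions made for illustration.

```javascript
// Added example: flag references to in-browser miner hosts in a page's source.
// BLOCKED_HOSTS holds only the two hosts that appear in this article.
const BLOCKED_HOSTS = ['coinhive.com', 'coin-hive.com'];

// True when host equals a blocked domain or is a subdomain of one.
// Matching on ".domain" avoids false hits such as "notcoinhive.com".
function isBlockedHost(host, blocklist = BLOCKED_HOSTS) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return blocklist.some((d) => h === d || h.endsWith('.' + d));
}

// Return a list of findings for one page's HTML source.
function findMinerIndicators(html, pageUrl, blocklist = BLOCKED_HOSTS) {
  const findings = [];
  // External scripts: resolve each src against the page URL, then check the host.
  const srcRe = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  for (const m of html.matchAll(srcRe)) {
    let host;
    try {
      host = new URL(m[1], pageUrl).hostname;
    } catch (e) {
      continue; // unparseable src, nothing to check
    }
    if (isBlockedHost(host, blocklist)) {
      findings.push({ type: 'blocked-script-host', host, src: m[1] });
    }
  }
  // Inline scripts: the miner object is constructed before it is started.
  const inlineRe = /new\s+CoinHive\.(User|Anonymous)\s*\(/g;
  for (const m of html.matchAll(inlineRe)) {
    findings.push({ type: 'miner-constructor', api: 'CoinHive.' + m[1] });
  }
  return findings;
}

// Constructed sample pages (not real sites).
const SAMPLE_TAINTED = `<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.User('SITE_KEY', 'Fred-Smith'); miner.start();</script>
</head></html>`;
const SAMPLE_CLEAN = `<html><head>
<script src="/js/app.js"></script>
<script src="https://coinhive.com.example/lib.js"></script>
</head></html>`;

console.log(findMinerIndicators(SAMPLE_TAINTED, 'https://shop.example/'));
console.log(findMinerIndicators(SAMPLE_CLEAN, 'https://shop.example/'));
```

A match on the script host alone is enough to justify blocking; the inline pattern catches pages that load the library from a host not yet on the list.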

Crypto-jacking is absolutely something we should all be aware of, as it takes our computing power away from us and is leveraged for the benefit of others. It’s not always for negative reasons and it’s very much a grey area. The mining scripts are not considered to be viruses or Trojans and they don’t steal personal information (today). It’s worth noting that your virus cleaner may not detect crypto-jacking code, so a little awareness is required.

Next time your computer seems a little slow when you’re on the internet, there may be a reason why, and just smacking the monitor may not be the fix. Enjoy your internet browsing.

References

(1) CBS Mining — Theregister.co.uk. (2018). CBS’s Showtime caught mining crypto-coins in viewers’ web browsers. [online] Available at: https://www.theregister.co.uk/2017/09/25/showtime_hit_with_coinmining_script/ [Accessed 5 Feb. 2018].

(2) wikiHow. (2018). How to View Source Code. [online] Available at: https://www.wikihow.com/View-Source-Code [Accessed 5 Feb. 2018].