Hijacking Computers for Cryptocurrency Mining

Interesting paper “A first look at browser-based cryptojacking”:

Abstract: In this paper, we examine the recent trend towards in-browser mining of cryptocurrencies; in particular, the mining of Monero through Coinhive and similar code-bases. In this model, a user visiting a website will download a JavaScript code that executes client-side in her browser, mines a cryptocurrency, typically without her consent or knowledge, and pays out the seigniorage to the website. Websites may consciously employ this as an alternative or to supplement advertisement revenue, may offer premium content in exchange for mining, or may be unwittingly serving the code as a result of a breach (in which case the seigniorage is collected by the attacker). The cryptocurrency Monero is preferred seemingly for its unfriendliness to large-scale ASIC mining that would drive browser-based efforts out of the market, as well as for its purported privacy features. In this paper, we survey this landscape, conduct some measurements to establish its prevalence and profitability, outline an ethical framework for considering whether it should be classified as an attack or business opportunity, and make suggestions for the detection, mitigation and/or prevention of browser-based mining for non-consenting users.
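A site owner worried about the breach case the abstract describes (a page "unwittingly serving the code") can start by listing which origins their pages load scripts from. The sketch below is an added example, not code from the paper or this post; the sample HTML, host names, allowlist and function names are constructed, and the WebAssembly-plus-Worker check is only a hint for manual review, not proof of mining.

```javascript
// Added example: list script origins in a page and flag ones not on an allowlist.
// SAMPLE_HTML, ALLOWED_HOSTS and every host name here are constructed for illustration.
const SAMPLE_HTML = `
<html><head>
<script src="https://static.example-news.test/app.js"></script>
<script src="//cdn.analytics-vendor.test/tag.js" async></script>
<script src="https://miner-pool.test/lib/worker.min.js"></script>
<script>var m = new Worker('/w.js'); WebAssembly.instantiate(buf);</script>
</head><body>article</body></html>`;

const ALLOWED_HOSTS = ['example-news.test', 'analytics-vendor.test'];

// True if host equals an allowed domain or is a subdomain of one.
// The leading dot prevents "evilexample-news.test" from matching.
function hostAllowed(host, allowed) {
  return allowed.some(d => host === d || host.endsWith('.' + d));
}

// Returns a list of findings: external scripts from unexpected hosts, and
// inline scripts that combine WebAssembly with Web Workers (review hint only).
function auditScripts(html, pageUrl, allowed) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (src) {
      const raw = src[1] ?? src[2] ?? src[3];
      let host;
      try {
        // Resolves relative and protocol-relative URLs against the page URL.
        host = new URL(raw, pageUrl).hostname;
      } catch {
        findings.push({ kind: 'unparseable-src', detail: raw });
        continue;
      }
      if (!hostAllowed(host, allowed)) findings.push({ kind: 'unexpected-host', detail: host });
    } else if (/\bWebAssembly\b/.test(body) && /\bnew\s+Worker\b/.test(body)) {
      findings.push({ kind: 'inline-wasm-worker', detail: body.trim().slice(0, 40) });
    }
  }
  return findings;
}

console.log(auditScripts(SAMPLE_HTML, 'https://www.example-news.test/story', ALLOWED_HOSTS));
```

A static scan like this misses scripts injected at runtime, so it complements rather than replaces a Content-Security-Policy `script-src` allowlist enforced by the browser.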

Posted on March 21, 2018 at 6:27 AM • 33 Comments

Comments

Grauhut March 21, 2018 8:08 AM

I wouldn’t call this hijacking, since these scripts only run if someone allowed js running in an opened browser window. The owner of that system and browser allowed execution of js software from unknown sources on loading a page on it.

May sound hard, but that’s the way it is.

If this is hijacking, placing tracking bugs mining user behaviour without consent on a web page is also hijacking.

LeftyAce March 21, 2018 8:45 AM

Grauhut, it’s still hijacking, the same way taking over an aircraft is hijacking regardless of whether or not the cockpit was locked.

Sven March 21, 2018 8:47 AM

I would love to see this adopted by all websites that currently make money from tracking, advertising, and surveillance. I’d much rather pay for web content with electricity and cpu time than with my personal information. And the amount you contribute is proportional to the amount of time you spend on the site.

Does anyone know if this is at all economically feasible vs advertising?

cowbert March 21, 2018 8:52 AM

I frequently consult for Fortune 500 companies on big data and I have not yet seen a sane browser-originated malware policy. All of these enterprise desktop provisioning processes repackage their browsers, with many of them even including Chrome, but they never either whitelist or ship the browser with an ad blocker.

At the same time, these companies have all bought and implemented traffic sniffing firewalls at their perimeter, usually either a Barracuda or Zscaler product and yet, either these products do not implement adserver blocklists or these companies have neither bought these modules (if I were either of these cybersecurity manufacturers, I could make a killing doing this), nor enabled this functionality.

Of course, this doesn’t stop the same enterprise from buying and using ProofPoint URL rewriting software for email phishing mitigation nor piling on “endpoint protection” software on the (usually Windows) OS that ends up consuming the same amount of CPU for “realtime process inspection” that a browser miner would have consumed and is unable to mitigate the browser miner anyway.

Grauhut March 21, 2018 9:11 AM

@LeftyAce “Grauhut, it’s still hijacking, the same way taking over an aircraft is hijacking regardless of whether or not the cockpit was locked.”

Are you really using a single threaded single user os for web browsing? 🙂

If you want to compare this to aircraft, js cryptomining is more like putting another cargo container on board of a cargo plane that still flies to its planned destination.

HiTechHiTouch March 21, 2018 9:36 AM

Slate magazine is openly doing this.

Went to read an article the other day and they put up a big screen saying “if you want to read, then allow us to use your computer to mine while you do so”.

Stuart Lynne March 21, 2018 10:59 AM

How long until the RansomWare attacks convert to simply using cryptocurrency mining as an alternative to paying the ransom?

Once the system is hijacked, it will put up the number of coins needed to ransom the system, with that being decremented by local mining efforts. If the system gets to zero by mining or by being paid off it unlocks.

That would eliminate the need for some people to figure out how to buy and submit coins. That would increase the revenue stream for the ransomware attackers.

(required) March 21, 2018 12:08 PM

“If you want to compare this to aircraft, js cryptomining is more like putting another cargo container on board of a cargo plane that still flies to its planned destination.”

Without permission or even an expectation, without knowing WHAT that cargo ACTUALLY is.
And there’s really no reason to expect only a single low-churn instance of it either.

If you’re allowing them to put one box on board without actual consent why not 100?
Why not allow them to install a permanent backdoor since you don’t seem to mind?

justinacolmena March 21, 2018 12:51 PM

… a user visiting a website will download a JavaScript code that executes client-side in her browser, mines a cryptocurrency, typically without her consent or knowledge, and pays out the seigniorage to the website.

Not much you can do about that, as long as advertisers and “content providers” insist on the right to run said arbitrary JavaScript code in the user’s browser. The attitude persists, on the part of such media and advertising companies, that they are providing a “service” by displaying some content or information for the user’s view, and somehow the “consumer” is obligated to pay for that service somehow.

At the same time, Big Media and Big Marketing do not wish to hide their aforementioned “content” behind an explicit “pay wall” — because then the “sale” would then fall through if the consumer knew what she was being forced to pay for her access to the “content” being served to her.

As a consequence, “consumers” require several defenses to browse the web safely these days.

  • Use a good ad blocker.
  • Disable JavaScript on untrusted websites.
  • Block third-party cookies.
  • Refuse persistent HTML5 and Flash local storage.
  • Treat all cookies as session cookies.

Do you people ever read the news on the Web? Do you even remember the good old days of news in print when it was considered rude if someone looked over your shoulder when you were reading the newspaper? In those days you had a choice: read the free weekly, or put a quarter or two in the machine for the Seattle Post or the New York Times or whatnot. It was on the honor system, and no one looked over your shoulder when you read YOUR paper, either. And if you even so much as checked your oil at the local service station, you were offered a free cup of coffee, not charged $5.00+ for a “blonde” latte or something like that.

I’ve had it with “micro-transactions” and all the nickel-and-diming on the web. I already have to PAY by the gigabyte for all the ads that I “view,” whether or not I choose to buy their stuff. They need to back off already and give me my space.

(required) March 21, 2018 1:17 PM

@Wendy – Yep.

@Justina

Unfortunately like Facebook or anything else there are enough happy fools to validate these campaigns and ensure they propagate and become a new norm of re-undermining individual expectations of control.

Garret Frank March 21, 2018 2:05 PM

Stuart:

The ransomware model doesn’t apply to cryptocurrency malware. A ransomware scenario allows the user to decide whether their data is worth sitting and staring at an unusable device for the indefinite amount of time required to get to a particular coin count, while garden variety undetected cryptocurrency malware infestation just continues mining forever without significant risk of the user doing anything that will interrupt the revenue stream.

Who? March 21, 2018 2:25 PM

Open your favourite performance measurement tool, let us say top(1), in a BSD or Linux operating system, go to google.com and do nothing. Just listen to the tool. Look how CPU load increases up to 30%, temperature gets higher, fans run faster… What is Google running on our computers? Why?

They are hijacking our computers to run some mining software. Are we, perhaps, doing the work that should be done on their datacenters?

randomuunrelatedvictimstance March 21, 2018 2:31 PM

“Only females dare to not default to a female hypothetical user.”

Yeah, play the gender victim… that’s related. Or you could just get over it (like a male might do)

Thunderbird March 21, 2018 2:50 PM

The problem with content (by which I mean actual information or entertainment) is that it costs money to produce, which means it has to generate some kind of payment. This client-side-mining thing is just a weird way of (poorly) implementing micropayments (or alternately, a way for criminals to cut themselves a slice of your CPU salami).

It should be easy to come up with a mechanism to slow selected javascript reducing the client-side cost to near zero, so the browser folks will probably do that. That will be countered by disguising the mining code as “useful” code. Rinse, repeat.

Mochtroid-X March 21, 2018 3:12 PM

@Who?

I did what you said with and without blocking enabled yet Firefox is only peaking at 9% CPU and not even for a second.

justinacolmena March 21, 2018 5:03 PM

@SomeoneRandom: Her? I thought ‘user’ is gender neutral.
@MoreRandom: Absolutely focus on grammar. Do agree though, the compulsive need to placate is going too far these days. Only females dare to not default to a female hypothetical user.

Translation: Get out of our man cave! Back to the kitchen!

God, I need knives and guns and everything to fight back against these guys!

Because my computer is not your man cave.

Who? March 21, 2018 5:31 PM

@ Mochtroid-X

It happens on all my computers (OpenBSD, most of them, FreeBSD, Gentoo, CentOS and Ubuntu). CPU load increases from 20 up to 30 percent as soon as I open google.com and remains high until I close the tab with Google’s search engine main page. It happened for months.

Perhaps it depends on the browser, all these machines run Firefox (some are quantum releases, others are pre-quantum).

Who? March 21, 2018 5:41 PM

I pressed “Submit” too early.

…all these machines run different versions of Firefox, with a somewhat secure configuration (incognito mode by default, allowing cookies (except for third parties) and clearing them when closing the browser, javascript disabled, disk cache disabled, tracking protection enabled…)

Grauhut March 21, 2018 7:19 PM

@Wendy: “IMO both your examples are hijacking.”

Kind of.

Attached a list of Hijackers the WaPo presstitutes try to sell my data to:


Grauhut March 21, 2018 7:29 PM

@(required): “If you’re allowing them to put one box on board without actual consent why not 100? Why not allow them to install a permanent backdoor since you don’t seem to mind?”

Do I really have to add /sarc tags? 😀

If I want to be sold 100 times I just open a typical presstitute page without a hardened browser environment.

But such things don’t happen in my regular workspace software world, it’s all blocked there. I just did my security homework.

(required) March 21, 2018 9:57 PM

Sarcasm implies people know you’re of sound mind generally. You need that requisite.

I don’t know you.

me March 22, 2018 9:03 AM

@Who
That’s a known Firefox / Google bug that’s been around for a long time:

“Hidden CSS animated spinner causes high CPU load on Google search pages if not logged in”; bugzilla 1218169

Google sucks, because they could easily fix this and simply don’t care. Mozilla / Firefox sucks, because it’s using huge amounts of CPU doing nothing. Any kind of animation is extremely wasteful in CPU usage.

Mochtroid-X March 22, 2018 9:24 AM

@Who?

I have a similar setup but with the HTTPS Everywhere/Privacy Badger/Ublock Origin addons. I usually watch Firefox’s resource usage anyway, since Windows 98 and having to get that bugger to comfortably fit in 512mb. I can’t honestly be sure it’s a bug like @me says because Firefox has always been awful at these things.

Who? March 22, 2018 5:08 PM

@ Mochtroid-X, me

I did not know about this error. I’m glad to see that Google is not trying to use our computing power to help them undermine the privacy of the world.

We can see this one not as a bug but as a feature that helps us check we are not logged into Google when doing a search. I do not have a Google account right now but I had one years ago. My goal is not helping them make a profile about me to sell to anyone willing to pay for it.

Thanks! It is nice to know this CPU load is not a consequence of running some unwanted code on our computers.

RealFakeNews March 24, 2018 12:37 AM

@LeftyAce:

@Grauhut, it’s still hijacking, the same way taking over an aircraft is hijacking regardless of whether or not the cockpit was locked.

It doesn’t “take over” though – it just steals what would be idle CPU cycles. At worst, it increases your power consumption, so in that way it is stealing your CPU time and electricity.

