Cryptojacking: A Love Story (Part 2)

Part 2: Cameron’s Dad’s Car

If you find yourself with a bit more than you need, you can rent out your extra car on Turo.  You can rent out your vacation home on Airbnb.  But what about your extra computing resources?  Can you monetize those?  Potentially, sure.  This is one of the interesting things about cryptocurrency.

Put another way, if someone borrowed your car without permission, rented it out on Turo and kept the money, but managed to return it a little worse for the wear at the end of the day, would you still have a right to be upset?  

In our last episode, we learned about blockchain, public ledger accounting, and bitcoin.  When we talk about “mining” bitcoin or “farming” chia, we mean that computer resources such as processors and storage are rented to the blockchain until a “proof of work” occurs.  At that time, the blockchain pays the owner of the device in its own cryptocurrency, which he or she can then exchange for dollars or pounds or rupees or yuan.  As people have realized the scale of the opportunity, moderately sophisticated homemade mining rigs like the one you see below have sprung up in a lot of suburban basements.   

However, before you get too excited, it’s worth pointing out that some time ago, the costs ordinary consumers pay for infrastructure, cooling, and electricity began to exceed the rewards of cryptographic coin mining.  Over time the situation has not improved for hobbyists.  If you start mining cryptocurrencies today, in spite of your best efforts you will probably lose money.

If you really want to invest in cryptocurrencies, you could buy stock in a company like RIOT Blockchain, (RIOT) which boasts 16,146 mining computers housed in upstate New York where hydroelectric power is cheap and cooling costs are low, due to the frigid weather most of the year and the world’s most famous waterfall.  Other commercial mining operations exist in Iceland, Siberia, and Northern Canada.  At scale, in the right conditions, mining is still profitable.

Which leads us back to crime.  

In 2018, a website called Coinhive offered JavaScript mining software which was quickly installed on thousands of popular websites.  People even bought ads on legitimate websites and used banner ads to sideload Coinhive’s software into end users’ web browsers, which was used to mine a hard-to-trace cryptocurrency called Monero.  This is why a lot of IT people use ad blockers.

What that means is that you might have already unknowingly participated in cryptocurrency mining for someone else’s benefit.  At this moment, you might feel like Cameron’s dad in Ferris Bueller’s Day Off when some scuzzy valet is out taking your red Lenovo laptop for a joyride.

If your electricity bill went up by $12, would you think to check your computer for unwanted programs?  Essentially, Coinhive made it easy for people to surreptitiously run their software on other people’s computers, to steal their computer resources, as well as the underlying power and cooling, and crooks kept the resulting coins for themselves.  Coinhive was unceremoniously shut down, but when you teach criminals a new way to steal, it’s hard to make them stop.

Yes, there are other ways to execute cryptojacking campaigns.  In security nomenclature, we talk about software called PUPs.  They might sound cute, but PUP in this context stands for Potentially Unwanted Programs.  Maybe you downloaded a program to give you some free coupons, or updates on the weather.  Sometimes buried in the end user licensing agreement, sometimes without even telling you, that software will start to consume “spare” CPU cycles, memory, and disk space in the service of a cryptojacking operation.  As you might have guessed, this often happens alongside gray or black market software and activities, such as “free” Hollywood movies, pirated software, or adult content.

We imagine that the people who engage in this illegal activity might try to justify it by minimizing the impact on end users.  “What’s the harm?  So their computer slows down a little.  Maybe there is some fan noise” they might say.  The costs, however are real and can add up for employers.  Moreover, as many people have shifted to work from home, some risk has effectively transferred to consumers.  

In 2020, popular Russian MikroTik routers were found to be used involuntarily in large scale cryptojacking operations. There have been security bulletins about credible looking chrome extensions and badware cryptomining apps in major app stores, an exploited security flaw in Microsoft Exchange that put mail servers in the service of cryptojackers, a malicious Facebook Messenger campaign designed to deliver and execute cryptomining code, and like something out of a movie, one cybersecurity vendor found that a rogue employee had set up crypto mining servers under the floorboards of the bank where he worked.

Some signs that you might be a victim of cryptojacking include a noticeable slowdown in device performance, overheating, sudden unexplained shut downs, a reduction in speed and productivity, and an unusual increase in electricity costs.  To protect yourself, consider browser extensions that block ads and select an IT security provider that uses an AI based EDR solution that prevents cryptojacking processes from executing.  Unusual network traffic is another indicator of compromise that can merit investigation.

The truth is, this sort of attack is becoming less exotic.  And while it’s far from benign, even as cryptojacking degrades the health and life of computer hardware, and legitimate uses of technology can take an annoyingly sluggish backseat to resource theft - if you take in the entire security landscape, cryptojacking seems comparatively like a romantic novelty next to some of the other threats that exist.  We will certainly see the tide of cryptojacking rise and fall and rise again, but when asked about cryptojacking, Datapath’s head of security, CISSP Nate Miles asked a haunting question: “If you’re going to be evil, why not go all the way?”

In our next installment we will talk about cryptoransomware.