Symantec presents research on cryptojacking – ‘a modern cash cow’


Cryptojacking shook up the cyber security landscape in 2017 and 2018. Symantec Security Response took an in-depth look at this cybercrime trend.

Symantec, a global leader in next-generation cybersecurity, has released research about cryptojacking, one of the biggest trends of 2018.

Cryptojacking involves cybercriminals surreptitiously running coinminers on victims’ devices without their knowledge and using their Central Processing Unit (CPU) power to mine cryptocurrencies.

This has been such a big trend this year that Symantec has published a research paper on this topic, featuring insights and analysis about this cybersecurity threat.

Cryptojacking surged in the last quarter of 2017, with its growth in popularity coinciding with a surge in the value of cryptocurrencies, including Monero, the cryptocurrency mainly mined by CPU miners.

Key points in the research include:

  • The greatest surge in activity was in the area of browser-based coinminers
  • Cryptojacking activity peaked in December 2017, with more than eight million cryptojacking events blocked by Symantec. A slight fall in activity in 2018 was recorded but cryptojacking events blocked in July 2018 still totalled just under five million
  • Primary effects of cryptojacking include: device slowdown, overheating batteries, increased energy consumption, devices becoming unusable and reduction in productivity

Cryptojacking in the cloud could also cause additional costs for businesses that are billed based on CPU usage.

What is cryptojacking?

Computer programs called coinminers are used to mine cryptocurrencies. Cryptocurrencies are digital currencies created using computer programs and computing power. Bitcoin is the best-known cryptocurrency but it cannot be mined using personal computers – it requires specialist equipment to mine.

The cryptocurrency Symantec primarily sees mined on personal computers is Monero.

  • File-based coin mining involves downloading and running an executable file on your computer
  • Browser-based coin mining takes place inside a web browser and is implemented using scripting languages. If a web page has a coin-mining script injected on it, the web page visitors’ computing power will be used to mine for cryptocurrency for as long as they keep the web page open.

Coin mining is not illegal and many people choose to run files or scripts on their computers to carry out coin mining to make money themselves. Some websites may also use coin mining as an alternative to advertising to generate revenue, which is fine provided customers are told that their CPU power will be used to mine cryptocurrency while they are visiting that website.

The problems arise when people aren’t aware their computers are being used to mine cryptocurrency, or if cybercriminals surreptitiously install coinminers on victims’ computers or Internet of Things (IoT) devices without their knowledge: this is cryptojacking.

What’s the big deal?

The primary impact of cryptojacking is performance-related, though it can also increase costs for the individuals and businesses affected. Potential impacts for device owners include:

  • A slowdown in device performance
  • Overheating batteries
  • Devices becoming unusable
  • Reduction in productivity
  • Increased costs, both from higher electricity usage and, for businesses operating in the cloud, from billing based on CPU usage

Unlike threats like ransomware, which immediately disrupt victims’ access to their devices, cryptojacking could be quietly carried out on a victim’s device for a long time before they realise what is happening.

How big an issue is cryptojacking?

The surge in cryptojacking in the last quarter of 2017 was dramatic. It hit its peak in December 2017 when Symantec technologies blocked more than eight million cryptojacking events. Symantec has seen activity decrease somewhat since then but in July 2018 it still saw just less than five million cryptojacking events blocked and the growth in activity since September 2017 is stark.

Reasons cryptojacking activity increased include:

  • A surge in the value of cryptocurrencies in the final quarter of 2017
  • Lower barriers to entry for cybercriminals
  • Cryptojacking allows cybercriminals to operate without the activity being noticed by victims
  • Even fully-patched devices can be targeted via browser-based coinminers


The lower barrier to entry was primarily thanks to the Coinhive service, which was launched in September 2017, just before cryptojacking activity increased dramatically. Coinhive, which is a script that mines Monero, was marketed as an alternative to ads for websites seeking to generate revenue.

It recommends that its users are transparent with site visitors about its presence but this hasn’t stopped unscrupulous operators from using it to carry out cryptojacking with the hope that site visitors won’t notice. Since its launch there have been many reports of it being used for cryptojacking without site visitors’ knowledge.

Along with the arrival of Coinhive, the steep increase in the value of cryptocurrencies was another key reason cryptojacking activity surged. At its peak in December 2017 and January 2018, Monero reached values of close to US$500 per coin. It’s hard to know how much money cybercriminals are making from cryptojacking but the key to making money in this area is scale. A coinminer running on one computer won’t make much money but a coinminer running on thousands of computers could potentially mine a lot of cryptocurrency.

What’s the future for cryptojacking?

The future of cryptojacking is something Symantec considers in the whitepaper and which it also speculated about in ISTR 23.

Symantec said then that ‘the longevity of this activity very much depends on the future value of these cryptocurrencies’.

2018 has seen a drop in cryptojacking activity compared to the final quarter of 2017 but, despite some fluctuations in cryptocurrency values, activity in this area remains significant and it is still one of the primary threats on the cybersecurity landscape as we enter the final months of 2018.

We may not see the mass adoption of cryptojacking that occurred at the end of 2017, but as long as cybercriminals are still making money from cryptojacking it will remain a headache for consumers and businesses for some time to come.

Further reading on the future of cryptojacking, as well as case studies and more in-depth analysis of the cryptojacking landscape is available in Symantec’s whitepaper on the topic.

 
