Process is invisible, so people don't even know it's happening
Posted: Mar 12, 2018 11:06 AM ET
I read this yesterday afternoon, and last night had my first (to my knowledge...) background mining experience. I suddenly found that I wasn't able to do anything in Firefox (not even close a browser window), so, finding this strange, I opened Activity Monitor on my Mac and noticed that some process in FF was using up 80-90% of my CPU, even when nothing was (apparently) happening or being done there. I started closing pages I habitually leave open from previous sessions, and finally identified the culprit (when FF CPU load suddenly dropped to 10-20% after closing a window): a download page from a filehost I often end up at for music downloads. While their site may certainly have been hacked, it also wouldn't surprise me if the owner of the filehosting site has set it up himself to bring in extra $$$.
Scores of Canadians dipped their toes into cryptocurrency mining in recent weeks — they just didn't realize it.
A wave of so-called "cryptojacking" has been sweeping the internet, forcing unwitting web surfers into generating money for cybercriminals.
Hackers infect websites with malicious code that secretly conscripts visitors into an army of cryptocurrency miners. Cryptocurrency mining involves devoting a computer's processing power to solving a complicated mathematical problem with digital currency offered as a reward.
The cryptojacking process is invisible and web surfers typically don't even realize anything is happening in the background, unless they hear their computer's fan kick in as the machine is forced to work at its full capacity. Once they leave the infected website, the cryptojacking stops.
Computer security researcher Troy Mursch recently identified as many as 50,000 websites that had been compromised by the latest hacking trend and said cryptojacking is in its "gold rush" stage.
An incident last month also exposed just how large the problem is becoming. On a quiet Sunday morning with most IT workers at home with their families, the websites of the Information and Privacy Commissioner of Ontario, the Centre for Addiction and Mental Health, and the municipal websites of cities including Yellowknife and Oshawa, Ont., were among thousands that were hit with an attack linked to a third-party accessibility app called Browsealoud.
More recently, the infected sites Mursch identified included thousands using the WordPress platform, which is favoured by bloggers and small businesses looking for an easy way to set up a web presence. Canadian mom-and-pop stores, wedding photographers and personal trainers were among those who had their websites turned into profit generators for hackers.
From ransomware to cryptojacking
The scheme has proven so profitable that many hackers have been turning their attention away from trying to steal consumers' personal information or hijack computers with so-called ransomware attacks, says Vancouver-based Jerome Segura, a security researcher with software company Malwarebytes.
"It's not that it's not happening anymore, but it's a lot less than it was in the last couple of years when ransomware was the main focus and causing mayhem," Segura said, pointing to last year's WannaCry global cyberattack that hit hundreds of thousands of computers including critical machines in hospitals.
"As long as the price of cryptocurrencies stays high, this is going to be the kind of activity that we're going to see cybercriminals prefer."
While he hesitated to call the trend toward cryptojacking "good news" for internet users, Mursch said "it's definitely the lesser of the evils" compared to being victimized by a ransomware attack, in which hackers digitally lock a computer and demand to be paid before releasing it to the owner.
"Ransomware is basically like pointing a gun at you and saying, 'Hey, pay up or you're not getting your files back,' versus cryptojacking you might not even know about it, it's just going to silently steal your electricity," he said.
Segura said what's striking about this latest trend is that it affects virtually any kind of device that can access a website. In the past, many consumers thought they were safe from viruses and malware on their mobile phones or Apple computers.
"It's platform agnostic in the sense that it doesn't matter if you have a Windows computer, or a Mac, or even a mobile device, if you're visiting that website your device will start mining regardless," he said.
Potentially damaging
He added there is a possible risk of damage to an overworked device if it were to be left mining endlessly for an extended period of time.
"There have been cases — more proof-of-concepts, but still — where in a lab people tested running a cryptominer at 100 per cent and after a certain amount of hours the device overheats and actually pops, the back popped out," Segura said.
While the trend could very easily reverse itself if and when the cryptocurrency that is currently being targeted, Monero, drops in price, Segura said there's also a risk that hackers could adapt their tactics and try to target users' computers for mining and not just their web browsers.
'You definitely have to be proactive.'
- Troy Mursch, computer security researcher
On Wednesday, Microsoft reported its Windows Defender Antivirus software had recently blocked attempts by hackers to embed cryptomining malware on nearly 500,000 computers in a single day, mostly in Russia, Turkey and Ukraine.
Mursch said his advice to WordPress users is to be diligent about installing software updates, which can be a very easy fix to address security vulnerabilities that arise.
"It's kind of hard to believe, but you just have to update it to magically fix it," he said.
"But it's not going to email you, or start beeping, or alert you in any way, so you definitely have to be proactive." He noted that many of the infected WordPress sites he found appeared to be abandoned by their owners but continued to "just float out there in the ether" loaded with code that could infect web surfers.
Segura said he hopes the cryptojacking trend won't lead to internet users letting their guard down too much. "If you take it too lightly and think, 'Well, it's not really affecting my computer much,' what you don't realize is it's fuelling an economy that is benefiting criminals," Segura said. "This is dirty money that they're making."
