In late September, news broke of Pirate Bay hijacking users’ CPU resources to mine cryptocurrencies, triggering a huge backlash from users. Now some might find it ironic that pirates are complaining about something being taken from them, but secretly mining for cryptocurrencies is a growing trend, and has been known to happen on legitimate sites. So how does mining for cryptocurrencies work? And what should you know about it?
How ‘secret’ cryptocurrency mining works
Cryptocurrencies like Bitcoin are “mined” (that is new “coins” are created) through resource intensive processes that, by design, become more and more expensive as more coins are mined.
Bitcoin has long-since passed the point where it is no longer feasible to mine new coins without a large initial investment in specialist hardware. This hardware tends to be very power-hungry, and may be approaching the point of economic infeasibility given the price of electricity these days, although the large increase in bitcoin value against the USD in the last year may have changed this.
An alternative to this approach is CryotoNight and scrypt-based cryptocurrencies. These were deliberately designed to be very expensive to attack at scale because of heavy memory requirements that cannot simply be overcome by building very fast processors highly optimised for cryptocoin mining.
This means that cryptocurrencies based on these mining algorithms can still be feasibly mined using CPUs found in a typical desktop computer, at least if you do not have to pay for its electrical power. Therefore, even though an in-browser implementation of these algorithms only makes a small mining contribution, it might still be worth the effort.
In the case of Pirate Bay, the CoinHive JavaScript they deployed was pooling CPU resources from many of its website visitors in order to provide a small return in the Monero cryptocurrency.
Where is it happening?
Secret cryptocurrency mining has been deployed in various malware schemes for some time now, on desktop machines, via webpages and on compromised servers. ESET recently published research on web advertisers using a similar scheme, but in a truly illegitimate manner known as ‘Malvertising’, where the website’s displaying the ads did not benefit from the currency mining, just those placing the ads.
In that case, the ads were surreptitiously included in the advertising stream, and they targeted sites whose pages might be expected to show higher-than-usual CPU usage anyway – such as movie and online gaming sites – presumably to make their presence less obvious.
Not long after ESET published the ‘Malvertising’ research, news also broke of the Chrome extension SafeBrowse being updated to include a cryptocurrency miner, resulting in a massive user backlash and Google ousting the extension from the Chrome Web Store. SafeBrowse’s author reportedly claims to know nothing about this “update”, which suggests that they, or perhaps the Chrome Web Store upload system, have been hacked.
And just last week, ESET reported on yet another malicious cryptocurrency mining operation. Known as Win32/CoinMiner.AMW, this malware was utilising the typically higher CPU power of web servers, and had spread to many servers via a software vulnerability. The cybercriminals behind this campaign have illicitly mined over US$63,000 worth of Monero since May this year.
‘Well I might be a pirate, but that doesn’t sound fair, aren’t there rules around this?’
Unfortunately, there is no specific legislation I am familiar with outlawing such behaviour. However, as the operators of Pirate Bay quickly learned, legal or not, its website visitors were pretty unhappy about not being warned or given the choice to opt-out.
The strong negative reaction of Pirate Bay’s users was probably heightened due to what was reputedly an error on the Pirate Bay administrator’s part. The administrator made matters worse by not properly setting the CPU usage settings in their implementation of the CoinHive script, causing a more noticeable impact on their users than they claimed they had intended.
It turns out that even those who steal, don’t like to be stolen from, and it’s unlikely that the reaction of Pirate Bay’s users would be much different from that of web users in general. So whilst there is no specific legislation in place to stop this type of activity, websites (legal or illegal) that wish to keep their users happy, would be unwise to secretly mine cryptocurrencies.
So if you can’t stop it, what kind of threats does it pose?
Luckily, there are no serious security consequences of this kind of browser-based cryptocurrency mining, but as some Pirate Bay users experienced, if the configuration of these scripts is not carefully selected, web visitors’ machines may become all but unresponsive due to the mining script’s operation. This could be considered a form of denial of service attack against your own website visitors.
Password cracking by brute force by guessing against stolen password files is a similar kind of computing problem to mining cryptocurrencies. We have seen malware install distributed password crackers before, “stealing” computing resources from its victims. Presumably something similar could also be fitted into a scheme much like this CoinHive distributed cryptocurrency mining.
Whilst the security threats are, at this stage, minimal, the growing trend of sites secretly mining for cryptocurrencies should be enough to warrant vigilance and prompt users to monitor for any suspiciously high CPU activity.
Nick FitzGerald is senior research fellow at ESET