Page 37 - Payout Magazine Online Volume 10.02
firm Check Point listed CoinHive’s software as malware for 15 consecutive months. It is estimated that 5% of all Monero mined was mined through cryptojacking.

Part of that is attributed to a fork in Monero’s source code that reduced CoinHive’s hash rate. Another fork, slated for March 9 to do more damage to CoinHive, prompted the company to shutter operations on March 8.

CoinHive was not the only piece of cryptojacking software, but it was the largest. With the service now out of the picture, does that mean cryptojacking is dead?

Is Cryptojacking Dead?

With the death of CoinHive comes a vacuum of cryptojacking waiting to be filled. There are two types of cryptojacking attacks. The first is the CoinHive method: injecting mining code into websites, browsers, or networks without the user’s permission. The second targets users’ computers to exploit their computing power directly, rather than through site visits.

Before the shutdown of CoinHive, a detection system called CMTracker was developed. It relies on behavior-based profiles to monitor webpages for malicious scripts. CMTracker estimates there were 868 cryptojacked websites in the Alexa top 100K list before the CoinHive shutdown.

Now, eight months after the death of CoinHive, researchers are hoping to find out whether cryptojacking is alive and well. They used CMTracker and manual examination of 2,770 known cryptojacked websites before the CoinHive shutdown to see if it is still happening.

Initial results (https://arxiv.org/pdf/2001.02975.pdf) suggest 99% of websites that had been detected by CMTracker were no longer cryptojacking. 1% of those websites still continue crypto mining with other cryptojacking scripts. CMTracker is still able to identify new cryptojacking attempts, even from code it has never seen before.

Researchers tracked eight unique mining scripts from the 1% of websites still engaging in cryptojacking their visitors. Researchers detected 632 individual cryptojacking websites, some of them with millions of visitors per year.

How Cryptojacking is Evolving

While cryptojacking has died a significant death with the CoinHive shutdown, it is not completely gone. Out of the 500 websites researchers surveyed manually, 68.8% of those websites had removed all hidden malicious scripts. 11.6% of websites still feature calls to CoinHive, suggesting they have not updated since the service shutdown. Finally, 1.2% of those 500 websites still performed cryptojacking using different code.

Since the fall of CoinHive, most malicious crypto-mining scripts come from CryptoLoot. Scripts from that service have impacted an estimated 7.2% of websites still affected by cryptojacking. Cryptojacking appears to be in decline on consumer and business computers, but that doesn’t mean it is dead. Instead, hackers are focusing their crypto-mining malware on enterprise and cloud computing resources. Targeting cloud computing networks means hackers can deploy malware across a considerable network.

Ransomware on the Rise

In 2019, hackers compromised Jenkins open source automation servers with Monero miners. They earned over $3 million in Monero before the scam was discovered. The scam doesn’t point to a resurgence of cryptojacking, though. Hackers and scammers are likely attempting to extract the last pennies to be had from the practice.

The new focus appears to be on ransomware, which holds computers and files hostage until the victim pays. Ransomware may solicit victims to pay hackers in their preferred cryptocurrency, like Monero.

The hackers behind the GandCrab ransomware service allegedly made over $2 billion in extortion payments. A report from 2019 (https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/) suggests those hackers are re-grouping under a new ransomware program called REvil. These ransomware takeovers encrypt files on a computer, making them inaccessible to the victims.