Cryptojacking: The new gold rush?

Tuesday, December 5, 2017 By

The crypto-gold rush continues to surge: many established currencies hit all-time highs in the last week, with Bitcoin crossing the $11,800 threshold and Ethereum $522, in what has become one of the most publicised markets around, if not the most stable.


Perhaps unsurprisingly, given the volume of excitement - and money to be made - the criminal element has stepped up operations, in particular targeting web users with drive-by style attacks. In one recently reported version, attackers are deploying a JavaScript browser miner - potentially based around the now infamous Coinhive Monero miner - that ingeniously opens a pop-under window hidden beneath the taskbar, allowing mining to continue even when the user thinks they have closed their browser.

Researchers from Malwarebytes found that the nefarious pop-up has “some functions that come straight from the Coinhive documentation, such as .hasWASMSupport” but they also noted the stealthy aspect of the scheme: “the mining is being throttled to have a moderate impact on users’ machines so that it stays under the radar.”

Another researcher took on the challenge of quantifying the volume of compromised sites, eventually uncovering CoinHive code on 2496 e-commerce sites. Interestingly, as CoinHive requires a unique account ID to credit hashes to, further analysis of the infected stores revealed that 85 per cent are linked to just two CoinHive accounts, while the remaining 15 per cent are spread widely across multiple unique CoinHive accounts. Because the tag added to this remaining 15 per cent segment is consistent, the researcher concluded that the cryptojacking surge is down to just three groups or individuals.

“Some sites bluntly include the official coinhive.js file, others are more stealthy and include an iframe that points to siteverification.online. This site shows a default Debian installation page but includes a cryptominer nevertheless. Some others disguise as Sucuri Firewall…” he said in a blog post.

Recent data from Kaspersky Lab found that in the first nine months of 2017, cryptocurrency malware had infected more than 1.65 million endpoints, a rise of 608 per cent since 2013.
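The survey approach described above, as an added example that is not the researcher's own code: scan page HTML for the two indicators quoted (a coinhive.js include, an iframe to siteverification.online), extract the account site key, and count sites per key to see how few accounts are behind them. The regexes are assumptions about how the includes appear, `CoinHive.Anonymous` and `CoinHive.User` are Coinhive's JavaScript constructors, and the sample hostnames and keys are constructed.

```python
import re
from collections import Counter

# Indicators named in the article: a coinhive.js include, or an iframe
# pointing at siteverification.online.
SCRIPT_RE = re.compile(r'<script[^>]+src=["\'][^"\']*coinhive(?:\.min)?\.js', re.I)
IFRAME_RE = re.compile(r'<iframe[^>]+src=["\'][^"\']*siteverification\.online', re.I)
# Coinhive's JavaScript constructors take the account's site key as first argument.
KEY_RE = re.compile(r'CoinHive\.(?:Anonymous|User)\(\s*["\']([A-Za-z0-9]+)["\']')

def scan_page(html):
    """Return (indicator names, site keys) found in one page's HTML."""
    keys = KEY_RE.findall(html)
    hits = set()
    if SCRIPT_RE.search(html):
        hits.add("coinhive-script")
    if IFRAME_RE.search(html):
        hits.add("siteverification-iframe")
    if keys:
        hits.add("miner-init")
    return hits, keys

def cluster_by_key(pages):
    """Return ({site: indicators}, Counter of sites per site key)."""
    flagged, per_key = {}, Counter()
    for site, html in pages.items():
        hits, keys = scan_page(html)
        if hits:
            flagged[site] = hits
        per_key.update(set(keys))  # count each key once per site
    return flagged, per_key

# Constructed sample input: hostnames and site keys are made up.
SAMPLE = {
    "shop-a.example": '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
                      "<script>new CoinHive.Anonymous('EXAMPLEKEY0001').start();</script>",
    "shop-b.example": '<script src="/js/coinhive.js"></script>'
                      "<script>new CoinHive.Anonymous('EXAMPLEKEY0001', {throttle: 0.5}).start();</script>",
    "shop-c.example": '<iframe src="https://siteverification.online/" width="0"></iframe>',
    "blog-d.example": "<p>Our write-up on coinhive.js and browser mining.</p>",
}

if __name__ == "__main__":
    flagged, per_key = cluster_by_key(SAMPLE)
    for site, hits in sorted(flagged.items()):
        print(site, sorted(hits))
    for key, n in per_key.most_common():
        print(f"{key}: {n} site(s)")
```

The iframe variant exposes no site key in the parent page, so those sites are flagged but cannot be attributed without also inspecting the framed document.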

The cryptojacking trend has already had a significant impact on the app world, especially Android apps on Google Play, which are tempting targets for attackers due to their availability and massive user base. A number of apps compromised with versions of CoinHive were reported recently, while research from High-Tech Bridge found that more than 90 per cent of apps tested may be vulnerable.

Ilia Kolochenko, CEO, High-Tech Bridge, said that blockchain technologies - including cryptocurrencies - often gave users a false sense of security. “The blockchain technology used for cryptocurrencies (and many other purposes) can be considered quite mature and reliable if properly implemented. Particular cryptocurrencies may have complicated logic errors in their implementation and design, allowing unwarranted manipulations with the currency. However, such flaws are very rare, hard to detect and exploit.

“However, when speaking about all the technologies above – like exchange platforms – they are just common IT systems and inherit the entire spectrum of cybersecurity risks and perils. If anyone has access to your digital wallet and s/he is hacked, no blockchain will help. Moreover, it will likely exacerbate the problem as the illicit transaction will be virtually uncancellable. We cannot use blockchain in isolation from all other technologies, and therefore we shall carefully assess and mitigate tangential and contiguous risks.”

Researchers from High-Tech Bridge recently tested the most popular cryptocurrency mobile applications in the ‘Finance’ category on Google Play with a vulnerability scanner, Mobile X-Ray, a free online service with SAST, DAST and IAST capabilities for native and hybrid Android and iOS applications.

The results were shocking: even among apps with more than half a million downloads, 94 per cent had at least three medium-risk vulnerabilities...


Mark Mayne has covered the security industry for more than 10 years, editing news for SC Magazine and editing SecurityVibes UK. Mark has a background in national news journalism and tech reporting, and has run b2b and b2c editorial sites.
