Cryptojacking: cyber-scourge or legitimate business model for the ad-block age?

Cryptojackers steal CPU time and bandwidth, but then again so do ads, says RiskIQ

Cryptojacking is one of the latest ways that hackers make a quick buck, but is it really that harmful?

Making money from cybercrime is an opportunistic business. Once people are generally aware of phishing emails and other scams, those techniques become subject to the law of diminishing returns. That's why cybercriminals are always looking for hidden doorways and new models. The massive rise in the value of bitcoin and other cryptocurrencies over the past couple of years has provided just such an opportunity.

Rather than stealing data or logins and passwords, this type of attack co-opts CPU time and bandwidth in order to mine cryptocurrencies without having to purchase high-powered GPUs and the electricity to power them. Cryptomining scripts such as Coinhive have proliferated as scammers look to make some easy money.

Research by threat intelligence firm RiskIQ over the last year has found more than 50,000 websites that are infected with cryptojacking scripts such as Coinhive - including 11 in websites belonging to FT 30 companies - and counted an average of 495 new web hosts running cryptocurrency miners each week.

One route to infection seems to be via the open-source CMS Drupal: 326 Drupal injections were spotted on hosts that were also found to be running Coinhive.

"It's the soft underbelly, the forgotten assets that attackers are looking for," said Fabian Libeau, EMEA VP at RiskIQ. "We found a global bank with two or three [obscure] servers in the Netherlands that nobody really looked into, but they were mining in the background."

Compared with other types of cybercrime, cryptojacking may not seem to be such a serious issue. Its effects may not even be noticed. However, it is certainly a canary in the coal mine in demonstrating a site's vulnerability to other attacks.

"It's a privacy issue: who gave you permission to use my CPU cycles? But it's also the lack of visibility, it just highlights the fact that people don't know what they're running," said Libeau.

"There's a whole bunch of stuff that people internally never see because it's not sitting on the site, it's called dynamically from third-party servers. The world looks like a different place when we take the attacker's point of view and look in from the outside."

In an age of ad-blockers, cryptomining scripts might even represent an opportunity for some websites to change their monetisation model.

Libeau cited a recent survey in Germany where people were asked if they would prefer to see ads or loan their CPU cycles for cryptomining while they are on the site.

"The answers were about 50-50. If I don't like ads as a business model of the website maybe I should get the choice of supporting the website with a few CPU cycles for mining bitcoin. Maybe it's legit to ask the customer at the beginning what they would prefer."