Cryptojacking: The hackers mining digital currencies from your computer

As demand for bitcoin reaches record heights, many people would jump at the chance to earn a little digital gold in their spare time and line their wallets with cryptocurrency.

But most amateur bitcoin enthusiasts don't expect their own PCs to be hijacked to harvest coins for cyber criminals.

In recent months, a new form of malware has emerged through malicious websites that harvest digital tokens using the processing power of the victim's computer. It has affected potentially millions of users, with proceeds from the operation totalling millions of pounds a year.

So-called "cryptojacking", which sees hackers attack websites to gather free digital coins, has suddenly taken off. Sites affected have included CBS Showtime, UFC live-streams and even official websites for the governments of Moldova and Bangladesh.

Cryptojacking exploits the process of "mining" cryptocurrencies. Bitcoin and other digital coins are traded on a network called a blockchain, which ensures all trades are encrypted. Mining is what keeps the network going: since the network is not run by any one individual, it requires users to contribute computer power to solve mathematical puzzles to run safely. Users who add enough power are rewarded in coins, essentially minting new currency.

To start exploiting other computers, hackers just have to add a few lines of code to websites. This code harvests computer power from ordinary people browsing the internet, mining currencies such as Monero, whose price has gone up from $10 at the start of the year to $200 - an even greater ascent than bitcoin.

The threat has gone viral since it emerged in September. Security researcher Troy Mursch, who runs the blog Bad Packets Report, found 30,000 websites with mining software called "Coinhive" running in the background, slowing down computers and using huge amounts of electricity.

"The actual use of Coinhive is as simple as putting a few lines of code on the website," Mursch says. Targets are not limited to computers, with mobiles and tablets vulnerable, while more sophisticated criminals have taken to hijacking smartphone apps to gather more digital gold.

Installing malware that harvests bitcoin is not new: it has long been spread by phishing emails or dodgy downloads. But cryptojacking doesn't even require a user to download a virus, instead running in their browser without their knowledge.

"The change this year is that it is done not by an executable [an installable program] but by a JavaScript library," says Fraser Howard of security firm Sophos. "They can go onto any website and you, a user, run their code just by browsing that site."

By compromising thousands of websites, hackers have exposed websites used by an estimated 500 million people to the mining software, according to adblocking company AdGuard, allowing the invaders to add to their computing power and harvest coins faster.
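
A site owner can audit their own pages for the kind of injected mining script described above. The following is an added example, not code from the article or from Coinhive; the script host `coinhive.com`, the `CoinHive.Anonymous` and `CoinHive.User` constructor names, and the sample HTML are assumptions chosen for illustration.

```javascript
// Added example: flag in-browser miner includes in a page's HTML.
// Indicators below are illustrative assumptions, not an exhaustive list.
const MINER_HOSTS = ['coinhive.com'];                  // script host (assumption)
const MINER_API = /\bCoinHive\.(Anonymous|User)\s*\(/; // inline API use (assumption)

// Resolve a script src against the page URL; null if it cannot be parsed.
function scriptHost(src, pageUrl) {
  try {
    return new URL(src, pageUrl).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Match the domain itself or a subdomain, never a mere substring.
function hostMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

function findMinerIndicators(html, pageUrl) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const srcMatch = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (srcMatch) {
      const src = srcMatch[1] || srcMatch[2] || srcMatch[3];
      const host = scriptHost(src, pageUrl);
      if (host && MINER_HOSTS.some((d) => hostMatches(host, d))) {
        findings.push({ type: 'external-script', detail: src });
      }
    }
    if (MINER_API.test(body)) {
      findings.push({ type: 'inline-api-call', detail: body.trim().slice(0, 80) });
    }
  }
  return findings;
}

// Constructed sample page: one benign script, one miner include, one inline
// API reference, and one benign URL that only contains the domain in its path.
const SAMPLE_HTML = `<html><head>
<script src="/static/app.js"></script>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('CONSTRUCTED-SITE-KEY');</script>
<script src="https://cdn.example/coinhive.com/lib.js"></script>
</head><body>shop</body></html>`;

console.log(findMinerIndicators(SAMPLE_HTML, 'https://shop.example/'));
```

A renamed, self-hosted or obfuscated copy of the library will not match these indicators, so an empty result only rules out the known include.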

Infected websites have been popping up all over the internet. While many are file-sharing websites such as The Pirate Bay or explicit adult pages, online shops such as Everlast and car-makers Subaru have been affected.

Most sites appear to have been compromised by the mining code, which has been added maliciously by hackers. A few, such as The Pirate Bay, have considered using it as an alternative to online advertising, harnessing the computer processing power of visitors rather than exposing them and their data to advertising services.

Coinhive, the developer of the initial, open-source code, claims the service could be used to replace advertising on some websites. Revenue on many sites from advertising sales has plummeted amid global dominance from Google and Facebook.

Coinhive released its code in September; however, several security experts believe Coinhive is unwittingly complicit in the spread of its code to thousands of websites, causing reliability issues for users and battery drain on laptops and smartphones.

In fact, Coinhive even profits from the malicious spread of the mining code, taking a 30 per cent cut. AdGuard estimated Coinhive had earned $43,000 in its first three weeks alone, or $745,000 per year. That would make total proceeds around $2.5m a year.

The threat is only expected to grow in an arms race between ad-blockers and illegal coin miners. "It's a cat and mouse game, it could significantly grow into 2018," says Rick Holland of UK cyber security firm Digital Shadows. Security researchers Malwarebytes estimate that cryptojacking will be the number one trend in malware for 2018.

By bringing mining into browsers, Coinhive has made it easy for hackers to potentially reach hundreds of thousands of targets. "Cyber criminals always want to reduce costs," says Holland, "the release of Coinhive has made it much easier."

Coinhive says it has a "strict policy for such cases and we will immediately terminate accounts that use our service on hacked sites".

With Coinhive's initial code, users are not required to "opt-in" to have their browser exploited for mining. The team says it has since launched a version of its code where users have to agree to allow Monero mining. But the threat is already evolving, with variants of Coinhive developed by cyber criminals appearing in Google Play Store apps or able to keep running even after a user closes the offending tab.

Coinhive maintains its service was set up as a legitimate tool, but even it has admitted cryptojacking has evolved into a malicious force, according to the Süddeutsche Zeitung newspaper. "We cannot deny the opinion of a user that 'we invented a whole new breed of malware'," Coinhive said. "We are not proud of it."
