Cryptocurrency mining has become a permanent fixture of the modern world, silencing all those who thought it would be nothing more than a short-lived fad. This, however, means that it has also drawn the attention of the more unsavory parts of society, resulting in the emergence and subsequent spread of what the cybersecurity community calls cryptojacking. In broad terms, this is the use of the hardware resources of an infected machine to generate (mine) a specific cryptocurrency without the knowledge of the device's owner.
Cryptojacking can be split into two categories, browser-based cryptojacking and malware cryptomining, which have some distinct differences. As its name implies, malware cryptomining is done through malware that infiltrates the victim's machine and then uses the power of its central processing unit (CPU) for mining. In browser-based cryptojacking, on the other hand, the cybercriminals compromise a website or a web server and inject it with a cryptomining script. This tactic can be used to compromise even legitimate websites. The script can also be inserted into an online ad instead of a website.
According to the "IBM X-Force Threat Intelligence Index" for 2018, cryptojacking was gaining increased traction among threat actors due to some of its inherent characteristics. Unlike ransomware or banking Trojans, cryptojacking offers an easier way of monetizing access to the compromised machine, as it reduces the number of parties involved. Even the most sophisticated ransomware threat still relies on the willingness of the affected users to make the required payment in exchange for the potential decryption of their files. In the case of cryptojacking, however, the criminals don't have to interact with the victims and are not reliant on any action from them, while the simplicity of the attack allows even less tech-savvy individuals to execute it with relative success.
Browser-based Cryptomining Explodes on the Scene
Cybersecurity specialists recognize two distinct types of malicious cryptocurrency mining: browser-based cryptojacking and malware cryptomining. IBM's report clearly shows that in 2018 browser-based cryptojacking was undisputedly the more widespread form of attack, with nearly twice the detected instances when compared to malware mining.
Source: IBM X-Force
There are several factors that can explain this initial surge of browser cryptojacking. It is easier to execute because it doesn't involve the use of malware or the need for maintaining a botnet. Furthermore, by infecting just one web server to deploy a mining script, the cybercriminals can potentially reach all visitors to the sites hosted on the server. Organizations also find this type of cryptojacking to be more difficult to defend against as it takes place outside of their control on unaffiliated servers.
Malware Cryptomining Is on the Rise
IBM's data for 2019 shows that, with the start of the year, the preferences of the cybercriminals appear to have undergone a sizable shift, resulting in a return to malware cryptojacking.
Source: IBM X-Force
While it may be hard to pinpoint the exact reason for the reversal of the trend, it can be speculated with a significant degree of confidence that the broader cryptocurrency climate has influenced the behavior of the threat actors. For example, a sharp decline in the value of several prominent cryptocurrencies makes in-browser cryptojacking far less profitable and more time-consuming when compared to the use of malware to infect devices and take direct control over their hardware resources.
Another factor contributing to the decline of browser-based cryptojacking could be the closure of Coinhive, a service that allowed websites to use their visitors' computers to mine cryptocurrency coins. Coinhive was far from the only provider of such services, but threat actors with fewer technical skills may find it difficult to switch to another one for their cryptojacking attacks.
Defend Against Both Types of Cryptojacking
Both organizations and individual users have to be ready to take action and mitigate the effects of either type of cryptojacking. Having your hardware diverted to mining coins for someone else instead of working on its intended tasks can result in significant losses over time. Staying up to date with the trends in delivery methods and mining scripts employed in these attacks can help speed up the detection of any cryptomining attempts and the implementation of appropriate countermeasures.