Hackers ‘cryptojacking’ CPUs to make money
Major companies, their customers are among victims as malicious code is embedded in websites
VANCOUVER— Anyone casually surfing the internet at home can be deployed as an unwittingly productive member of a hacker’s workforce, a practice known as “cryptojacking” that is on the rise.
Internet sleuths have discovered malicious code on the websites of several major companies — including Canada’s Loblaw Cos. Ltd. — left by cryptojackers looking to break into computers and commandeer their processing power for cryptocurrency mining.
Cryptocurrencies, such as Bitcoin, are digital “coins” created by groups of computers — known as miners — that work together to solve mathematical puzzles that verify transactions. The more puzzles they solve, the more currency they earn.
The exercise is hugely taxing on a computer’s processing power and the electricity it requires is expensive.
By surreptitiously adding JavaScript code to a website, the central processing unit on a visitor’s computer is employed to join the effort to mine a digital currency.
“It basically just hogs your CPU,” said Konstantin Beznosov, a professor at the University of British Columbia’s electrical and computer engineering de- partment. Computers that have been cryptojacked can become unresponsive or slow down significantly. The practice can also result in higher electricity bills.
Web surfers have spotted such code on major websites, including U.S. politics fact-checking site Politifact and CBS Corp.’s Showtime and Showtime Anytime sites.
In Canada, a web page for Shoppers Drug Mart job listings appeared to be trying to use visitors’ computer power to mine for Monero via Coinhive — a website that provides other sites a cryptocurrency mining code embed in exchange for a share of the profits.
Computers that have been cryptojacked can become unresponsive or slow down significantly. The practice can result in higher electricity bills
Screenshots taken in late September offer limited information, said Daniel Tobok, CEO of cybersecurity boutique firm Cytelligence Inc., but appear to show a third party trying to leverage the website to connect to a cryptocurrency miner.
Catherine Thomas, a spokesperson for Shoppers’ parent, Loblaw, confirmed that code from a third party was present on the web page for a short time, but stressed that at no time was there a risk to anyone’s machine or personal information.
These types of breaches are extremely common, Tobok said.
In 2013, Kapersky Lab’s products detected such a threat about 205,000 times. In the first eight months of this year, the company’s security software found 1.65 million users were attacked.
A more invasive scenario is for hackers to install malicious code so that every time the person uses their computer to surf the web the hackers will attempt to mine for digital currency, Tobok said.
“You become another spoke in the wheel.”
The Office of the Privacy Commissioner of Canada is aware of the issue but has not examined it in depth, according to a spokesperson.
Targeted system owners may not always inform or request assistance from the Canadian Cyber Incident Response Centre, spokesperson Jean-Philippe Levert said.
“As this type of malicious activity is generally intended to go unnoticed, it often is not destructive and does not result in loss of confidential information,” Levert said, adding CCIRC is ready to assist if needed.
Levert added CCIRC does not comment on whether reports have been received on specific incidents, such as cryptojacking, to protect sensitive information submitted by those vol- untarily reporting.
For web surfers looking to avoid being cryptojacked, several internet browser extensions can block attempts, including No Coin and Ad Block Plus.
But it’s not always hackers behind the code. In some cases, companies knowingly run a cryptocurrency miner.
File-sharing site The Pirate Bay, for example, tested Monero-miner Coinhive as a potential advertisement replacement, but faced complaints for not informing users about the practice after it was discovered.
“We really want to get rid of all the ads. But we also need enough money to keep the site running,” the company wrote in a September blog post, asking users for feedback on whether they’d prefer ads or giving “away a few of your CPU cycles every time you visit the site.”
New charities are also asking people to consider the relatively passive way to donate.
The Clean Water Coin Initiative, a non-profit organization that has partnered with Charity: Water, has raised more than $2,000 (U.S.) by asking people to donate 0.1 per cent of their digital currency transactions.
Charity Mine asks users to keep its site open in a tab, so their unused CPU power can generate Monero for charity. While it’s raised less than $13 (U.S.) to date, the site estimates
“(Cryptojacking) often is not destructive and does not result in loss of confidential information.” JEAN-PHILIPPE LEVERT CANADIAN CYBER INCIDENT RESPONSE CENTRE
four million users could create roughly $7.1 million annually.
Cryptocurrency is a currency with no physical form or intrinsic value, but is an increasingly hot commodity as Bitcoin, its most well-known iteration, flirts with a record high.
Bitcoin, the self-proclaimed original decentralized digital currency, is hovering around $8,000 as investors pour into alternative currencies.
Many other types of cryptocurrencies exist, including Monero and Litecoin. These digital currencies are decentralized, meaning there is no third-party authority such as a bank that oversees activity, and transactions happen directly between two individuals. This offers some benefits, such as lower fees and global use.
Cryptocurrencies rely on blockchain technology. The blockchain is a public ledger of the currency’s transactions.
Generally speaking, there are two ways to obtain cryptocurrencies: A person can purchase units on an ex- change, or they can participate in cryptocurrency mining.
Miners secure cryptocurrency networks. They receive new issues of the currency for verifying transactions, which are then recorded on the blockchain.
Miners run software that can require special hardware, such as ASIC chips — designed for Bitcoin mining. Their computers solve complicated math problems in exchange for new issues of the currency. A mathematical proof of work, created by trying billions of calculations per second, is required to confirm a Bitcoin transaction. The more puzzles a miner solves, the more cryptocurrency they earn — incentivizing miners to participate and strengthening the overall system.
On Bitcoin’s network, the problems become more complex if they are being solved too quickly. As more miners joined the system and the problems grew more difficult, miners started to pool together.
Once purchased or mined, cryptocurrency lives in the individual’s digital wallet and can be used to purchase items online or at local stores that accept the currency.
The digital currency’s value is derived from demand. At the time of writing, one Bitcoin was worth roughly $9,800 (it is highly volatile), while Monero has yet to hit fourdigit worth.