Hackers hog processing power to earn cryptocurrency
Form of ‘cryptojacking’ being used as legitimate revenue generator, too
VANCOUVER — Anyone casually surfing the internet at home can be deployed as an unwittingly productive member of a hacker’s workforce, a practice known as “cryptojacking” that is on the rise.
Internet sleuths have discovered malicious code on the websites of several major companies — including Canada’s Loblaw Companies Ltd. — left by cryptojackers looking to break into computers and commandeer their processing power for cryptocurrency mining.
Cryptocurrencies, such as Bitcoin, are digital “coins” created by groups of computers — known as miners — that work together to solve mathematical puzzles that verify transactions. The more puzzles they solve, the more currency they earn. The exercise is hugely taxing on a computer’s processing power and the electricity it requires is expensive.
By surreptitiously adding JavaScript code to a website, the central processing unit on a visitor’s computer is employed to join the effort to mine a digital currency.
“It basically just hogs your CPU,” said Konstantin Beznosov, a professor at the University of British Columbia’s electrical and computer engineering department. Computers that have been cryptojacked can become unresponsive or slow down significantly. The practice can also result in higher electricity bills.
Web surfers have spotted such code on major websites, including American politics fact-checking site Politifact and CBS Corp.’s Showtime and Showtime Anytime sites.
In Canada, a web page for Shoppers Drug Mart job listings appeared to be trying to use visitors’ computer power to mine for Monero via Coinhive — a website that provides other sites a cryptocurrency mining code embed in exchange for a share of the profits.
Screenshots taken in late September offer limited information, said Daniel Tobok, CEO of cybersecurity boutique firm Cytelligence Inc., but appear to show a third party trying to leverage the website to connect to a cryptocurrency miner.
Catherine Thomas, a spokesperson for Shoppers’ parent Loblaw, confirmed that code from a third party was present on the web page for a short time, but stressed that at no time was there a risk to anyone’s machine or personal information.
These types of breaches are extremely common, Tobok said.
In 2013, Kapersky Lab’s products detected such a threat about 205,000 times. In the first eight months of this year, the company’s security software found 1.65 million users were attacked.
A more invasive scenario is for hackers to install malicious code so that every time the person uses their computer to surf the web the hackers will attempt to mine for digital currency, Tobok said. “You become another spoke in the wheel.” The Office of the Privacy Commissioner of Canada is aware of the issue but has not examined it in depth, according to a spokesperson.
Targeted system owners may not always inform or request assistance from the Canadian Cyber Incident Response Centre, said spokesperson Jean-Philippe Levert.
“As this type of malicious activity is generally intended to go unnoticed, it often is not destructive and does not result in loss of confi-
dential information,” Levert said, adding CCIRC is ready to assist if needed.
Levert added CCIRC does not comment on whether reports have been received on specific incidents, like cryptojacking, to protect sensitive information submitted by those voluntarily reporting.
For web surfers looking to avoid being cryptojacked, several internet browser extensions can block attempts, including No Coin and Ad Block Plus.
But it’s not always hackers behind the code. In some cases, companies knowingly run a cryptocurrency miner.
File-sharing site The Pirate Bay, for example, tested Monerominer Coinhive as a potential advertisement replacement, but faced complaints from users for not informing them about the practice after it was discovered.
“We really want to get rid of all the ads. But we also need enough money to keep the site running,” the company wrote in a September blog post, asking users for feedback on whether they’d prefer ads or giving “away a few of your CPU cycles every time you visit the site.”
New charities are also asking people to consider the relatively passive way to donate.
The Clean Water Coin Initiative, a nonprofit organization that has partnered with Charity: Water, has raised more than US$2,000 by asking people to donate 0.1 per cent of their digital currency transactions.
Charity Mine asks users to keep its site open in a tab, so their unused CPU power can generate Monero for charity. While it’s raised less than US$13 to date, the site estimates four million users could create roughly US$7.1 million annually.