Many cyberattacks are disruptive by design. They’re meant to announce their presence: through ransomware demands, data breaches, or rendering your sites inoperable. However, there is a more insidious threat operating in the shadows. This silent intruder doesn’t steal your data or lock your files. Instead, it steals your resources. Known as cryptojacking, this form of cybercrime hijacks the processing power of your devices to generate profit for attackers, often without you ever knowing.
So how do you identify this threat before it can do damage to your organization? And how can you prevent it?
What is cryptocurrency?
Before understanding cryptojacking, it is important to grasp the basics of cryptocurrency. Cryptocurrency is any digital or virtual token that uses cryptography for security. Unlike traditional currencies issued by governments (fiat currency), most cryptocurrencies are decentralized, meaning they are not controlled by any single entity like a bank or government.
This decentralization is maintained through a distributed ledger technology, most commonly a blockchain. A blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography. Transactions are bundled into these blocks and added to the chain.
For many popular cryptocurrencies, such as Bitcoin and Monero, new coins are created and transactions are verified through a process called “mining.” Mining involves using powerful computers to solve complex mathematical problems. When a miner solves a problem, they get to add the next block to the blockchain and are rewarded with a certain amount of cryptocurrency.
This process is computationally intensive, requiring significant processing power (CPU and GPU cycles) and electricity. This immense resource requirement is the foundational element that makes cryptojacking both possible and profitable for attackers.
What is cryptojacking?
Cryptojacking is the unauthorized use of someone else’s computing resources to mine cryptocurrency. Attackers gain illicit access to a victim’s device — a personal computer, a mobile phone, a network server, or cloud infrastructure for example — and install software that runs in the background, siphoning the victim’s processing power to solve cryptographic puzzles.
The attacker’s goal is to profit from the mining rewards without having to pay any of the associated costs, such as expensive hardware and high electricity bills. The victim unknowingly foots the bill through degraded device performance, increased energy consumption, and accelerated wear and tear on their hardware.
The stealthy nature of cryptojacking is its defining characteristic; unlike ransomware, which announces its presence, cryptojacking scripts are designed to remain hidden for as long as possible.
How does cryptojacking work?
Cryptojacking attacks are typically executed in two ways: browser-based attacks and malware-based attacks. Each method has its own distinct characteristics.
Browser-Based Cryptojacking
This is one of the most common forms of cryptojacking. Attackers embed a small piece of JavaScript code into a webpage. When a user visits the compromised website, the script automatically executes in their browser. This script then begins to use the visitor’s CPU power to mine for cryptocurrency. The mining activity continues as long as the user has the browser tab open. Once the tab is closed, the script stops running.
Attackers can compromise websites by injecting the script into the site’s code, or they can deliver it through malicious advertisements (malvertising) displayed on legitimate sites. This method is popular because it requires no permanent installation on the victim’s device and can potentially infect a large number of users who visit a popular but compromised website.
Malware-Based Cryptojacking
This approach is more persistent and invasive. It involves tricking a victim into installing cryptomining malware directly onto their device. This is often accomplished through traditional social engineering tactics, such as phishing messages containing malicious links or attachments, or by bundling the malware with seemingly legitimate software downloads.
Once installed, the malware runs as a background process, using sophisticated techniques to hide its presence from the user and from basic security software. Unlike browser-based scripts, malware-based cryptojackers persist after a browser is closed or a computer is rebooted. They can be programmed to detect when the device is idle to maximize resource usage without alerting the user, and they can spread across a network to infect other connected devices.
How is cryptojacking related to cryptocurrency mining?
The relationship between cryptojacking and cryptocurrency mining is simple yet critical to understand: cryptojacking is cryptocurrency mining. The technical process is identical. Both involve executing a program that uses computational power to perform the hashing calculations required to validate transactions and earn cryptocurrency rewards.
The fundamental difference lies in a single, crucial element: consent.
- Legitimate Cryptomining: This is an activity performed with full knowledge and consent. Individuals or companies invest in specialized hardware (like ASICs or powerful GPUs) and willingly pay the high electricity costs with the goal of earning a profit from the mining rewards. It is a legitimate, albeit resource-intensive, business or hobby.
- Cryptojacking (Malicious Cryptomining): This is the same activity performed without consent. The attacker uses someone else’s hardware and electricity without their permission. It is a form of resource theft. The cryptojacker offloads all operational costs onto their victims while collecting all the rewards, making it a highly profitable and illegal enterprise.
Essentially, the action is the same, but the context and legality are polar opposites. One is a willing investment, while the other is theft.
Think of it like putting gas into your car. Buying fuel at a gas station is very different from siphoning gas out of a neighbor’s car. In both of these situations you are putting gas in your car, but in one case you paid for it, and in the other, you’re stealing it from someone who had already bought and started to use it.
What are common cryptojacking targets?
Cryptojackers aren’t picky; they will target any device with available processing power. However, some targets are more attractive than others due to their scale, resources, or vulnerabilities.
Websites
Websites, especially those with high traffic volumes, are prime targets for browser-based cryptojacking. By compromising a single popular website, attackers can harness the collective CPU power of thousands or even millions of visitors. News sites, streaming platforms, and online forums have historically been targeted. The attacker doesn’t need to infect each visitor individually; they only need to inject their malicious script into one central place.
End-user devices
Individual computers, laptops, and mobile devices are constant targets for both browser-based and malware-based attacks. While a single device may not offer immense processing power, the sheer number of personal devices in use makes them a valuable target for large-scale, distributed cryptojacking campaigns. The noticeable effects on an individual user include a sluggish system, overheating, and a rapidly draining battery on mobile devices.
Cloud infrastructure
Cloud environments have become the most lucrative and high-impact target for sophisticated cryptojacking operations. The appeal is obvious: cloud infrastructure offers access to immense, scalable computing power. Attackers who successfully breach a company’s cloud account can spin up hundreds or thousands of virtual machines dedicated to mining, generating massive profits in a short time. These attacks often exploit common cloud security weaknesses:
- Misconfigurations: Publicly exposed servers, weak credentials, or overly permissive access policies can provide an easy entry point.
- Vulnerabilities in Containerization: Compromised container images or vulnerabilities in orchestration platforms like Kubernetes can allow attackers to deploy cryptomining containers across an entire cluster.
- Lack of Visibility: The complex and distributed nature of cloud environments can make it difficult for security teams to detect anomalous resource consumption until they receive an unexpectedly massive bill from their cloud provider.
8 Best Practices for Mitigating Cryptomining Risks
Protecting against cryptojacking requires a multi-layered security strategy that addresses various attack vectors, from the individual browser to the enterprise cloud.
- Use Reputable Security Software: Employ a comprehensive antivirus and anti-malware solution that includes real-time threat detection. Many modern security suites can specifically identify and block known cryptomining scripts and malware.
- Install Browser Extensions: For browser-based threats, use reputable ad-blockers and anti-tracking extensions. Many of these tools maintain blacklists of known cryptojacking domains and can block the malicious JavaScript from ever running.
- Maintain Regular Patch Management: Keep all software, including operating systems, web browsers, and applications, up to date. Malware-based cryptojacking often exploits known software vulnerabilities that can be patched with the latest security updates.
- Monitor System Performance: A sudden and sustained spike in CPU usage when you are not running resource-intensive applications can be a key indicator of a cryptojacking infection. Regularly check your system’s task manager or activity monitor for unusual processes consuming high levels of processing power.
- Educate and Train Staff: Many malware-based attacks begin with phishing. Educating users to recognize and avoid suspicious emails, links, and downloads is the first line of defense against malware installation.
- Implement Advanced Endpoint and Cloud Detection (EDR/CDR): For organizations, Endpoint Detection and Response (EDR) and Cloud Detection and Response (CDR) solutions are essential. These tools go beyond traditional antivirus by using behavioral analysis and anomaly detection to identify suspicious activities, such as processes that exhibit mining-like behavior, even if the specific malware signature is unknown.
- Strengthen Cloud Security Posture: Organizations must proactively secure their cloud environments. This includes using Cloud Security Posture Management (CSPM) tools to identify misconfigurations, enforcing the principle of least privilege for access controls, and regularly auditing cloud resource usage for unexplained spikes in consumption.
- Deploy Network Monitoring: Monitor network traffic for connections to known cryptocurrency mining pools and command-and-control servers. Blocking these connections at the network firewall can prevent cryptojacking scripts from successfully transmitting their work and receiving new tasks.
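The network-monitoring practice above, as an added example that is not code from the original article or from DNS Made Easy: it scans constructed connection-log lines for destinations on a (placeholder) mining-pool list and for JSON-RPC method names used by the Stratum protocol that miners use to talk to pools. The log format, pool domains and wallet string are assumptions.

```python
import json
import re

# Constructed placeholder pool domains; a real deployment would load these
# from a maintained threat-intelligence feed.
KNOWN_POOL_DOMAINS = {"pool.example-miningpool.test", "xmr.example-pool.test"}

# JSON-RPC method names seen in Stratum traffic between a miner and a pool.
# "login"/"submit" are the Monero-style variant and are generic names, so a
# real rule should corroborate them with the destination port or pool list.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login", "submit"}

# Constructed sample log: "<ts> <src> -> <dst_host>:<dst_port> payload=<first bytes>"
SAMPLE_LOG = """
2024-05-01T10:00:01Z 10.0.0.5 -> www.example.com:443 payload=
2024-05-01T10:00:02Z 10.0.0.7 -> pool.example-miningpool.test:3333 payload={"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}
2024-05-01T10:00:03Z 10.0.0.9 -> 203.0.113.10:4444 payload={"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x"}}
2024-05-01T10:00:04Z 10.0.0.5 -> api.example.com:443 payload={"id":2,"method":"getUser","params":[]}
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> ([^:\s]+):(\d+) payload=(.*)$")


def classify(line):
    """Return the reasons a log line looks like miner traffic (empty list if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    _ts, _src, host, port, payload = m.groups()
    reasons = []
    if host in KNOWN_POOL_DOMAINS:
        reasons.append(f"destination {host} is a known mining pool")
    if payload:
        try:
            method = json.loads(payload).get("method")
        except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
            method = None
        if method in STRATUM_METHODS:
            reasons.append(f"Stratum method '{method}' sent to {host}:{port}")
    return reasons


def find_miner_connections(log_text):
    """Map each offending source IP to its reasons, ready for alerting or a firewall block."""
    alerts = {}
    for line in log_text.strip().splitlines():
        reasons = classify(line)
        if reasons:
            alerts.setdefault(line.split()[1], []).extend(reasons)
    return alerts
```

Each flagged source IP is a candidate for the EDR/CDR triage and firewall blocking steps described above; the plain "login" match should be weighted lower than a pool-list hit to keep false positives down.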
Identify traffic anomalies with DNS Made Easy
The consequences of cryptojacking extend well beyond a slow computer. Your organization can experience real financial loss, lost productivity, and even hardware failure.
Mitigating this threat requires a proactive and layered approach to security, including DNS security measures. Cryptojacking might not be a DNS attack, but often attackers use DNS-based tactics like DNS hijacking to redirect users to sites hosting cryptojacking scripts. DNS Made Easy’s tools give your team a picture of your typical traffic patterns, so that if a subdomain is hijacked, you can quickly detect anomalies and mitigate the problem. Contact us today for your free trial.