Cryptojacking, the hijacking of computing resources to mine cryptocurrency, turns out to be both relatively widespread and not particularly profitable, according to a paper published by code boffins from Braunschweig University of Technology in Germany.
In a paper distributed via ArXiv, researchers Marius Musch, Christian Wressnegger, Martin Johns, and Konrad Rieck analyzed the prevalence of cryptomining on websites and found that 1 out of every 500 of the top million Alexa-ranked sites hosts cryptojacking code.
Where cryptocurrencies like Bitcoin depend on CPU cycles for solving the computational puzzles that generate currency, cryptocurrencies like Monero, Bytecoin, and Electroneum rely on memory resources. Commodity hardware can't compete with GPUs and ASICs in the computation of Bitcoin hashes, but it can help churn out memory-bound calculations. That's made pretty much any internet user's hardware potentially useful for those looking to turn stolen processor time into something of value.
Cryptojacking code gets placed on websites, either as a result of a security flaw or deliberate action by the site owner. The two most common libraries are CoinHive and Advisorstat, the researchers say. When someone visits a site that implements these or similar libraries, the visitor's device will begin cryptographic number crunching and credit the work to someone else, the attacker or site owner, with the software's developers also taking a cut.
Fine in theory, sucks in practice
In theory, this can be remunerative. The researchers calculate that a cryptomining script on a popular website like Pornhub, with 81 million visitors a day last year, could earn US$50,208 per day, at an exchange rate of 1 XMR (Monero) per US$225. That's less than the $81,000 per day the site would earn from advertising, based on a CPM of US$1.
But on average, most cryptojackers don't earn much. "With a hash rate of 80 H/s and CoinHive’s payout ratio, a miner earns about US$5.80 per day per website on average, which supports our observation that web-based cryptojacking currently provides only limited profit," the paper explains.
The ten most profitable cryptomining sites identified generate between US$119 to US$340 per day.
Existing detection methods – static blacklists – fall short, the researchers contend, noting that their approach mixing static and dynamic analysis performs better. And they argue that browser makers should move toward mining-aware browsing by implement tab-based CPU quotas to detect unauthorized mining.
Pulitzer-winning website Politifact hacked to mine crypto-coins in browsersREAD MORE
"The only reliable indicator in the presence of an adversary that actively tries to avoid detection is the measurement of prolonged and excessive CPU usage," they say.
Underscoring the interest in cryptojacking among miscreants, security biz Talos on Thursday delved into the doings of an individual identified as "Rocke," whom the firm links to a number of recent malicious mining campaigns.
Rocke, says David Liebenberg, senior threat analyst at Talos in a blog post, operates from China's Jiangxi Province, based on details in various associated code repositories and email accounts. The firm anticipates that Rocke will continue to deploy browser-based miners, trojans, and the Cobalt Strike malware, while also exploring social engineering attacks.
"Despite the volatility in the value of various cryptocurrencies, the trend of illicit cryptocurrency mining activity among cybercriminals shows no signs of abating," said Liebenberg. "Rocke's various campaigns show the variety of infection vectors, malware, and infrastructure that these criminals will employ to achieve their goals." ®