This article originally appeared in Advisen FPN on October 23, 2018.
From the hacker’s perspective, it’s the perfect crime. Cyber criminals use your organization’s computing power to mine cryptocurrency, without you even realizing you’ve been compromised.
Maybe you notice that your organization's computers are running slower and more sluggishly than usual. Perhaps you receive an unusually high bill from one of your web services providers. There’s no data loss, no business interruption, none of the “traditional” cybersecurity dangers. And yet you’ve been hacked all the same – and if you don’t have a cyber insurance policy that covers this type of loss, the implications can be costly.
How does it work?
Cryptocurrency is an encrypted data string that denotes a unit of digital currency. It is monitored and organized by a blockchain, which also serves as a secure ledger of transactions. Bitcoin is the most well-known example, but there are over 1,700 cryptocurrencies today.
Cryptocurrencies are maintained and confirmed by a process called mining, where a network of computers processes and validates the transactions. Cryptojacking occurs when a cyber criminal steals another organization’s computing resources to mine cryptocurrency for their own benefit. The fact that cryptocurrencies are entirely digital makes it very easy for cybercriminals to launch cryptojacking attacks on vulnerable organizations.
Many of the specific techniques cryptojackers use to mine cryptocurrency are familiar; they phish, engage in password collection, and disseminate malware that victims download and install. Others are new, for example when hackers lure targets to websites that use their computers to cache cryptocurrencies. Some websites even explicitly inform visitors that they use their available computer memory to mine cryptocurrencies instead of running digital advertisements. Regardless of the method, hackers are looking to use your computational power in order to mine cryptocurrency for their personal financial gain.
And that’s what’s novel: the business model itself. Cybercriminals have traditionally stolen data of some sort that can then be sold in the criminal marketplace. As the value of stolen data has gone down over time, criminals are looking for a new model to help them monetize. Enter cryptojacking.
From the criminal perspective, cryptojacking is an attractive crime because it’s so easy to execute and difficult to track. Anyone can do it; there’s not a lot of skill involved and you don’t need many of resources. Off-the-shelf cryptojacking kits can even be purchased for as little as $30. The ease of cryptojacking has made hackers quick to seize this opportunity.
This is a more nefarious form of hidden theft because no one is outright stealing your money or your data; instead they are running up your bill by stealing resources that you might not otherwise realize are being stolen. The delayed nature of the crime means you’re unlikely to realize that you have been cryptojacked until well after the fact. You may discover that you’ve been victimized only when you receive a surprisingly high web services bill. At that point, you’re on the hook to pay it.
How can you protect yourself?
It’s important to note that the act of crytojacking itself does not involve data exfiltration. That could come as a byproduct, but this is an entirely new model of unauthorized access – hackers are just installing software and sabotaging your computational resources, not taking anything directly. Similar to telecom toll fraud, there’s no business interruption with cryptojacking, just a siphoning off of resources at a cost to the victim. Ironically, this means that not all insurance policies will cover the losses.
In addition to ensuring that your cyber insurance is there to protect you, it’s important (as always) to practice good cyber hygiene. Best practices include installing an ad-blocking or anti-cryptomining extension on web browsers and using an anti-virus tool that is capable of detecting known crypto miners.
Vigilance is also advisable. You should carefully monitor usage of infrastructure so that you notice issues sooner than later. Amazon, Azure, and other web service provides meter usage in close to real time, and many will allow you to set up an alert that will notify if you go over a certain threshold. Tools like Coalition’s Compromised Credential monitor will tell you if your credentials are leaked in a data breach, and they also monitor when domains are registered that look like yours, which can signal the start of phishing attack.
Want to learn more?
Education is always key, and it’s important to keep yourself informed. Here are some great resources on this topic that you may want to check out: