Crypto-jacking - when your PC mines cryptocoins for others

Sven Krumrey

I always feel uneasy when my computer performance becomes laggy. In most cases, Windows is performing maintenance work in the background, an update is being prepared or the antivirus software is running a scan. If the process takes longer and the fan spins up, I'll usually get a little suspicious and look into the task manager. And when I see the browser gobbling up all of my CPU resources, something's likely awry: maybe someone else is making money off my PC.


Mining until the processor melts

Malware, like any other software, is constantly evolving. Over the years, the focus slowly shifted from rendering computers unusable with viruses to data and identity theft. Ransomware attacks already made the headlines a couple of times. In the age of cryptocurrencies, ruthless but smart individuals came up with a new idea. They knew mining bitcoins requires complex calculations. But how do you mine them without having to operate expensive server farms yourself? Simple, you let other computers do the dirty work, ideally unnoticed!

Attacks usually happen over the Internet. You visit a site that uses JavaScript (e.g. for ads) and, suddenly, the CPU load rises considerably. Or you download an app to your cellphone that behaves as advertised (otherwise you'd quickly delete it) but performs extensive mining in the background. Alternatively, servers are attacked or the required code is snuck into traditional malware. Attackers take great care to stay hidden and not to noticeably harm PCs. As with parasites that don't kill their hosts, computers are supposed to continue running smoothly. And even though cryptocurrencies, like Bitcoin, have lost a lot of their value since the beginning of the year, crypto-jacking still pays. While ransomware is on the decline, crypto-jacking has become the new thing.

The new object of desire

Interestingly, Bitcoin is not the only currency that is affected. While Bitcoin calculations have become so complex that you'd need a whole armada of computers, currencies like Monero are still minable with just a few PCs. They even offer a greater degree of anonymity than Bitcoin as transactions are neither individually traceable nor public. And with Coinhive, there's already a small script available that can be secretly embedded into websites or apps. The script has already been discovered on the sites of soccer player Cristiano Ronaldo, CBS, Showtime (a streaming service) and, naturally, more than a dozen porn sites because, so far, using the script is perfectly legal! Authorities are currently debating whether this practice should require explicit user consent and whether corresponding scripts should be marked accordingly.

What is certainly illegal is hiding these scripts in apps or secretly hijacking devices. PCs aren't ideal targets since somewhat experienced users usually quickly discover the attack and leave the affected websites. Cellphones are a different story though as users rarely inspect running system processes and most devices don't feature noisy fans. Consequently, performance and battery issues are quickly attributed to other factors. Finally, IoT (Internet of Things) devices like security cameras, smart refrigerators or TVs make for perfect targets. With little to no inspection and reporting tools available to their users, attacks stay perfectly hidden. Maybe devices run slightly hotter or electricity bills are a little higher but who'd honestly suspect hijacking as the culprit here? Individually, these devices don't have much processing power but grouped into large clusters, they get the job done. A single vulnerability in a security camera can mean thousands of lucrative victims with devices running 24/7.

Also a worthwhile target: cellphones

By now, decent antivirus programs detect and block many crypto-jacking attacks. The developers of Opera also acted swiftly and added an additional layer of protection to their built-in adblocker. In general, once you disable JavaScript, you're mostly safe - although your browsing experience may suffer significantly. But there are also other ways. Since most attacks currently occur during web browsing, browser extensions like NoCoin, MinerBlock, CryptoPrevent or Mineblock can mitigate the risk for all popular browsers. With "smart" devices, however, you're at the mercy of their manufacturers when it comes to software updates. Whether, for example, your home surveillance system is protected against crypto-jacking is anybody's guess. Especially cheap products will likely never see security patches even though they make for nice targets.
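
How a blocklist-based blocker can decide which scripts on a page to stop, as an added example that is not part of the original article and is not the code of any extension named above. Matching by hostname is an assumption about the approach, and every hostname and URL below is a constructed placeholder.

```javascript
// Blocklist of mining-script hosts. Constructed placeholders, not real indicators.
const BLOCKED_HOSTS = new Set(["miner.example", "pool.coin-script.example"]);

// True when `host` equals a blocked entry or is a subdomain of one.
function isBlockedHost(host, blocklist = BLOCKED_HOSTS) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  // Test "a.b.c", then "b.c", then "c": only whole-label suffixes can match,
  // so a name that merely contains a blocked string is left alone.
  for (let i = 0; i < labels.length; i++) {
    if (blocklist.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Decide whether a script reference found on a page should be blocked.
function shouldBlockScript(scriptUrl, pageUrl, blocklist = BLOCKED_HOSTS) {
  let url;
  try {
    url = new URL(scriptUrl, pageUrl); // resolves relative and protocol-relative src
  } catch {
    return false; // unparsable src: the browser could not fetch it either
  }
  return isBlockedHost(url.hostname, blocklist);
}

// Constructed sample: script sources collected from one page.
const PAGE = "https://news.example/article";
const SCRIPTS = [
  "https://miner.example/lib/worker.min.js", // exact host: blocked
  "//cdn.miner.example/w.js",                // subdomain, protocol-relative: blocked
  "https://notminer.example/app.js",         // shares a substring only: allowed
  "https://miner.example.cdn.test/app.js",   // blocked name as a prefix only: allowed
  "/static/site.js",                         // same-origin script: allowed
];

// Returns the subset of script sources that the blocklist would stop.
function blockedScripts(scripts = SCRIPTS, page = PAGE) {
  return scripts.filter((src) => shouldBlockScript(src, page));
}

console.log(blockedScripts());
```

A list like this only stops hosts that are already known; a mining script served from the visited site's own domain passes this check, which is why the CPU-load symptom described at the top of the article remains worth watching.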

It remains to be seen how companies (and the courts!) will respond. Many site owners have already suggested that these scripts be used to keep websites ad-free. In the future, that could mean while you're visiting a news site, your PC will be mining crypto-currencies in the background as monetary compensation. Technically, they'd have to come up with a solution that doesn't lock up PCs completely but that would certainly be doable. The bottom line is that you would be paying with a slightly higher electricity bill. A new and disconcerting thought, isn't it?

What I would like to know: have you ever noticed your PC running at full steam for no apparent reason? Would you be willing to pay for online services in this way?
