Crypto-jacking - when your PC mines cryptocoins for others
I always feel uneasy when my computer performance becomes laggy. In most cases, Windows is performing maintenance work in the background, an update is being prepared or the antivirus software is running a scan. If the process takes longer and the fan spins up, I'll usually get a little suspicious and look into the task manager. And when I see the browser gobbling up all of my CPU resources, something's likely awry: maybe someone else is making money off my PC.
Malware, like any other software, is constantly evolving. Over the years, the focus slowly shifted from rendering computers unusable with viruses to data and identity theft. Ransomware attacks already made the headlines a couple of times. In the age of cryptocurrencies, ruthless but smart individuals came up with a new idea. They knew mining bitcoins requires complex calculations. But how do you mine them without having to operate expensive server farms yourself? Simple, you let other computers do the dirty work, ideally unnoticed!
Interestingly, Bitcoin is not the only currency that is affected. While Bitcoin calculations have become so complex that you'd need a whole armada of computers, currencies like Monero are still minable with just a few PCs. They even offer a greater degree of anonymity than Bitcoin as transactions are neither individually traceable nor public. And with Coinhive, there's already a small script available that can be secretly embedded into websites or apps. The script has already been discovered on the sites of soccer player Christiano Ronaldo, CBS, Showtime (a streaming service) and, naturally, more than a dozen porn sites because, so far, using the script is perfectly legal! Authorities are currently debating whether this practice should require explicit user consent and whether corresponding scripts should be marked accordingly.
What is certainly illegal is hiding these scripts in apps or secretly hijacking devices. PCs aren't ideal targets since somewhat experienced users usually quickly discover the attack and leave the affected websites. Cellphones are a different story though as users rarely inspect running system processes and most devices don't feature noisy fans. Consequently, performance and battery issues are quickly attributed to other factors. Finally, IoT (Internet of Things) devices like security cameras, smart refrigerators or TVs make for perfect targets. With little to no inspection and reporting tools available to their users, attacks stay perfectly hidden. Maybe devices run slightly hotter or electricity bills are a littler higher but who'd honestly suspect hijacking as the culprit here? Individually, these devices don't have much processing power but grouped into large clusters, they get the job done. A single vulnerability in a security camera can mean thousands of lucrative victims with devices running 24/7.
Also a worthwhile target: cellphones
It remains to be seen how companies (and the courts!) will respond. Many site owners have already suggested that these scripts be used to keep websites ad-free. In the future, that could mean while you're visiting a news site, your PC will be mining crypto-currencies in the background as monetary compensation. Technically, they'd have to come up with a solution that doesn't lock up PCs completely but that would certainly be doable. The bottom line is that you would be paying with a slightly higher electricity bill. A new and disconcerting thought isn't it?
What I would like to know: have you ever noticed your PC running at full steam for no apparent reason? Would you be willing to pay for online services in this way?