In our last article, we discussed how cybercriminals are launching drive-by mining attacks to gain access to people’s crypto-wallets. In this article, we will continue the discussion, explain what ethical mining is and the reason why this area calls for much improvement.
It is quite interesting to note that cybercriminals are delivering miners that communicate via WebSockets, in contrast to drive-by mining attempts that are predominantly launched through HTTP or HTTPS connections. WebSockets are communication protocols that promote data exchange. Notably, it is more difficult to spot and restrict mining codes that come hidden within a secure WebSocket. Coinhive’s popularity inspired the launch of similar services namely, Coin-have and Crypto-loot. Coinhive charges a 30 percent commission on cryptomining earnings while Coin-have charges 20 percent, which is believed to be the lowest in the industry. Crypto-loot claims to follow a bigger pay-out structure, promising to distribute 88 percent of the commissions. These new platforms come integrated with the ability to evade ad blockers, which cybercriminals identify as prime constraints.
In January of this year, millions of Android users were directed to web pages that were mining Monero currency with the pretext of recovering server charges. Victims were asked to solve a CAPTCHA to verify themselves as real humans and did not have even a slight clue about the mining operations. The victims’ tablets and phones continued mining Monero, utilizing the full capacity of the devices’ processors till they entered the “w3FaS05R” code and clicked the “Continue” option. Although mobile devices are not as powerful as desktops, this security incident clearly indicated that mobile devices are equally vulnerable to mining attacks.
Cybercriminals over the years have been using third-party scripts to compel people into getting involved in malicious activities without being aware of it. This was typically observed in the case of Texthelp, when cybercriminals injected a Coinhive script into one of Texthelp’s plugins. This made several U.K.-based government websites take part in malicious cryptomining activities unknowingly.
For quite some time, we have been discussing malicious cryptomining. By now, you may be hoping to get some information about what an appropriate cryptomining process should be and whether it is really feasible to practice it decently in a predominantly-malicious environment. This is what we would refer to as ethical cryptomining. People engaged in this use their own systems to decipher complex mathematical problems to validate or process cryptocurrency transactions.
Interestingly, as cryptocurrency continues to become more popular and its value witnesses a sharp rise, the complexity of the math problems further rises, demanding more CPU/GPU to be harnessed and prompting miners to opt for more high-end graphics cards. This led retail stores to prioritize people who bought graphics-cards for gaming purposes over people who made bulk purchases.
Efforts are underway to regulate browser-based mining. Part of this initiative includes the launch of Coinhive’s new API called AuthedMine, which demands user input to validate mining activities. The purpose behind the launch of this API was to allow visitors to knowingly engage themselves in cryptomining activities. This was how Coinhive sought to shield itself against antivirus solutions and ad blockers. Unfortunately, many cryptomining platforms that offer the opt-in feature may still end up impacting machines by running an uncontrolled miner. Importantly, users cannot easily opt out once they choose to opt in. This clearly indicates that the area of ethical mining needs further refinement.