Make-A-Wish Foundation Website Targeted By Cybercriminals To Mine Cryptocurrency

Recently, on November 19, the cybersecurity firm Trustwave reported that the website of the world-renowned non-profit organization the Make-A-Wish Foundation had been infected with cryptojacking malware.
Researchers from Trustwave reported that cryptojackers had managed to insert the JavaScript (JS) miner CoinImp into the domain worldwish.org so that they could illegally mine the privacy-focused cryptocurrency Monero (XMR).
The website was embedded with a script that used the computing power of people visiting the site to mine cryptocurrency into the cybercriminals' wallets. The investigation showed that the domain “drupalupdates.tk”, which was used to host the cryptojacking script, was part of a known campaign that had been exploiting Drupalgeddon 2 since May 2018.
Even though the campaign had been updated multiple times since May, several website owners hadn’t updated their Drupal version on schedule. This gave the cybercriminals loopholes that enabled them to compromise the websites to mine cryptocurrency. The most interesting aspect of this campaign was that it used different techniques to avoid static detection. First, the domain name hosting the JavaScript miner, which was itself obfuscated, was changed. The WebSocket proxy also uses multiple domains and IP addresses, which makes blacklist solutions outdated. CoinHive has also been reported to have been used to harness the computing power of website visitors in order to mine cryptocurrency.
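An added example (not from Trustwave's report or the original article) of why an allowlist holds up where the blacklists described above do not: it flags any script host the site does not expect, so a rotated mining domain is caught without ever having been listed. The allowlist contents, the CDN host and the sample page, including the injected script's path, are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site intentionally loads scripts from (hypothetical allowlist).
ALLOWED_SCRIPT_HOSTS = {"worldwish.org", "cdn.example.org"}

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def host_allowed(host, allowed):
    """True if host equals an allowed host or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)

def unexpected_script_hosts(html, page_host, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return sorted script hosts that are not on the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    flagged = set()
    for src in collector.sources:
        # Protocol-relative URLs (//host/path) need a scheme to parse correctly.
        parsed = urlparse("https:" + src if src.startswith("//") else src)
        host = parsed.hostname or page_host  # relative paths load from the page itself
        if not host_allowed(host, allowed):
            flagged.add(host)
    return sorted(flagged)

# Constructed sample page; the injected tag's path is made up for illustration.
SAMPLE_HTML = """
<html><head>
<script src="/sites/all/js/main.js"></script>
<script src="https://cdn.example.org/jquery.min.js"></script>
<script src="//drupalupdates.tk/placeholder.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    print(unexpected_script_hosts(SAMPLE_HTML, "worldwish.org"))
```

This check only covers scripts loaded by URL, not inline code. A Content-Security-Policy `script-src` allowlist applies the same rule in the visitor's browser.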
It was reported that Trustwave had contacted Make-A-Wish to report the cryptojacking activity on the global foundation’s website, but the foundation did not respond to the heads-up. According to Trustwave's report, however, the malicious code was eventually taken down after Trustwave attempted to reach the foundation.
Cryptojacking is an emerging practice that has grown at a very fast pace. It is, for all possible reasons, illegal. Cybercriminals do this in multiple ways. They can either get the victim to click on a link, containing viruses, in an email that loads the crypto mining code on the computer, or tamper with a website or an online advertisement by adding JavaScript code that auto-executes once loaded in a browser.
The crypto mining code then works in the background, through either of the two ways mentioned above, while unsuspecting victims use their computers normally. They may notice only slower performance or lags in execution on their computer; other than that, there are no visible indicators that a computer has been infected by a cryptojacking virus.
While the extent to which cryptojacking is performed worldwide isn’t certain, the practice is clearly thriving. Adguard reported a thirty-one percent growth rate for cryptojacking done through browsers last November. The research found that 33,000 websites were running crypto mining scripts. Adguard estimated that those sites had almost one billion combined monthly visitors.
According to the Bad Packets Report from February, a total of 34,474 websites were running Coinhive, the most popular JavaScript miner, which is also used for legal crypto mining activities. In July, Check Point Software Technologies presented its report, which highlighted that four of the top ten malware it had found were crypto miners, including the most famous ones: Coinhive and Cryptoloot.
During the year 2018, the number of cryptocurrency mining attacks has increased to a staggering five hundred percent, according to data collected by Bloomberg. Internet security provider and research lab McAfee Labs has recently revealed a new Monero-mining virus called Webcobra, which is thought to have originated from Russia. Also, in early November, the global cybersecurity company Trend Micro, from Japan, discovered a new type of cryptojacking virus that was targeting computers running Linux.
Coin mining malware has proved difficult to detect, since once a machine is compromised by the virus it continues to run the malicious app in the background. This raises the need for developing better defenses against cryptojacking.



