CybersecurityCryptojacking spreads across the web

By Pranshu Bajpai and Richard Enbody

Right now, your computer might be using its memory and processor power – and your electricity – to generate money for someone else, without you ever knowing. It’s called “cryptojacking,” and it is an offshoot of the rising popularity of cryptocurrencies like bitcoin.

Instead of minting coins or printing paper money, creating new units of cryptocurrencies, which is called “mining,” involves performing complex mathematical calculations. These intentionally difficult calculations securely record transactions among people using the cryptocurrency and provide an objective record of the “order” in which transactions are conducted.

The user who successfully completes each calculation gets a reward in the form of a tiny amount of that cryptocurrency. That helps offset the main costs of mining, which involve buying advanced computer processors and paying for electricity to run them. It is not surprising that enterprising cryptocurrency enthusiasts have found a way to increase their profits, mining currency for themselves by using other people’s processing and electrical power.

Our security research group at Michigan State University is presently focused on researching ransomware and cryptojacking – the two biggest threats to user security in 2018. Our preliminary web crawl identified 212 websites involved in cryptojacking.

Types of cryptojacking
There are two forms of cryptojacking; one is like other malware attacks and involves tricking a user into downloading a mining application to their computer. It’s far easier, however, just to lure visitors to a webpage that includes a script their web browser software runs or to embed a mining script in a common website. Another variant of this latter approach is to inject cryptomining scripts into ad networks that legitimate websites then unknowingly serve to their visitors.