Crypto-jacking, also known as browser-based cryptocurrency mining, has made a surprising comeback in 2020. According to Symantec’s Threat Landscape Trends report for Q2 2020, crypto-jacking saw a 163% increase in detections compared to previous quarters. The spike was unusual, as most security experts considered the method to be dead.
Browser-Based Crypto-Jacking Explained
The major spike in browser-based cryptocurrency mining, or crypto-jacking, took place between September 2017 and March 2019. During that time, it was one of the most common forms of cyber-attack. The uptick coincided with the launch and subsequent shutdown of Coinhive, a German-based Internet service that let users mine the Monero cryptocurrency on their websites simply by adding a JavaScript library to their sites’ source code.
The service was innocently intended to be an alternative website monetization scheme to classic online ads, but it became popular with cybercrime groups. Cybercriminals started hacking into websites and secretly loading Coinhive’s library on them with an alternate configuration designed to mine Monero for the criminal groups.
This ran until March 2019, when Coinhive operators suddenly announced they were shutting down. In addition to the end of Coinhive, academic teams who analyzed the scheme’s efficiency found that cryptojacking was incredibly inefficient at generating revenue, as just three classic online ads could generate as much as 5.5 times more revenue than a web-based crypto-jacking script.
Is a Router-Hijacking Botnet to Blame for Cryptojacking’s Rebirth?
A source in the antivirus industry told the website ZDNet that a router botnet likely caused the newest surge in cryptojacking detections. The source, who did not want to be identified by name, said that similar incidents have occurred previously in Latin America.
Hacking outfits can break into home routers and modify DNS settings to hijack legitimate web traffic, use hacked routers as proxies, or enable them to launch DDoS attacks. In rare instances, groups will also experiment with other ways of monetizing router botnets, including deploying cryptojacking scripts, which are usually modified versions of the old coinhive.js library, updated to work without the now-defunct Coinhive service.
Despite the new spikes in browser-based crypto-jacking detections, a full comeback is not expected. Most of the cybercrime groups who experimented with crypto-jacking in the past would usually drop it after several weeks, as they discovered that browser-based cryptocurrency mining is not an efficient way to make a profit.