New research identifies malicious cryptojacking operations

6/27/2019 Joseph Park and Ryann Monahan, ECE

Three CSL professors were on a team that recently released a report highlighting the dangers of cryptojacking.

The team included CSL faculty Michael Bailey, Nikita Borisov, and Andrew Miller; electrical and computer engineering faculty Joshua Mason and Amin Kharraz; and computer science graduate students Zane Ma and Paul Murley, who joined a team from the Georgia Institute of Technology to perform an internet-scale analysis of this new threat.

Cryptojacking is a form of resource abuse that uses end users' machines to mine cryptocurrency without their consent. In a typical workflow, a user visits a website where cryptojacking operators have placed JavaScript code that is loaded alongside the page in the user's browser. This code causes the browser to mine cryptocurrency as part of a mining pool, and any cryptocurrency and associated value from the mining is kept by the cryptojacking operator. While such mining can be used for benign purposes (e.g., as an alternative to advertising), the researchers found that the overwhelming majority of it was not visible to the end user and was happening without user consent.

[Figure: In-browser Cryptojacking Workflow]

To perform their analysis, the researchers developed an automated tool called Outguard to identify cryptojacking operations and used it to classify millions of websites on the public internet. Their analysis discovered more than 6,300 cryptojacking websites, 57% more than existing techniques detected. While CoinHive and JSeCoin were both well-reported cryptojacking operations, Outguard enabled the discovery of twenty-four previously unseen mining services. These services were free or charged fees as low as 1-3%, significantly less than the 10-30% of generated revenue charged by the better-known mining pools. Such inexpensive services could make the entire operation more attractive to cost-sensitive operators.

The researchers also noticed that cryptojacking websites were organized into campaigns, indicating that single entities receive the revenue generated by collections of cryptojacking websites. The authors detected 35 campaigns during their experiments and identified 16 that used the less expensive or free mining services. One detected campaign controlled 121 websites that all embedded the same mining key, an identification parameter used to receive mining tasks. All 121 clustered domains were registered through anonymous WHOIS services and mostly pointed to cloud-hosting providers. The campaign's use of multiple anonymous WHOIS services, globally distributed cloud hosting, and a large number of fungible, human-meaningless domains hints at evasion techniques intended to bypass common defenses such as reputation-based approaches.
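The two paragraphs above describe the workflow (a miner script with a mining key loaded into the visitor's browser) and the campaign clustering (many domains sharing one key, registered through anonymous WHOIS). The following script is an added example, not Outguard or any code from the paper: it groups crawled pages by the mining key found in their scripts and flags how many domains in each cluster hide behind WHOIS privacy. The `Miner.Anonymous(<key>)` loader pattern, the sample pages and the WHOIS records are all constructed for illustration and do not correspond to any real mining service.

```python
import re
from collections import defaultdict

# Constructed sample crawl: (domain, inline script as served to the visitor).
# "Miner.Anonymous(<key>)" is a hypothetical miner loader API used only here.
SAMPLE_PAGES = [
    ("x7k2q.example", "<script src='//pool.example/m.js'></script>"
                      "<script>new Miner.Anonymous('AbCd1234EfGh5678IjKl').start()</script>"),
    ("p0w9m.example", "<script>var m=new Miner.Anonymous(\"AbCd1234EfGh5678IjKl\","
                      "{threads:4});m.start();</script>"),
    ("zz41r.example", "<script>new Miner.Anonymous('AbCd1234EfGh5678IjKl').start()</script>"),
    ("blog.example",  "<p>Hello</p><script>new Miner.Anonymous('QqRrSsTtUuVvWwXxYyZz')"
                      ".start()</script>"),
    ("news.example",  "<p>No miner here</p>"),
]

# Constructed WHOIS registrant fields for the same domains.
SAMPLE_WHOIS = {
    "x7k2q.example": "WhoisGuard Protected",
    "p0w9m.example": "Domains By Proxy, LLC",
    "zz41r.example": "Privacy service provided by Withheld for Privacy",
    "blog.example": "Example Media Ltd",
    "news.example": "Example News Inc",
}

# The mining key is the identification parameter the browser-side miner sends
# to the pool to receive work; every site in a campaign embeds the same one.
MINING_KEY_RE = re.compile(r"""Miner\.Anonymous\(\s*['"]([A-Za-z0-9_-]{16,})['"]""")

# Heuristic for privacy/proxy registrations (constructed keyword list).
ANON_WHOIS_RE = re.compile(r"privacy|proxy|whoisguard|withheld|redacted", re.I)


def extract_mining_keys(html):
    """Return the set of mining keys embedded in one page's HTML."""
    return set(MINING_KEY_RE.findall(html))


def is_anonymous_whois(registrant):
    """True if the registrant field looks like a WHOIS privacy service."""
    return bool(ANON_WHOIS_RE.search(registrant or ""))


def cluster_by_key(pages):
    """Map each mining key to the sorted list of domains that embed it."""
    clusters = defaultdict(set)
    for domain, html in pages:
        for key in extract_mining_keys(html):
            clusters[key].add(domain)
    return {key: sorted(domains) for key, domains in clusters.items()}


def campaign_report(pages, whois, min_sites=2):
    """Keys shared by at least `min_sites` domains, with an anonymous-WHOIS count.

    A key used by a single site is ordinary (possibly consensual) mining; a key
    shared across many unrelated domains is the campaign signal described above.
    """
    report = []
    for key, domains in cluster_by_key(pages).items():
        if len(domains) < min_sites:
            continue
        anon = sum(1 for d in domains if is_anonymous_whois(whois.get(d)))
        report.append({"key": key, "sites": len(domains),
                       "domains": domains, "anonymous_whois": anon})
    return sorted(report, key=lambda r: r["sites"], reverse=True)


if __name__ == "__main__":
    for campaign in campaign_report(SAMPLE_PAGES, SAMPLE_WHOIS):
        print(f"key {campaign['key']}: {campaign['sites']} sites, "
              f"{campaign['anonymous_whois']} with anonymous WHOIS -> "
              f"{', '.join(campaign['domains'])}")
```

On the constructed input this reports one campaign of three domains, all privacy-registered, and leaves the single-site key on blog.example out of the report. A real deployment would replace the hypothetical regex with loader signatures for the services actually observed and would add the other campaign indicators the paper mentions, such as shared hosting providers.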

The work received the best paper award at The Web Conference 2019. Organized by the International World Wide Web Conference Committee, The Web Conference (formerly known as WWW) is an annual international conference which “aims to provide the world with a premier forum for discussion and debate about the evolution of the Web, the standardization of its associated technologies, and the impact of those technologies on society and culture.” The work was one of the two best papers selected from the 225 accepted, peer-reviewed publications and a field of 1247 submissions.  

This work was supported by the National Science Foundation (NSF) under award CNS-1518741.

This story was published June 27, 2019.