You have to hand it to hackers. They’re constantly expanding our vocabulary. Terms like ‘ransomware botnet’ which would have elicited a quizzical if not skeptical response five years ago now dominate news headlines. It’s safe to say “cryptojacking,” can now be added to the lexicon.
Indeed, cryptojacking appears to be on the way to becoming a good reason for IT professionals to be reaching for the antacids in 2018. That being the case, it can be a hard concept to fully understand, especially since it occupies an area in the middle of a three-ring Venn diagram comprised of hacking, cryptocurrency, and economics.
What is cryptocurrency?
Cryptocurrency is complicated, and it’s new. For a better breakdown than I’d be able to provide, you can watch comedian John Oliver’s here. The main thing to know is that cryptocurrencies like bitcoin are regarded as being more secure, because they’re distributed across something called a blockchain.
What is a blockchain?
Rather than recording a bank transaction in a ledger somewhere, the blockchain “ledger” itself is rigorously processed, verified, and compared against many other computers processing the same information. This is the key reason cryptocurrency transmissions are considered harder to hack.
The distribution of these transactions isn’t without a cost – it’s enormously taxing for computers to be perpetually chugging through each and every one of them (250kWh per transaction), and it takes up an enormous amount of processing power (on par with the electrical usage of the nation of Denmark).
Cryptocurrencies like bitcoin accordingly have incentivized processing these transactions by introducing the concept of ‘mining’ currency, where you’re awarded units of currency for doing their grunt work. Transactions are processed, new units of currency are created, and ideally, everyone wins.
As this involves both the internet and money, we can safely say that naturally there are those people out there who have found ways of exploiting it: cryptojacking.
Rather than buying the computer parts to mine bitcoins et al. and pay the associated electrical bill, hackers have found a way to use your computer and have you pay for the utilities while they pocket the proceeds. The concept here isn’t especially new; the Search for ExtraTerrestrial Intelligence (SETI) has had a program to use your spare processor cycles (with permission) to sort through heaps of noise coming from outer space to see if any of them may be a greeting from outside our solar system since 1999, for instance. But permission is sorta a thing, especially these days.
Why cryptojacking is hard to block
What makes cryptojacking such a hard thing to block is the simple fact that just about any interaction online requires a request and fulfillment that involves your computer’s processor. While many web applications are used and their respective data are crunched on the side of the host computer (e.g. processing your checkout on Amazon), an enormous part of the web relies on what’s called “client-side processing,” where the behavior of the page is run on your computer or mobile device.
Slideshows, dropdown menus, shopping cart rules, and countless other features are run by scripts churning behind the scenes to make the websites you visit behave correctly, and each of them needs to download code to your computer with a set of instructions that are processed on your end.
As you can imagine, it’s not too much of a stretch to see that hackers would be able to take what’s at the core of internet traffic, i.e. processing interactions between multiple computers, and figure out a way to do it without your permission, or even you knowing it.
The same applies to applications downloaded to your device or computer… web browsers have built-in safeguards against exactly how many of your device’s resources a script can use, but installed programs have more latitude.
You’re familiar with the situation: Your computer or smartphone suddenly comes to a screeching halt because some software bit off more than its processor can chew. What was once more easily attributable to a few lines of sloppy code, could now be the only sign that your device is crunching numbers on someone else’s end to generate cryptocurrency–and it’s near impossible for a layperson to determine the difference between the two.
What Can Be Done?
As with any type of crime committed on- or offline, there’s really no easy answer, but the same general rules apply here that apply to basic cyber hygiene:
- Run antivirus and malware scans on a regular basis.
- Do a little background check before installing applications on your device.
- Don’t just click ‘Accept’ each time a website or application asks a question.
- If your computer suddenly starts running a lot more slowly after installing anything to it, try removing it to see if it reverts to normal.
Ultimately, the greatest tool in a cryptojacker’s kit is a lack of awareness on your part, so the more familiar you are with how your computer works and how it performs, the better prepared you’ll be to identify whether or not someone is mining on your dime.