UPDATED 17:36 EDT / FEBRUARY 02 2018

PC running slowly? You may be a node in a vast cryptomining network

That open tab in the background of the browser you’re looking at right now could be slowing your computer to a crawl. If you’re reading on a smartphone, it could even fry your device.

Cryptomining is the hottest thing in cybercrime right now, and many victims don’t even know they’ve been affected. Cryptomining software hijacks personal computers and mobile devices and turns them into nodes on large networks that create cryptocurrencies. “Mining” in this context means validating transactions by solving mathematical problems. Each successful solution generates a small amount of income for the miner in the form of one of the more than 1,500 cryptocurrencies that are on the market.

“It’s extremely hard to detect,” said Alex Vaystikh, chief technology officer at SecBI Ltd., which makes a cyber threat detection and network traffic analysis platform. “It’s basically a denial-of-service attack against your CPU.”

Attackers can avoid the often substantial cost of the hardware needed for mining by hijacking other people’s computers and diverting part of their processing speed to the task. The more compromised systems they can lash together, the bigger their return. One cryptomining operation that was uncovered last week affected an estimated 30 million computers.

What makes this new form of attack different from those that preceded it is that developers have figured out ways to hijack client machines from within a browser window. “It doesn’t actually require an infection, which is a lot more sinister than malware, in a way, because anybody can mine for coins,” said Jérôme Segura, lead malware intelligence analyst at Malwarebytes Inc.

Malware in the browser

Thieves are taking advantage of the fact that browsers have gotten a lot more capable in recent years. Every browser can run JavaScript programs, and most also support WebAssembly, a component of the HTML5 standard that enables complex browser-based applications to run nearly as fast as they would natively on a desktop.

The rewards are so attractive — and the risks so small — that Malwarebytes recently reported that cryptomining is on track to surpass data-encrypting ransomware as the fastest-growing form of malware. “It’s a more sensible and straightforward way to make money without the trouble of encrypting files,” said. “You don’t need to bypass detection, and if you stay for 10 minutes you can generate 10 cents.”

How lucrative is it? Cisco Systems Inc.’s Talos security unit this week estimated that a miner who can rope together just 2,000 PCs can generate $500 a day worth of cryptocurrency, or $182,500 per year. Botnets with a few million compromised systems “could be leveraged to generate more than $100 million per year,” Talos researchers wrote.

How it works

Cryptomining software is delivered in two basic forms. One is as conventional malware, which is spread through email attachments, or by a user clicking on a malicious link. Malware has a signature, so it can be caught by antivirus software.

The browser-based versions are more insidious. Website operators need embed only a small amount of JavaScript code to connect visitors to a cryptomining network such as Coinhive, which advertises its service as a way for website operators to improve visitor engagement and deliver better services by earning money from cryptomining rather than advertising. Coinhive steals a percentage of each connected processor and adds it to a giant distributed processing network.

A second, more sophisticated approach uses WebAssembly to deliver compiled software modules to the browser. That code runs faster and thus generates bigger returns for miners.

Cryptomining software works on any browser and can hijack any processor. That means miners can potentially co-opt anything with a processor, from simple Raspberry Pi devices to smart exercise equipment. “We expect smart TVs and USB devices will soon come pre-infected,” said SecBI’s Vaystikh.

Miners favor Monero, a type of currency that is considered highly secure and untraceable. “It’s anonymous, and criminals appreciate that,” Segura said. Another advantage of Monero is that it’s designed to be mined on a network of off-the-shelf processors. In contrast, bitcoin has become such a big business that expensive server farms are the only practical way to mine it.

Technically legal

There’s nothing illegal about cryptomining when the practice is disclosed. Where things get fuzzy is when website owners don’t tell their visitors that their devices have been hijacked. But those website owners themselves may not even know. “We’ve started seeing waves of legitimate websites and WordPress blogs getting hacked and injected with the mining scripts,” Segura said. YouTube was recently caught serving up cryptomining code via advertisements that had been legitimately purchased on Google’s DoubleClick ad network.

It’s nearly impossible for antimalware software to detect browser-based cryptomining software. About the only way to tell that a computer has been compromised is to monitor for network requests to JavaScript mining services. At one point last year, Malwarebytes was blocking 8 million requests a day to Coinhive.com, but “today there are a lot of copycats and other services using various proxies that make it much harder to block,” Segura said. “We don’t have as good an idea of the impact of cryptomining as we used to.”
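The network-side check described above can be sketched as a scan of proxy logs for requests to known mining-service domains. This is an added example, not code from the article or from any vendor it quotes; the log format, client addresses, subdomain labels and paths are constructed, and the watch list holds only the one domain the article names, so copycat services and proxies of the kind Segura mentions will not match until they are added.

```python
from urllib.parse import urlsplit

# Mining-service domains to watch. coinhive.com is the only one the article
# names; a real deployment would load a maintained list (assumption).
MINING_DOMAINS = {"coinhive.com"}

# Constructed proxy log, format "<timestamp> <client_ip> <method> <target>".
# Client addresses, subdomain labels and paths are made up for illustration.
SAMPLE_LOG = """\
2018-02-02T17:01:10Z 10.0.0.12 GET https://coinhive.com/lib/miner.js
2018-02-02T17:01:11Z 10.0.0.12 GET wss://ws.coinhive.com/socket
2018-02-02T17:01:15Z 10.0.0.40 GET https://example.org/index.html
2018-02-02T17:02:02Z 10.0.0.40 GET https://notcoinhive.com.example.net/a.js
2018-02-02T17:03:30Z 10.0.0.77 CONNECT COINHIVE.com:443
malformed line
"""


def host_of(target):
    """Return the lowercase hostname of a URL or a CONNECT-style host:port."""
    if "://" not in target:
        target = "//" + target  # let urlsplit treat "host:443" as a netloc
    try:
        return (urlsplit(target).hostname or "").rstrip(".")
    except ValueError:
        return ""


def is_mining_host(host):
    """Match the domain itself or any subdomain, never a mere substring."""
    return any(host == d or host.endswith("." + d) for d in MINING_DOMAINS)


def find_mining_clients(log_text):
    """Count requests to mining hosts per client IP; skip malformed lines."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, _, target = parts
        if is_mining_host(host_of(target)):
            hits[client] = hits.get(client, 0) + 1
    return hits


if __name__ == "__main__":
    for client, count in sorted(find_mining_clients(SAMPLE_LOG).items()):
        print(f"{client} made {count} request(s) to a known mining service")
```

Matching on the parsed hostname rather than on a substring of the URL keeps look-alike names such as `notcoinhive.com.example.net` from raising false alerts.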

The best way to tell if your computer has been hijacked is to watch for sudden and dramatic slowdowns in performance. Check the Task Manager on Windows or Activity Monitor on Macintosh to see if your browser is the culprit. If closing browser tabs restores normal performance, then a cryptominer is probably the culprit.

If there’s a silver lining, it’s that the only thing cryptomining software steals from its victims is processing power. However, that can add up to frustration and a significant impact on productivity across a large network of PCs inside a company. Also, though running CPUs at 100 percent won’t damage PCs, it can potentially overheat and destroy mobile devices.

Image: Wikimedia Commons
