MineSweeper: An In-depth Look into Drive-by Cryptocurrency Mining and Its Defense

A wave of alternative coins that can be effectively mined without specialized hardware, and a surge in cryptocurrencies' market value, has led to the development of cryptocurrency mining (cryptomining) services, such as Coinhive, which can be easily integrated into websites to monetize the computational power of their visitors. While legitimate website operators are exploring these services as an alternative to advertisements, they have also drawn the attention of cybercriminals: drive-by mining (also known as cryptojacking) is a new web-based attack, in which an infected website secretly executes JavaScript code and/or a WebAssembly module in the user's browser to mine cryptocurrencies without her consent. In this paper, we perform a comprehensive analysis of Alexa's Top 1 Million websites to shed light on the prevalence and profitability of this attack. We study the websites affected by drive-by mining to understand the techniques being used to evade detection, and the latest web technologies being exploited to efficiently mine cryptocurrency. As a result of our study, which covers 28 Coinhive-like services that are widely used by drive-by mining websites, we identified 20 active cryptomining campaigns. Motivated by our findings, we investigate possible countermeasures against this type of attack. We discuss how current blacklisting approaches and heuristics based on CPU usage are insufficient, and present MineSweeper, a novel detection technique that is based on the intrinsic characteristics of cryptomining code and is therefore resilient to obfuscation. Our approach could be integrated into browsers to warn users about silent cryptomining when visiting websites that do not ask for their consent.
