The rise of cryptocurrency has meant many things: an alternative method for funding startups, a record-keeping paradigm that could transform government operations and a new path for criminals to get paid.
Recently it has also meant the advent of “cryptojacking.”
In simple terms, cryptojacking is when a hacker slips code into a website or piece of software that uses some end users’ computing power to validate cryptocurrency transactions. That validation process, called “mining,” earns digital coins for the person who carries it out — and it rewards people with more processing power, giving miners an incentive to use as many computing resources as they can get their hands on.
It’s a pretty new concept. Michael Roling, chief information security officer of the state of Missouri, said he started noticing cryptojacking activity about half a year ago.
A recent cryptojacking operation highlighted how this threatens government. Over a span of about four hours, hackers infected thousands of websites — many of them belonging to state and local governments in the U.S. — with code to force those sites’ visitors to mine the cryptocurrency Monero.
The hackers accomplished this not by attacking the websites themselves, but by attacking a third-party service those websites use, called Browsealoud. The service, from the company Texthelp, is accessibility software to help people consume website content. And it relies on websites embedding code.
So, all the hackers had to do was gain access to Browsealoud’s code and direct the script to load the cryptomining software. Instantly, any website using that version of the script was hijacked for the hacker’s purposes.
In that case, the hackers used a service called Coinhive, legitimate software for mining Monero. Website owners use the software to mine the cryptocurrency using visitors’ computing power, but the creators intended for it to be used for things like monetizing Web traffic without advertising. Coinhive’s terms of service specifically forbid cryptojacking.
The problem with cryptojacking is that it’s tough for a website manager to know it’s happening — the attack affects end users, not the website itself.
Scott Helme, a security researcher in the United Kingdom who noticed the cryptojacking operation, wrote that using subresource integrity attributes might be a good way for website managers to avoid loading hacked scripts, though that approach might not work for everybody.
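
To illustrate the subresource integrity approach mentioned above, here is an added example (not code from Helme, Texthelp or any affected site). This Node.js sketch computes the integrity value for a known-good script, shows that an altered copy no longer matches it, and lists third-party scripts on a page that carry no integrity attribute. The hostnames, script contents and function names are constructed for the example.

```javascript
const crypto = require('crypto');

const STRENGTH = ['sha256', 'sha384', 'sha512']; // weakest to strongest

// Value to place in integrity="..." for a script whose bytes are known-good.
function sriHash(body, algo = 'sha384') {
  return `${algo}-` + crypto.createHash(algo).update(body).digest('base64');
}

// Simplified version of the browser check: among the listed hashes, only the
// strongest algorithm counts, and the script runs if any of those match.
// Unlike a browser, this audit helper treats "no usable hash" as a failure.
function sriMatches(body, integrity) {
  const tokens = integrity.trim().split(/\s+/)
    .filter((t) => STRENGTH.includes(t.split('-')[0]));
  const best = Math.max(...tokens.map((t) => STRENGTH.indexOf(t.split('-')[0])));
  return tokens.some((t) => t === sriHash(body, STRENGTH[best]));
}

// Rough audit: external (cross-origin) script tags with no integrity attribute.
// Regex matching is enough for a spot check, not a full HTML parser.
function scriptsWithoutSri(html, pageOrigin) {
  const missing = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\ssrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src) continue;
    const url = new URL(src[1], pageOrigin);
    const thirdParty = url.origin !== new URL(pageOrigin).origin;
    if (thirdParty && !/\sintegrity\s*=/i.test(tag)) missing.push(url.href);
  }
  return missing;
}

// Constructed sample data: a vendor script, a tampered copy, and a page.
const ORIGINAL = 'function readAloud(text) { /* accessibility widget */ }';
const TAMPERED = ORIGINAL + '\nloadMiner();';
const PINNED = sriHash(ORIGINAL);
const SAMPLE_HTML = `
  <script src="/js/site.js"></script>
  <script src="https://vendor.example/reader.js"
          integrity="${PINNED}" crossorigin="anonymous"></script>
  <script src="https://cdn.example/widget.js"></script>`;

console.log('pinned value:', PINNED);
console.log('original loads:', sriMatches(ORIGINAL, PINNED));
console.log('tampered loads:', sriMatches(TAMPERED, PINNED));
console.log('unpinned third-party scripts:',
  scriptsWithoutSri(SAMPLE_HTML, 'https://city.example'));
```

A pinned hash also blocks the vendor's own legitimate updates until the site publishes the new value, which is one reason the approach might not work for everybody.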