Figure 9 - uploaded by Shayan Eskandari
Comparison of CPU usage of browser without and with browser mining enabled. 

Source publication
Conference Paper
In this paper, we examine the recent trend towards in-browser mining of cryptocurrencies; in particular, the mining of Monero through Coinhive and similar codebases. In this model, a user visiting a website will download a JavaScript code that executes client-side in her browser, mines a cryptocurrency, typically without her consent or knowledge,...

Contexts in source publication

Context 1
... user implementing the script must include a throttle value to reduce the client-side CPU usage during mining operations. We show an example in Figure 9. ...
Context 2
... cryptojacking scripts discovered were configured to use around 25% of the user's CPU, which can be justified as it will be under the threshold of attracting the user's attention, and it could be argued as fair usage of their hardware. During the first few days, however, there were some reports of 100% CPU usage while visiting websites containing these scripts [34], which can be characterized as malicious. By default, the Coinhive JavaScript library will use all available CPU resources. The user implementing the script must include a throttle value to reduce the client-side CPU usage during mining operations. We show an example in Figure 9. ...

Citations

... Resource squatting. A line of works [37], [41], [62] has revealed cryptojacking, wherein device computing resources are abused by miscreants for cryptocurrency mining. In addition, another abuse scenario is the unauthorized monetization of residential and mobile devices into web proxies to relay third-party network traffic [59], [60]. ...
Preprint
As an emerging service for in-browser content delivery, peer-assisted delivery network (PDN) is reported to offload up to 95% of bandwidth consumption for video streaming, significantly reducing the cost incurred by traditional CDN services. With such benefits, PDN services significantly impact today's video streaming and content delivery model. However, their security implications have never been investigated. In this paper, we report the first effort to address this issue, which is made possible by a suite of methodologies, e.g., an automatic pipeline to discover PDN services and their customers, and a PDN analysis framework to test the potential security and privacy risks of these services. Our study has led to the discovery of 3 representative PDN providers, along with 134 websites and 38 mobile apps as their customers. Most of these PDN customers are prominent video streaming services with millions of monthly visits or app downloads (from Google Play). Also found in our study are another 9 top video/live streaming websites with each equipped with a proprietary PDN solution. Most importantly, our analysis on these PDN services has brought to light a series of security risks, which have never been reported before, including free riding of the public PDN services, video segment pollution, exposure of video viewers' IPs to other peers, and resource squatting. All such risks have been studied through controlled experiments and measurements, under the guidance of our institution's IRB. We have responsibly disclosed these security risks to relevant PDN providers, who have acknowledged our findings, and also discussed the avenues to mitigate these risks.
... In a concurrent work, Saad et al. [20] conducted a similar study, but on a larger number of websites; 5703 sites in total. Concurrently, Eskandari et al. [8] examined the prevalence of cryptojacking among websites and the use of Coinhive as the most popular platform for cryptojacking. All of these studies highlight the issue of cryptojacking through measurements, and the emerging use of cryptojacking as an alternative to online ads. ...
Preprint
Cryptocurrencies, arguably the most prominent application of blockchains, have been on the rise with a wide mainstream acceptance. A central concept in cryptocurrencies is "mining pools", groups of cooperating cryptocurrency miners who agree to share block rewards in proportion to their contributed mining power. Despite many promised benefits of cryptocurrencies, they are equally utilized for malicious activities; e.g., ransomware payments, stealthy command, control, etc. Thus, understanding the interplay between cryptocurrencies, particularly the mining pools, and other essential infrastructure for profiling and modeling is important. In this paper, we study the interplay between mining pools and public clouds by analyzing their communication association through passive domain name system (pDNS) traces. We observe that 24 cloud providers have some association with mining pools as observed from the pDNS query traces, where popular public cloud providers, namely Amazon and Google, have almost 48% of such an association. Moreover, we found that the cloud provider presence and cloud provider-to-mining pool association both exhibit a heavy-tailed distribution, emphasizing an intrinsic preferential attachment model with both mining pools and cloud providers. We measure the security risk and exposure of the cloud providers, as that might aid in understanding the intent of the mining: among the top two cloud providers, we found almost 35% and 30% of their associated endpoints are positively detected to be associated with malicious activities, per the virustotal.com scan. Finally, we found that the mining pools presented in our dataset are predominantly used for mining Metaverse currencies, highlighting a shift in cryptocurrency use, and demonstrating the prevalence of mining using public clouds.
... There are two main ways hackers can secretly search for cryptocurrency on a victim's computer. One is to trick victims into downloading an encryption code to their computer or injecting a script into an advertisement on one or more websites (Eskandari et al., 2018). The code runs complex math problems on victims' computers and sends the results to a server controlled by hackers. ...
Article
With the development of technology, information technology and digital data have become an indispensable part of life, and it has become mandatory to deliver services using digital data. Every day, money transactions, purchases and money transfers are carried out by banks and users. With the transition from paper-based systems to digital systems, the number of users increases every day, but there are concerns about these systems. In modern technologies, there is constant concern that the possibility of information theft, the risk of cyber attack and the fear of breaches may lead to financial losses. Since such digital money transactions carry users' personal data and privacy, everyone needs to complete the correct transactions reliably. Because of the great importance of financial transactions and digital currencies in daily life, this article explains the characteristics of digital currency and how fraud should be prevented. It will also analyze which tools are safe for using such a cryptocurrency. Security problems are described by examining the risks that the algorithmic mechanisms used in these transactions may involve. In addition, the security methods and algorithms of cryptocurrency, the cyber attack methods against digital money, and security measures are examined.
... In September 2017, the web mining technology Eskandari [18] appeared and became popular. Later on, Coinhive mining scripts [19] were found on the web pages of the world's largest BitTorrent website, Pirate Bay. ...
... In other words, any device that can execute JavaScript and connect to the network can participate in mining cryptocurrencies, and higher website traffic means higher revenues, which was the idea that prompted Coinhive to evolve. (2) Coinhive: Coinhive [18] proposed a browser mining script in September 2017 that was very similar to BitcoinPlus.com. The difference between Coinhive and BitcoinPlus.com is that Coinhive mines Monero, and BitcoinPlus.com ...
... This behavior causes many users to experience slower computer speeds when browsing these web pages, affecting their operations on their computers. Secretly using a browser user's computer resources for mining to earn profits, known as Cryptojacking [18], has become an attack type that consumes the user's computation resources without the user's consent. As shown in Figure 2, the CPU usage is very high when browsing web pages with embedded mining scripts. ...
Article
Coinhive released its browser-based cryptocurrency mining code in September 2017, and vicious web page writers, called vicious miners hereafter, began to embed mining JavaScript code into their web pages, called mining pages hereafter. As a result, browser users surfing these web pages will unwittingly mine cryptocurrencies for the benefit of the vicious miners using the CPU resources of their devices. The above activity, called Cryptojacking, has become one of the most common threats to web browser users. As mining pages influence the execution efficiency of regular programs and increase the electricity bills of victims, security specialists have started to provide methods to block mining pages. Nowadays, using a blocklist to filter out mining scripts is the most common solution to this problem. However, when the number of new mining pages increases quickly, and vicious miners apply obfuscation and encryption to bypass detection, the detection accuracy of blacklist-based or feature-based solutions decreases significantly. This paper proposes a solution, called MinerGuard, to detect mining pages. MinerGuard was designed based on the observation that mining JavaScript code consumes a lot of CPU resources because it needs to execute plenty of computation. MinerGuard does not need to update data used for detection frequently. On the contrary, blacklist-based or feature-based solutions must update their blocklists frequently. Experimental results show that MinerGuard is more accurate than blacklist-based or feature-based solutions in mining page detection. MinerGuard's detection rate for mining pages is 96%, but MinerBlock, a blacklist-based solution, is 42.85%. Moreover, MinerGuard can detect 0-day mining pages and scripts, but the blacklist-based and feature-based solutions cannot.
... Due to the adoption and prosperity of cryptocurrencies, unsolicited cryptomining (cryptojacking) emerges to become an increasing cyber threat. Eskandari et al. [15] and Hong et al. [18] take the first steps to profile in-browser cryptojacking. Naseem et al. [28] step forward to propose a real-time detection system targeting cryptojacking. ...
Preprint
We carry out the first in-depth characterization of residential proxies (RESIPs) in China, for which little is studied in previous works. Our study is made possible through a semantic-based classifier to automatically capture RESIP services. In addition to the classifier, new techniques have also been identified to capture RESIPs without interacting with and relaying traffic through RESIP services, which can significantly lower the cost and thus allow a continuous monitoring of RESIPs. Our RESIP service classifier has achieved a good performance with a recall of 99.7% and a precision of 97.6% in 10-fold cross validation. Applying the classifier has identified 399 RESIP services, a much larger set compared to 38 RESIP services collected in all previous works. Our effort of RESIP capturing led to a collection of 9,077,278 RESIP IPs (51.36% are located in China), 96.70% of which are not covered in publicly available RESIP datasets. An extensive measurement on RESIPs and their services has uncovered a set of interesting findings as well as several security implications. Especially, 80.05% of RESIP IPs located in China have sourced at least one malicious traffic flow during 2021, resulting in 52 million malicious traffic flows in total. RESIPs have also been observed in corporate networks of 559 sensitive organizations including government agencies, education institutions and enterprises. Also, 3,232,698 China RESIP IPs have opened at least one TCP/UDP port for accepting relaying requests, which incurs non-negligible security risks to the local network of RESIPs. Besides, 91% of China RESIP IPs have a lifetime of less than 10 days, while most China RESIP services show a crest-trough pattern in terms of the daily active RESIPs across time.
... With the rapid development of blockchain technology [26] and the continuous growth of digital cryptocurrency value, the abuse of users' computers for cryptocurrency mining by attackers has become increasingly severe [9]. According to the report of Tencent Security [33] on cryptojacking, a large number of attackers first exploit software vulnerabilities or weak login passwords to invade the computing system. ...
Article
With the increasing value of digital cryptocurrency in recent years, the digital cryptocurrency mining industry is becoming prosperous. However, this industry has also gained attention from adversaries who exploit users’ computers to mine cryptocurrency covertly. To detect cryptojacking attacks, many static and dynamic methods are proposed. However, the existing solutions still have some limitations in terms of effectiveness, performance, and transparency. To address these issues, we present CJSpector, a novel hardware-based approach for cryptojacking detection. This method first leverages the Intel Processor Trace mechanism to collect the run-time control flow information of a web browser. Next, CJSpector makes use of two optimization approaches based on the library functionality and information gain to preprocess the control flow information. Finally, it leverages Recurrent Neural Network (RNN) for cryptojacking detection. The evaluation shows that our method can detect in-browser covert cryptocurrency mining effectively and transparently with a small performance cost.
... In [14], they analyze in-browser mining trends based on Monero cryptocurrency. In this case, the user visiting a website pushes JavaScript code that executes stealthily in the browser to mine cryptocurrency. ...
Article
Electric vehicles (EVs) are becoming popular due to their efficiency, eco-friendliness, and the increasing cost of fossil fuel. EVs support a variety of apps because they house powerful processors and allow for increased connectivity. This makes them an attractive target of stealthy cryptomining malware. Recent incidents demonstrate that both the EV and its communication model are vulnerable to cryptojacking attacks. The goal of this research is to explore the extent to which cryptojacking impacts EVs in terms of recharging and cost. We assert that while cryptojacking provides a financial advantage to attackers, it can severely degrade efficiency and cause battery loss. In this paper we present a simulation model for connected EVs, the cryptomining software, and the road infrastructure. A novel framework is proposed that incorporates these models and allows an objective quantification of the extent of this economic damage and the advantage to the attacker. Our results indicate that batteries of infected cars drain more quickly than those of normal cars, forcing them to return more frequently to the charging station for a recharge. When just 10% of EVs are infected we observed 70.6% more refueling requests. Moreover, if the hacker infects a charging station then he can make a USD 436.4 profit per day from just 32 infected EVs. Overall, our results demonstrate that cryptojackers injected into EVs indirectly provide a financial advantage to the charging stations at the cost of an increased energy strain on society.
... The profit of cryptojacking is attractive because it is not a one-off profit, but a long-term income for the attackers [21]. In addition, its cost is relatively low, which makes it difficult for criminals to desist. ...
Article
Cryptojacking is a type of resource embezzlement attack, wherein an attacker secretly executes a cryptocurrency mining program on the target host to gain profits. It has been common since 2017, and in fact, it once became the greatest threat to network security. To better demonstrate the attack capability and the harm caused by cryptojacking, this paper proposes a new covert browser-based mining attack model named Delay-CJ; this model was deployed in a simulation environment for evaluation. Based on the general framework of cryptojacking, Delay-CJ adds hybrid evasion detection techniques and applies the delayed execution strategy specifically for video websites in the prototype implementation. The results show that the existing detection methods used for testing may become invalid as a result of this model. In view of this situation, to achieve a more general and robust detection scheme, we built a cryptojacking detection system named CJDetector, which is based on cryptojacking process features. Specifically, it identifies malicious mining by monitoring CPU usage and analyzing the function call information. This system not only effectively detects the attack in our example but also has universal applicability. The recognition accuracy of CJDetector reaches 99.33%. Finally, we tested the web pages in Alexa 50K websites to investigate cryptojacking activity in the real network. We found that although cryptojacking is indeed on the decline, it remains a part of network security threats that cannot be ignored.
... Due to the lack of basic security protocols and measures, IoT devices have become easy targets for exploitations and recruitment within coordinated IoT botnets [9], causing significant damage to the Internet and its related infrastructure. Such IoT botnets could perform malicious activities such as malware attacks, social engineering attacks, Distributed Denial of Service (DDoS) attacks, illicit scraping, and cryptojacking attacks [10,11,16,22,27]. ...
Conference Paper
The explosive growth of the Internet-of-Things (IoT) paradigm has brought the rise of malicious activity targeting the Internet. Indeed, the lack of basic security protocols and measures in IoT devices is allowing attackers to use exploited Internet-scale IoT devices to organize malicious botnets, and cause significant damage to the Internet through Denial of Service (DoS) attacks, illicit scraping, and cryptojacking attacks. Such IoT botnets can be Internet-facing, or can also be deployed behind Network Address Translation (NAT) gateways that provide anonymity to the exploited bots. In this paper, we aim at detecting compromised IoT bots behind NAT gateways which could possibly generate malicious activities towards the Internet by leveraging large-scale macroscopic one-way darknet data. To the best of our knowledge, we are among the first to explore the capabilities of attentive interpretable tabular transformers to capture the nature of such nodes operating on one-way network traffic. Our results, which employed 2.6GB of darknet data, show that our approach was able to classify malware-infected NATed IoT bots with an accuracy of 93%, outperforming the state-of-the-art machine learning (ML) approaches. Additionally, we were able to infer around 4 million Internet-scale Mirai-infected NATed IoT bots and 16,871 unique NATed IP addresses. Results from this work put forward interesting future work in the area of network traffic analysis of NATed IoT bots for better Internet security, while highlighting the need for addressing the notions of attention and interpretability.
... It is important to keep in mind that most research in intelligent malware defense also targets specific platforms, and this has a great effect on the used input features. Recent ransomware [4] and cryptojacking malware [5] are well-known for attacking desktops. A major strain in research therefore targets desktop malware, most frequently Windows-based malware. ...
Chapter
With the rapidly evolving threat landscape surrounding malware, intelligent defenses based on machine learning are paramount. In this chapter, we review the literature proposed in the past decade and identify the state-of-the-art in various related research directions—malware detection, malware analysis, adversarial malware, and malware author attribution. We discuss challenges that emerge when machine learning is applied to malware. We also identify the key issues that need to be addressed by the research community in order to further deepen and systematize research in the malware domain.