How You Get Shot in the Back: A Systematical Study About Cryptojacking in the Real World

Title: How You Get Shot in the Back: A Systematical Study About Cryptojacking in the Real World
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Hong, Geng; Yang, Zhemin; Yang, Sen; Zhang, Lei; Nan, Yuhong; Zhang, Zhibo; Yang, Min; Zhang, Yuan; Qian, Zhiyun; Duan, Haixin
Conference Name: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
Date Published: January 2018
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-5693-0
Keywords: browser security, cryptocurrency mining, cryptojacking, Human Behavior, malicious javascript, Metrics, pubcrawl, resilience, Resiliency
Abstract

As a new mechanism to monetize web content, cryptocurrency mining is becoming increasingly popular. The idea is simple: a webpage delivers extra workload (JavaScript) that consumes computational resources on the client machine to solve cryptographic puzzles, typically without notifying users or having explicit user consent. This new mechanism, often heavily abused and thus considered a threat termed "cryptojacking", is estimated to affect over 10 million web users every month; however, only a few anecdotal reports exist so far and little is known about its severeness, infrastructure, and technical characteristics behind the scene. This is likely due to the lack of effective approaches to detect cryptojacking at a large-scale (e.g., VirusTotal). In this paper, we take a first step towards an in-depth study over cryptojacking. By leveraging a set of inherent characteristics of cryptojacking scripts, we build CMTracker, a behavior-based detector with two runtime profilers for automatically tracking Cryptocurrency Mining scripts and their related domains. Surprisingly, our approach successfully discovered 2,770 unique cryptojacking samples from 853,936 popular web pages, including 868 among top 100K in Alexa list. Leveraging these samples, we gain a more comprehensive picture of the cryptojacking attacks, including their impact, distribution mechanisms, obfuscation, and attempts to evade detection. For instance, a diverse set of organizations benefit from cryptojacking based on the unique wallet ids. In addition, to stay under the radar, they frequently update their attack domains (fastflux) on the order of days. Many attackers also apply evasion techniques, including limiting the CPU usage, obfuscating the code, etc.

URL: https://dl.acm.org/doi/10.1145/3243734.3243840
DOI: 10.1145/3243734.3243840
Citation Key: hong_how_2018