MineSweeper: An in-depth look into drive-by cryptocurrency mining and its defense

Radhesh Krishnan Konoth, Emanuele Vineti, Veelasha Moonsamy, Martina Lindorfer, Christopher Kruegel, Herbert Bos, Giovanni Vigna

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

A wave of alternative coins that can be effectively mined without specialized hardware and a surge in cryptocurrencies’ market value have led to the development of cryptocurrency mining (cryptomining) services, such as Coinhive, which can be easily integrated into websites to monetize the computational power of their visitors. While legitimate website operators are exploring these services as an alternative to advertisements, they have also drawn the attention of cybercriminals: drive-by mining (also known as cryptojacking) is a new web-based attack, in which an infected website secretly executes JavaScript code and/or a WebAssembly module in the user’s browser to mine cryptocurrencies without her consent. In this paper, we perform a comprehensive analysis on Alexa’s Top 1 Million websites to shed light on the prevalence and profitability of this attack. We study the websites affected by drive-by mining to understand the techniques being used to evade detection, and the latest web technologies being exploited to efficiently mine cryptocurrency. As a result of our study, which covers 28 Coinhive-like services that are widely being used by drive-by mining websites, we identified 20 active cryptomining campaigns. Motivated by our findings, we investigate possible countermeasures against this type of attack. We discuss how current blacklisting approaches and heuristics based on CPU usage are insufficient, and present MineSweeper, a novel detection technique that is based on the intrinsic characteristics of cryptomining code, and, thus, is resilient to obfuscation. Our approach could be integrated into browsers to warn users about silent cryptomining when visiting websites that do not ask for their consent.

Original language: English
Title of host publication: CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 1714-1730
Number of pages: 17
ISBN (Electronic): 9781450356930
Publication status: Published - 15 Oct 2018
Event: 25th ACM Conference on Computer and Communications Security, CCS 2018 - Toronto, Canada
Duration: 15 Oct 2018 → …

Conference

Conference: 25th ACM Conference on Computer and Communications Security, CCS 2018
Country/Territory: Canada
City: Toronto
Period: 15/10/18 → …

Funding

This research was supported by the MALPAY consortium, consisting of the Dutch national police, ING, ABN AMRO, Rabobank, Fox-IT, and TNO. This paper represents the position of the authors and not that of the aforementioned consortium partners. This project further received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 786669. Any dissemination of results must indicate that it reflects only the authors’ view and that the Agency is not responsible for any use that may be made of the information it contains. This material is also based upon research sponsored by DARPA under agreement number FA8750-15-2-0084, by the ONR under Award No. N00014-17-1-2897, by the NSF under Award No. CNS-1704253, SBA Research, and a Security, Privacy and Anti-Abuse award from Google. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, by our sponsors.

Funders (with funder number where given):
Dutch National Police
National Science Foundation
Office of Naval Research: N00014-17-1-2897
Defense Advanced Research Projects Agency: FA8750-15-2-0084
Horizon 2020 Framework Programme: 690972, 786669

Keywords

• Cryptocurrency
• Cryptojacking
• Drive-by attacks
• Malware
• Mining