Cyber criminals shut down parts of the Web in October 2016 by attacking the computers that serve as the internet’s switchboard. Their weapon of choice? Poorly secured Web cameras and other internet-connected gadgets that have collectively come to be known as the Internet of Things (IoT). The attack created a minor panic among people trying to visit Sony PlayStation Network, Twitter, GitHub and Spotify’s Web sites, but it had little long-term effect on internet use or the hijacked devices. Less than two years later, however, security experts are sounding the alarm over a new and possibly more nefarious type of IoT attack that “cryptojacks” smart devices, surreptitiously stealing their computing power to help cyber criminals make digital money.
Cryptocurrencies — so called because they use cryptography to secure transactions and mint new virtual coins — are generated when computers loaded with “cryptomining” software perform complex mathematical calculations. The calculations themselves serve no practical purpose, but the faster the computers complete them the more electronic money they make. Cryptojacking (a mashup of the words “cryptocurrency” and “hijacking”) occurs anytime someone uses another person’s internet-connected device without permission to “mine” Ethereum, Monero or some other virtual cash. (Bitcoins are a lot more valuable, but this well-known cryptocurrency is more likely to be created using warehouses of servers rather than someone’s stolen processing power.)
Cyber criminals steal that power by sneaking malicious software containing cryptomining code onto PCs, smartphones and other internet-connected devices that, once infected, divert some of their processors’ capacity into solving the aforementioned calculations. Another type of cryptojacking attack occurs when internet users are tricked into visiting Web sites containing code that grabs part of their device’s processing power for as long as they visit the site. To entice people to stay, those sites tend to offer free pornography or pirated content. Victims usually have no idea their device has been coopted — although they might wonder why their batteries drain so quickly.
“When mining for gold, the person who works hardest with their pickaxe makes the most money,” says Richard Enbody, an associate computer science and engineering professor at Michigan State University. “In cryptomining, the pickaxe is an algorithm. The more complex the calculations it performs, the more processing power and energy it uses and the more money it earns.”
The latest trend is for criminals to infect appliances and other internet-connected devices with unwanted cryptomining software, Sherri Davidoff, CEO of cyber security firm LMG Security, said during a recent IoT cryptojacking webinar. “Many of these devices are unmonitored and highly vulnerable to simple attacks that exploit weak passwords and unpatched vulnerabilities,” Davidoff said. Nearly every case LMG is currently investigating has turned up cryptomining software, in addition to whatever other malware criminals installed on their victims’ computers, she added.