Slow Computer? You Could Be Cryptojacked

Here's how to detect and prevent cryptomining malware.

Leah Zitter
Read +
Follow Us

If you’re one of the millions of people whose smartphone, tablet, or PC has been hacked by the latest malware this past year, you’re in good company. The websites of the San Diego zoo, the government of Chihuahua, Mexico, as well as official websites for the governments of Moldova and Bangladesh have also been hacked.

What does it mean to be cryptojacked, and why is your computer so slow? Here’s how you can detect whether your device has really been cryptojacked, prevent hackers from infecting your computer, or reverse the bug.

What is Cryptojacking?

Cyber hackers download a CoinHiveplug-in (or variation) to seed JavaScript codes on their homepages. Computers that browse these sites are infected with this code, and their CPUs hijacked to harvest coins that trickle back to the hackers. Cryptojacking, or stealth mining, is more pernicious than previous types of hacking in that you're unaware of it happening. With phishing or suspicious downloads, you know what you're doing and are given the choice.

Stealth mining, on the other hand, creeps into your browser and is the biggest malware trend in 2018 according to both Rick Holland of UK cyber security firm Digital Shadows and security researchers Malwarebytes. In 2017, AdGuard cited data from CoinHive Stratum Proxy that showed CoinHive was downloaded about 2,500 times a day. That’s huge! In contrast, jQuery (one of the most popular libraries used for more than 70% of the sites on the web) has only around 100,000 downloads per day.

That same year, security researcher Troy Mursch, of the blog Bad Packets Report, detected 30,000 websites with CoinHive’s software running in the background, slowing down computers and using huge amounts of electricity. June 2018, Mursch announced he’d found more than 100,000 websites vulnerable to this malware.

Even CoinHive reluctantly admitted its plug-in had evolved into a malicious force. "We cannot deny the opinion of a user that 'we invented a whole new breed of malware'," CoinHive told the Suddeutsche Zeitung newspaper. "We are not proud of it."

Smart hackers have recently started hacking your mobiles, tablets, and smartphones, too. In fact, this kind of hacking "can be on anything from mobile devices to IoT to laptops and desktops and servers. It can be either intentional or unintentional. It is extremely, extremely broad," explains Alex Vaystikh, CTO at SecBI Ltd. 

Somehow, the hackers are ahead of the game. Variants of CoinHive appear in Google Play Store apps, and hackers have programmed the plugin to keep running even after a user closes the offending tab. Hackers also don’t need special technical skills to cryptojack. Cryptojacking kits can be downloaded from the dark web for as little as $30.  

So, what can you do to stop it?

How Do I Know My Device Has Been Hacked?

Aside from the fact that your computer's going exceedingly slow and your electricity bill is scraping the roof, there are certain other clues:

  • Internet commands taking a while to leave — With normal internet traffic, the initial request is short and the response takes longer. In contrast, cryptomining outgoing commands (which in crypto would be the hash) take a while, while the incoming is short. “In Bitcoin mining, I actually upload a little bit more than I download," notes Alex Vaystikh, CTO of SecBI Ltd. "That is something we look for."
  • Suspicious activity: Personal computers will have an easier time detecting this than company computers that deal with thousands of messages a day. Justin Fier is the company director of cyber intelligence and analysis atDarktrace, security vendor that analyzes network traffic to spot potential crypto mining activity. He advises: "If your computer is used to doing XYZ and all of a sudden it starts doing something we've never seen before, it's easy to spot. When it starts happening on thousands of computers, it's even easier to spot."
  • Overheating systems: These could cause CPU or cooling fan failures, file changes on the web server, or changes to the pages themselves. If you want to see what’s really going on under the hood, check your CPU usage by opening yoru resource manager. If all your tabs are closed but CPU usage is still high, it's likely that a malicious miner may be sucking your processing power. Another clue is a sharp spike in your CPU processing when visiting a “regular” site.

How Do I Prevent Crypotjacking, or Respond to a Cryptojacking Attack?

  • Check Task Manager: It may or may not be a bitcoin miner. Task Manager helps you identity the script that is slowing your computer and kill the browser tab running the script. Consider deploying anti-crypto mining tools to help prevent future attacks.
  • Turn off JavaScript: Since cryptojacking comes from plugins that use Java script, that’s a guaranteed way to not only shelter your device from infections but also to stop the malware in its tracks.
  • Install browser extensions: Since cryptojacking scripts are often delivered through web ads, installing an ad blocker can be an effective means of stopping them. Munsch recommends minerBlock and NoCoin, which does a decent job at blocking CoinHive and its clones. If you’re a company also consider investing in WatchGuard firewall, which looks for malicious behavior like cryptocurrency miners.
  • Learn and adapt: Update your user, helpdesk and IT training so they are better able to identify crypto jacking attempts and respond accordingly. Also stay abreast of crypto jacking trends. Further, keep your web filtering tools up to date. Hackers are becoming savier. Beat them at their game!