The alarming rate of crypto-jacking attacks ravaging the internet has been a cause of worry as the trend keeps gaining momentum. Two months ago, over 170,000 computers were surreptitiously used in manufacturing malware scripts in Brazil, with another report indicating a similar trend in Moldova where 25,000 MikroTik routers were used in running CoinHive scripts. Trustwave researcher, Troy Mursch has attempted to draw a parallel between these two attacks but it is unknown whether they were actually connected. The latest attack was witnessed in India, where almost 30,000 MikroTik routers have been infected with CoinHive according to report released via Banbreach’s twitter handle.
India has become a vulnerable target with the number of compromised computers doubling since the past month. The rate of crypto-jacking infection in India’s top three cities has stupendously grown by 500%, the report explained. Routers which have already been used in mining Monero on every page passing through networks are negligently distributed by unsuspecting internet service providers, and this makes the problem more complicated.
“I found (CoinHive) in the router provided by my ISP a couple of days ago” a security enthusiast from Mumbai tweeted. “Probably all the routers used by them are infected and outdated.”
Earlier last month, research from Indian based cyber-security analyst Indrajeet Bhuyan reportedly pointed at widely trusted government websites as the primary targets of crypto attacks in India.
“Hacker target government website for mining cryptocurrency because those websites get high traffic and most people trust them. Earlier, we saw a lot of government website getting defaced (hacked). Now, injecting crypto jackers is fashionable as the hacker can make money.”
CoinHive: The Crypto-jackers’ Favorite Tool
The modified version of CoinHive mining protocol has been the main malware used by hackers. As a natural piece of code, it enables browsers to mine crypto particularly the anonymity focused altcoin Monero.
CoinHive has often been put into practical use by charities that see it as a tool for raising funds indirectly. On the other hand, the internet demons are exploiting it as a tool for illegal tapping the computer power of oblivious users to mine cryptocurrency for their own self-gain. It becomes more worrisome knowing well that this negative trend is now being consolidated as hackers intensify effort to share the latest versions of their modified malware in the quest to spread within the shortest possible time.
According to data collated and shared by McAfee Labs, over two and a half million different versions of crypto jacking malware mostly related to CoinHive have been issued in the past three months.
The Success of Crypto-jacking in non-metro Areas
Poised to understand the concentration of internet traffic much better, malware tracing groups among which are Banbreach and Bad Packets Reports have employed the use of powerful search engines to map and detect internet traffic. The tools work by tracking IPs from routers to determine their location. The mapping of the internet traffic is made possible as some of the publicly available data often relates to the source location.
Unlike typical services like Google which is only capable of displaying the website, the tool used helps to divide the attacks into three defined tiers. In breaking down the traffic density, there is the area with the densest traffic, metropolitan areas, and the increasingly remote areas.
While analyzing the result, Banbreach noted the low cyber security awareness in the non-metro areas of India. The potential capacity of all machines used in running CoinHive scripts can generate more than $259,000 worth of Monero every month. Suffice it to say that not all of it is generated from crypto-jacking, but the figures attest to the lucrativeness of the exploitative means which hackers are used to. MikroTik routers are the most exploited routers out there, and this could be due to its perceived vulnerabilities. It is advisable for consumers using this brand to refer to the manufacturer for an official patch or contact their official internet service provider.