Cryptojacking script

Author: Admin | 2025-04-28

Cryptojacking Analysis Notebook

Cryptojacking is defined as the unauthorized use of a user's computer or mobile device to mine cryptocurrency.

More and more websites are using browser-based cryptojacking scripts as cryptocurrencies rise in popularity. It is an easy way to make revenue and a viable alternative to bloating a website with advertising.

The most popular (original) script is a JavaScript-based Monero miner that comes from CoinHive. American TV network Showtime's sites, PirateBay, Politifact, Cristiano Ronaldo's personal website and the Ultimate Fighting Championship's pay-per-view site are among the more notable websites that have experimented with CoinHive mining scripts [1]. In 2017, cryptojacking scripts were found on 2496 e-commerce stores; some plainly visible, and others stealthily hidden in an iframe [2].

Adguard reported in November 2017 that in-browser cryptojacking had a growth rate of 31%; other research from November 2017 found 33,000 websites running crypto mining scripts, with a billion combined monthly visitors [3]. Site owners may not even know that their site is infected, as a hacker may inject the script without the site owner's knowledge.

Many are touting adoption of cryptojacking as a positive thing, because users may tolerate giving up some CPU processing resources and enduring slower computer performance to avoid being bombarded with ads [4]. Although cryptojacking is a rising security threat, it is not considered illegal as no damage is done to victims' computers or data, no code is stored on the victims' computers, and scripts stop executing when the user closes the browser tab running the script [1].

CoinHive is attempting to legitimize cryptojacking by offering a version of the script called AuthedMine, which only runs if users give explicit permission (in order to avoid facing regular ads) [1]. Malwarebytes researchers have found that AuthedMine is barely used, though CoinHive has disputed this, saying that ~35% of their clients use AuthedMine. Most script blockers also include AuthedMine in their blocklists [5].

There are ways to prevent cryptojacking:

- Use anti-mining browser extensions
- Use script blockers - Mozilla has one called NoScript.

Read [1] and [3] for more details.

The purpose of this notebook is to investigate the prevalence of cryptojacking by analysing script calls obtained from a web crawl of Alexa's top 10K sites in November 2017.

Detection algorithm: for each script call, check whether any of the cryptojacking hosts pattern-matches the script name in the script tag.

The list of potential cryptojacking hosts (212 sites total) was obtained from the adblock-nocoin-list GitHub repo.

Aspects of analysis:

- How many script calls were detected with cryptojacking?
- How many unique domains used cryptojacking scripts?
- Which domains were the "worst" in terms of number of scripts used?
- How many of the 212 cryptojacking hosts were used?
- Which cryptojacking scripts were used the most?

The findings will potentially inspire future research and analysis on cryptojacking usage, and influence blocking lists implemented by browsers such as Mozilla Firefox.

Sources:

[1] https://www.makeuseof.com/tag/what-is-cryptojacking/
[2] https://gwillem.gitlab.io/2017/11/07/cryptojacking-found-on-2496-stores/
[3] https://www.csoonline.com/article/3253572/internet/what-is-cryptojacking-how-to-prevent-detect-and-recover-from-it.html
[4] https://www.wired.com/story/cryptojacking-cryptocurrency-mining-browser/
[5] https://www.theregister.co.uk/2018/02/27/ethical_coinhive/

Results: Summary

Less than 0.02% of script calls are detected with cryptojacking.

However, it is important to note that cryptojacking code can be executed in other ways than by including the host .js script in a script tag.
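The detection algorithm and the analysis questions above can be sketched as follows. This is an added example, not the notebook's own code: the three-host blocklist and the crawl records are constructed, and the names matched_host and summarize are hypothetical. It matches on the parsed hostname rather than on a substring of the URL, so a query string or a lookalike domain containing a listed host is not counted.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample blocklist; the notebook used 212 hosts from adblock-nocoin-list.
MINING_HOSTS = {"coinhive.com", "authedmine.com", "miner.example"}

# Constructed crawl records: (crawled site, src URL of a script tag on that site).
SCRIPT_CALLS = [
    ("shop.example", "https://coinhive.com/lib/coinhive.min.js"),
    ("shop.example", "https://ws1.miner.example/m.js"),           # subdomain of a listed host
    ("news.example", "//authedmine.com/lib/authedmine.min.js"),   # scheme-relative src
    ("blog.example", "https://cdn.example/js/app.js?ref=coinhive.com"),  # host only in query
    ("blog.example", "https://notcoinhive.com/a.js"),             # lookalike, not listed
    ("video.example", "https://COINHIVE.com/lib/coinhive.min.js"),  # mixed-case host
]

def matched_host(script_url, hosts=MINING_HOSTS):
    """Return the blocklisted host that serves script_url, or None."""
    # urlsplit lowercases the hostname and handles scheme-relative URLs.
    hostname = (urlsplit(script_url).hostname or "").rstrip(".")
    labels = hostname.split(".")
    # Try each label suffix: a.b.miner.example -> b.miner.example -> miner.example
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in hosts:
            return candidate
    return None

def summarize(calls, hosts=MINING_HOSTS):
    """Answer the notebook's questions for a list of (site, script_url) records."""
    hits = [(site, h) for site, url in calls if (h := matched_host(url, hosts))]
    per_site = Counter(site for site, _ in hits)
    per_host = Counter(h for _, h in hits)
    return {
        "detected_calls": len(hits),
        "share_of_calls": len(hits) / len(calls) if calls else 0.0,
        "unique_domains": len(per_site),
        "worst_domains": per_site.most_common(3),
        "hosts_used": len(per_host),
        "top_hosts": per_host.most_common(3),
    }

if __name__ == "__main__":
    for key, value in summarize(SCRIPT_CALLS).items():
        print(f"{key}: {value}")
```

As the summary notes, a check on script tag sources misses miners loaded by other means, such as inline code, so these counts are a lower bound.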
