Cryptojacking for good: Groundbreaking examples
Ideally, it means webmasters can embed such a script in their sites and thus siphon off the processing power of visiting PCs in the background to earn Monero (XMR), Electroneum or another form of cryptocurrency. This is a legit tactic as long as people are properly notified of it.
Just like any popular technology, this one got into the spotlight of cybercriminals and unscrupulous website owners. The dark facet of this process is typically referred to as cryptojacking. It designates the use of site visitors’ CPU or GPU without their knowledge and consent. The important missing link in this scenario is the authorization to harness one’s computing power for someone else’s benefit.
Notorious cryptojacking incidents
One of the most outrageous examples of cryptojacking on a large scale was the case when more than 4,000 websites were stealthily compromised in one hit to join a huge Monero mining pool. This campaign took root in February 2018 and hit quite a few US, UK and Australian government websites, including uscourts.gov, legislation.qld.gov.au, manchester.gov.uk, and nhsinform.scot. The springboard for deploying this attack was a trojanized copy of a browser widget called Texthelp that all of these sites were using.
In another defiant move as of late January 2018, cybercrooks were able to incorporate the Coinhive script into numerous ads displayed to users on YouTube. Given the high-profile service that was exploited, this wave ended up so massive that it caused a threefold increase in malicious web mining detections worldwide.
According to the recent findings of researchers from the University of Toronto, Egypt’s leading telecommunications company Telecom Egypt engaged in covert cryptojacking by leveraging deep packet inspection (DPI) middleboxes. This way, the malicious agents rerouted local users’ online traffic to sites with the Coinhive mining script on board. Later on, a similar scheme was unveiled in Turkey and Syria.
The ethical dilemma
Incidents like these have instigated a great deal of hype and discussion questioning the ethical facet of this issue. Is there an 'equals' sign between in-browser mining and cryptojacking, or is this just another misconception circulating in the crypto community? On the one hand, the former is a promising step toward an ad-free Internet. On the other, people need to have the prerogative of choice whether or not to allow mining scripts to run on their machines when they visit a web page.
What makes a difference here is the consent. Some people don’t mind allocating spare computing resources to make their favorite site more competitive, and they don’t even care about adware threats. Others simply hate it when their CPU is sweating, whatever the reason might be. Ultimately, in-browser mining is okay if the users can make an informed decision. Unfortunately, this isn’t always the case.
Benign use of in-browser mining
A few recent initiatives, though, may become a game changer as they have added noble hues to the whole cryptojacking frenzy. One is being undertaken by the United Nations’ UNICEF fund, which provides humanitarian help to children living in tough conditions. It has launched a project called TheHopepage that asks site visitors to donate in a very peculiar way. If a user clicks the "Start Donating" button, they knowingly opt into dedicating some of their computer’s processing power to mine Monero coins for UNICEF Australia. This idea has had some significant success, with more than 11,000 contributors willing to donate at the time of this writing.
While this mechanism seems like a godsend for charities, it can also play into Coinhive proprietors’ hands by adding some precious points to the karma of their service. There is still a fly in the ointment, though: Coinhive has set a 30 percent pool fee for UNICEF, so they take almost a third of all donations. Meanwhile, it remains to be seen whether the parties negotiate a smaller cut.
Another commendable project called Bail Bloc claims to be a "cryptocurrency scheme against bail." It was launched by The New Inquiry online magazine in collaboration with the Bronx Freedom Fund in November 2017. The mission of human rights activists behind this initiative is to raise funds for thousands of low-income defendants in the United States who cannot afford to pay bail and are therefore held in pretrial detention for months or even years.
Bail Bloc mines Monero and throttles its CPU usage to 10 percent by default. This means most users will find the extra load on their processor inconspicuous. With this setting enabled, the average user can generate about $2-3 worth of XMR per month. There is an option to manually toggle CPU impact and raise it to 25 percent or 50 percent.
A bail payment is refunded if a suspect shows up in court, so it can be reused to release someone else. This is a self-sustaining scheme to an extent, and if fueled by more donations it can have a tangible positive effect nationwide.
The initiative called Charity Mine is one more example of in-browser mining with a praiseworthy motivation at its core. It encourages people to donate to those in need by allowing a mining script to harness their unused processing power. This is doable by opening the miner tab in a browser, or via an extension available for Google Chrome. Importantly, you can create an account with Charity Mine and track how much Monero you have generated and where it goes.
The bottom line
Non-malicious use cases of cryptojacking aren’t restricted to charity alone. Websites can take advantage of it to monetize their traffic while displaying no obnoxious sponsored content to visitors. For instance, the news website Salon.com has adopted a model where users can choose to suppress ads and allow the service to use their spare computing power instead. An ad-free experience may be worth it, some people will argue. Some will say they would rather view advertisements, just to keep their PCs running smoothly. Either approach is understandable and has its pros and cons.
To recap, the cryptojacking landscape isn’t all black and white. The perception depends on the way in-browser mining is implemented and the goals that the site owners are trying to achieve.
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.