About a year ago webminers began to appear on more and more websites. It was popularized by CoinHive and a couple of high-profile scandals revolving around ThePirateBay and Showtime and, in the span of a year, it has evolved into the most common consequence a compromised site suffers- a webminer injection, or “cryptojacking”.
Last year when the trend began to rise in popularity we made a decision to block webminers in Trustwave Secure Web Gateway, and over the year we’ve seen malicious uses of webminers heavily outweigh legitimate uses. This blog post won’t go into why this happened, a talk given by Jérôme Segura at the VB2018 conference covered it well.
Instead, we will look at the data we’ve collected over the year (about 30,000 URLs between August 2017 and October 2018) from SWG machines around the world and see what these webminers have been up to.
Before we get into numbers and statistics, let’s point out a couple of less technical trends related to webminers:
- There are more of them now- What started at the time with just CoinHive has become an assortment of webminer offerings, many of them still waving the “replacement for advertising” banner while others are blatantly aimed at criminal use.
Then there are those who do a little bit of both. Here’s a quote from one such miner:
Note that the miner itself makes no effort to enforce any responsible web browser mining.
- Many miners are investing in evasion and obfuscation: In the beginning, it was simple to see a miner embedded within a page, both because the code was loaded from the miner’s domain, and also because its intentions were as clear as plain-text. These days many miners are loaded from rapidly-changing domains and are heavily obfuscated in order to evade security products. This is a behavioral trend we’ve seen with most malicious web content over the years.
With all of that in mind, let’s look at some numbers.
Web Miner Statistics
The first question we had was the distribution of geo-locations, which countries were most affected by webminers?
First, we looked at the geo-location of the affect servers:
Figure 1: Top countries hosting servers with web miners
We can see that the majority of sites were in the US, and the rest is a fairly even distribution around various European countries, with some outliers here and there.
Next, we looked at the geo-locations of the clients visiting these sites:
Figure 2: Top countries with clients accessing webminers
We can see a correlation between server and client locations, implying that unlike other web malicious activities, where we often see the victims browsing to domains in other countries that they likely never meant to visit, here we see victims visiting sites that they probably DID intend to visit, but most likely they did NOT intend to mine cryptocurrency on behalf of cybercriminals as part of their visit.
Next, we took a look at the different kinds of sites affected by miners:
We were not surprised to see that the "Business" category took a significant slice of the pie when it comes to running webminers. In most cases, these are small to medium-sized businesses where, unlike enterprises, there is no dedicated team of specialized web developers familiar with coding best practices, nor an IT team responsible for website maintenance. This means that these websites often run old versions of common technologies, such as Wordpress, Drupal, Joomla (and all of their plugins), making them easy to compromise with automated tools.
Finally, we took a look the different Webminers we encountered, and the glaringly obvious fact here is that CoinHive still very much rules this market:
Figure 4: CoinHive vs. the World (of Webminers)
Figure 5: Webminers of the World
It seems that CoinImp is the definite runner-up here, with CoinHave and CryptoLoot making their presence known, while the “Other” group here is an assortment of small miners, perhaps new players making their first steps in this world.
One thing can be said for sure- others are certainly trying to find their way into this lucrative new market.
Injected or Intentional, That is the Question
We mentioned at the beginning of this post that looking at a single infection it’s impossible to tell the difference between cryptojacking and “legitimate” web mining, so how did we gather these statistics?
Well, the beauty of statistics is that you don’t have to look at each single infection separately, we looked at our entire collection of webminers with regards to the key they used (i.e. who they are mining the cryptocurrency for) and made the following assumption: If the same key is used in two or more completely unrelated sites, it is most likely an injection. With this assumption in place we were able to identify 68% of the domains we saw using Webminers as definitely injections, for the other 32%- we, unfortunately, don’t know, it could be an injection where we only saw one instance of the same key, an attack spanning over a multitude of keys, or a webminer legitimately put there by the administrator. Either way, use of Webminers is clearly leaning on the side of malicious use.
Within the repeated keys you can also see different campaigns, with some being distinctly more successful than others:
The first key in the graph which repeats 2500~ times is part of campaigns called “Forskolin Spam”, given how dominant it is here, let’s talk about it a little more.
The Forskolin Spam Campaign
The way this campaign played out is that the victim received a link (via email, for example) – this link redirects the victim to the promotion website (the domain name changes dynamically).
We can see in the code that there is a call to a function “whatsoeere”(obfuscated function that performs the redirect) after 1243 milliseconds, this means that the victim machine mines for the attacker (key "D62FA5VsAmwKQpYwUzgd8nnyGhhNPQfj") for 1243 milliseconds and then moves to the promotion website which is typically your average spam promotion that most users would think nothing of.
In conclusion, webmining has certainly become popular over the last year, presenting various degrees of risk to victims, from mere annoyance to actual disruption.
With classic web exploitation we used to always see high numbers in countries where security awareness is low, but since webmining doesn’t require the use of any exploits, it’s showing a strong presence in areas where awareness is considered high, namely North America and Europe.
One thing is for sure- Cybercriminals continue to show adaptation to the general world of technology, as well as diligence in finding the best solution for monetizing a given community.
Trustwave SWG customers are protected against Cryptojacking attacks.