Cyren Security Blog

725% increase in cryptocurrency mining threatens more than just your CPU

by Tinna Thuridur Sigurdardottir

We've been tracking cryptocurrency mining activity here at the Cyren Security Lab and have confirmed a massive run-up in the number of web sites hosting "cryptomining" scripts globally. Based on the monitoring of a sample of 500,000 sites, we've found a 725% increase in the number of domains running cryptomining scripts on one or more pages -- knowingly or not -- in the four-month period from last September to January 2018.

Rate of Growth Accelerating

After a 3x jump in October, the number of new mining sites plateaued in November, but then nearly doubled in December and again in January. So half the total run-up since September was concentrated in the last two months, suggesting the rate of spread of cryptomining is accelerating -- a trend we will continue to monitor. The data tells us that, as of January, 1.4% of web sites in the monitoring sample were running mining scripts.

Given the meteoric rise in cryptocurrency values during the last few months, the jump in activity to produce cryptocurrencies is not surprising. Monero, the main currency used by cryptomining scripts, has increased by almost 250% in value during the same period, stoking interest. Monero bills itself as a “secure, private, and untraceable cryptocurrency,” employing a technology that makes it virtually impossible to track transactions to any individual or IP address -- which explains why it's currently the currency of choice for cryptomining. 

In any event, our findings do confirm everyone's assumptions and quantify the phenomenal spread of mining scripts, which we first wrote about last October (see "Malware Goes Currency Mining with Your CPU").

How Do Businesses Protect Themselves?

Cryptomining is in its infancy and is expected to continue to grow exponentially. Companies need to address and protect against the threat now, so it's important to have a secure web gateway in place that can detect miner scripts running in web pages and block miner malware. Cyren has developed specific functionality to help understand the magnitude of the problem and protect businesses from it, adding a dedicated cryptocurrency category to its URL classification system, which is used by both Cyren Web Security and Cyren Email Security. The category contains all websites, cloud applications and URLs known to serve cryptocurrency malware or run JavaScript that exploits a user’s computer or device by stealing CPU resources. Such a policy category allows companies to report on and block access to these sites by user, by group or across the complete organization.

Cyren blocks Coinhive miners as JS/CoinHive.A!Eldorado and JS/CoinHive.B!Eldorado.
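
As an added illustration (not Cyren's detection logic or code from the original post), the sketch below flags domains that serve a Coinhive-style miner on one or more crawled pages, the per-domain measure used in the figures above. The indicator patterns, the `SITE_KEY` value and the `.example` hosts are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed Coinhive-style indicators (illustrative, not Cyren's signatures).
SRC_RE = re.compile(r"coinhive(\.min)?\.js", re.I)
INLINE_RE = re.compile(r"\bCoinHive\.(Anonymous|User)\s*\(")

class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies only."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self.in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.srcs.append(dict(attrs).get("src") or "")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.inline.append(data)

def page_has_miner(html):
    """True if a script src or an inline script body matches an indicator."""
    p = ScriptCollector()
    p.feed(html)
    return (any(SRC_RE.search(s) for s in p.srcs)
            or any(INLINE_RE.search(b) for b in p.inline))

def mining_domains(pages):
    """Map each hostname to True if any of its crawled pages has a miner."""
    hits = defaultdict(bool)
    for url, html in pages:
        hits[urlparse(url).hostname] |= page_has_miner(html)
    return dict(hits)

# Constructed sample crawl; the .example hosts are hypothetical.
SAMPLE = [
    ("https://shop.example/", "<script src='/js/app.js'></script>"),
    ("https://shop.example/cart",
     "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
     "<script>new CoinHive.Anonymous('SITE_KEY').start();</script>"),
    # Prose that merely mentions the miner must not be flagged.
    ("https://news.example/a", "<p>Sites embed coinhive.min.js today</p>"),
]
```

Matching only inside `<script>` elements keeps articles that merely discuss the miner from being counted, and a single hit on any page is enough to count the whole domain.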

For a primer on the current state of cryptomining as it relates to IT security, register for Cyren's upcoming webinar "The Top 5 Downsides and Dangers of Cryptomining" on April 5th.
