Abstract

Crypto-mining attacks have emerged as a new generation of web-based attacks which have seen cybercriminals eschew the infamous crypto ransomware. The watering hole attack vector has by far been the most widely employed attack methodology, but it faces the task of luring the victim to the infected web resources. However, cryptojacking injection presents a paradigm shift to web-based crypto-mining attacks in that it eliminates the need for a pivotal third party such as the exploitable web server. Thus, instead of attacking credit card and other private information of e-commerce users, attackers seek to maliciously abuse a victim’s CPU to generate cryptocurrency. In this paper, we investigate and evaluate cryptojacking injection – a state-of-the-art web-centric attack vector in the crypto-mining attacks landscape. We formulate an attack model based on finite state machines which depicts the various breaches of confidentiality, integrity and availability in the web system as the attack progresses. We show how this new attack vector attacks some of the core components of e-commerce (URL, HTTP and HTML) to generate Monero cryptocurrency from benign web users. We evaluate our modeling approach with a series of experiments with two attack scenarios using different operating systems. Results show that the attack is indeed cross-platform and feasible on any operating system of a browser-capable device. We analyze the generated network traffic during the attack and draw features such as URLs and the parsed files, the associated cryptographic hashes, and the IP addresses of the crypto-mining domains. These, together with host-based features such as exhaustive CPU usage, can be used as indicators of compromise and subsequently act as a feed into intrusion detection systems.
