Drive-By Cryptomining: Another Way Cyber-Criminals Are Trying to Evade Detection

By the end of last year, we saw a drastic rise in drive-by cryptocurrency mining, and it is alarming to note that cyber-criminals are getting better by the day at avoiding detection. Drive-by cryptocurrency mining also lets cyber-criminals reach a much wider audience than they would typically achieve by delivering malware-based miners to machines.

However, drive-by mining has a shorter period of impact: mining is interrupted once a user leaves the malicious website or closes the malicious tab. While this could be a major constraint for cyber-criminals, they have addressed it by using pop-unders, a technique frequently used to launch fraudulent ads. Alarmingly, pop-under tabs with malicious code embedded in them are launched right under the taskbar, which prevents users from even discovering their presence. This means that mining continues unhindered until users shut down their systems. To make things worse, cyber-criminals have started masking their code to prevent detection.

Apart from using pop-unders to keep mining running, cyber-criminals have also been finding new ways to continue malicious mining for prolonged periods. One of the most pronounced examples is the use of compromised browser extensions to deliver code in every web session.

In September of last year, Coinhive was introduced to promote mining of the Monero currency in a web browser. The platform allowed for easy API integration, which contributed to its instant success, but cyber-criminals very soon used the service for malicious mining. The platform API was not safeguarded by any security solution, so it could be used to launch drive-by mining attacks very easily. Apart from JavaScript, there are additional ways to mine currencies within the browser. One example is a newer format called WebAssembly, which is increasingly used because WebAssembly modules can run faster, making them a better option than JavaScript.
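From the defender's side, the behaviours described above (the Coinhive script and API, WebAssembly loading, worker threads, and masked code) can be triaged in page source. The following Node.js code is an added example, not part of the original article or any Radware product; the indicator patterns, weights, threshold and sample pages are assumptions constructed for illustration.

```javascript
// Added example: static triage of page source for in-browser mining indicators.
// Patterns, weights and the threshold are illustrative assumptions.
const INDICATORS = [
  { name: 'coinhive-script', weight: 5, re: /coinhive(\.min)?\.js/i },
  { name: 'coinhive-api', weight: 5, re: /\bnew\s+CoinHive\.\w+\s*\(/ },
  { name: 'wasm-load', weight: 2, re: /\bWebAssembly\.(instantiate|instantiateStreaming|compile)\b/ },
  { name: 'worker-spawn', weight: 1, re: /\bnew\s+Worker\s*\(/ },
  { name: 'websocket', weight: 1, re: /\bnew\s+WebSocket\s*\(/ },
  { name: 'cpu-count', weight: 1, re: /\bnavigator\.hardwareConcurrency\b/ },
];

// Decode base64 string literals so lightly masked code is scanned as well.
function unmask(source) {
  const decoded = [];
  for (const m of source.matchAll(/["']([A-Za-z0-9+\/]{24,}={0,2})["']/g)) {
    decoded.push(Buffer.from(m[1], 'base64').toString('latin1'));
  }
  return decoded.join('\n');
}

// Score one HTML document or script body; returns { score, hits, verdict }.
function scanForMiner(source, threshold = 4) {
  const text = source + '\n' + unmask(source);
  const hits = INDICATORS.filter((i) => i.re.test(text));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  const verdict = score >= threshold ? 'suspicious' : 'clean';
  return { score, hits: hits.map((i) => i.name), verdict };
}

// Constructed sample pages (not captured from real sites).
const MASKED_BODY = Buffer.from('WebAssembly.instantiate(bytes);new WebSocket(u)').toString('base64');
const SAMPLES = {
  plain: '<script src="https://example.invalid/lib/coinhive.min.js"></script>' +
    '<script>new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER").start();</script>',
  masked: '<script>var n = navigator.hardwareConcurrency;' +
    'for (var i = 0; i < n; i++) new Worker("w.js");' +
    'eval(atob("' + MASKED_BODY + '"));</script>',
  benign: '<script>var w = new Worker("spellcheck.js");</script>',
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, scanForMiner(html));
}
```

A high score is a prompt for manual review, not proof of mining: legitimate applications also combine WebAssembly, workers and WebSockets.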

Stay tuned for Part 5 of our crypto-currency mining series, coming soon!

Fabio Palozza

Fabio is Technical Director EMEA-CALA, responsible for Systems Engineering in the theater. With long experience behind him, he began his career in software development for aerospace systems before moving into the IT vendor ecosystem with Bay Networks/Nortel and Juniper Networks, up to being Technical Director EMEA for the Telecom, Cloud and Content businesses. Fabio writes about technology strategy, trends and implementation.