How can cryptojacking attacks in Chrome be stopped?

With cryptojacking attacks becoming more common, Google took aggressive action by banning all cryptomining extensions for Chrome. Why did Google take this action and how effective will this ban be for curbing cryptojacking?

Cryptomining is the validation of past cryptocurrency transactions, which are added to a public ledger -- known as blockchain -- and isn't inherently fraudulent or prohibited as an activity. In fact, cryptomining is how new cryptocurrency coins are generated and is how successful miners get paid.

However, mining is very resource-intensive and beyond the realm of the average user's desktop. One way to overcome this problem is to harness the computing power of thousands of devices; there are various cryptomining plug-ins and scripts that load along with a website and use any visitors' CPU cycles, allowing users to participate in a joint effort to mine various cryptocurrencies. Chrome Web Store policy has permitted cryptocurrency mining in extensions as long as it has been the single purpose of the extension and the user was adequately informed about the mining behavior.

Any user who installs a browser plug-in should be informed of -- and approve of -- any permissions the plug-in requires in order for it to work. However, Google has found that 90% of all the extensions with mining scripts that developers have attempted to upload to the Chrome Web Store fail to comply with these policies, embedding hidden cryptocurrency mining scripts in extensions that appear to provide some useful functionality, but that run in the background without the user's knowledge or consent.

Chrome Web Store policy has permitted cryptocurrency mining in extensions as long as it has been the single purpose of the extension and the user was adequately informed about the mining behavior.

For example, hackers compromised a plug-in called Browsealoud -- typically used by blind or visually impaired people to access webpages -- to mine cryptocurrency. Cryptojacking attacks have also found their way onto a restricted supercomputer in Russia and into critical infrastructure systems and industrial controllers, potentially endangering vital services and systems.

While cryptojacking plug-ins have been either rejected or removed from the store, Google stopped accepting extensions that mine cryptocurrency in the Chrome Web Store in April, with existing extensions scheduled to be delisted in late June.

Google already updated its restricted financial products policy to restrict digital currency-related ads starting in June, but the problem that has prompted this decision is that mining scripts consume significant CPU resources and can severely impact system performance and power consumption. CPU overutilization can potentially slow down legitimate programs while overheating can result in heat damage or system failure.

Google's new policy will certainly keep the plug-ins developed by less skilled hackers from disrupting end users, but attackers are always looking for ways to conceal an extension's true purpose until it has been approved by the Chrome Web Store. Thankfully, other browsers, such as Opera 50 and antimalware tools, are also joining the drive to block unwanted cryptocurrency mining scripts, making it harder for cybercriminals to reach a critical mass of devices they can abuse.

Likewise, the craze for cryptojacking attacks may wear off as -- according to estimates provided by Coinhive -- even at-scale, in-browser cryptomining isn't profitable. For example, if one million visitors spent five minutes on a website, it would result in a total of $64 of the Monero cryptocurrency being mined. Also, the 5,000 U.K. government machines that were recently infected using Coinhive netted a paltry $24 in Monero.

Users who think their device may be mining without their permission should check to see if their browser is consuming unusually high amounts of CPU or GPU processing power. Users can also navigate to chrome://extensions/ to review all of their installed extensions.

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)