In-Browser Cryptojacking Is Getting Harder to Detect

LASER_oneXM

Feb 4, 2016
Cyber-criminals aren't stupid. If you find a way to block their code, they're going to find a way around your block.

That's how it's been for decades in the antivirus business, and this is exactly what's happening right now on the in-browser cryptocurrency mining (cryptojacking) scene.

After becoming the hottest malware trend at the end of last year, several solutions have now appeared that are capable of detecting and blocking cryptojacking scripts. Antivirus software, ad blockers, and dedicated browser extensions can now block browsers from loading JavaScript code from domains associated with cryptojacking services.

This, in turn, has led to diminishing returns for the people deploying these scripts, most of which are illegally added to hacked sites.

Proxy servers help crooks evade detection
The first evasion techniques were seen in November last year, but they are now becoming more popular among cryptojacking groups.

The most popular and widespread of these techniques is to deploy a "cryptojacking proxy server," such as the CoinHive Stratum Mining Proxy, available on GitHub.

In the long run, as these proxy systems become more popular, this will mean that many solutions (like ad blockers and dedicated browser extensions) that rely on domain blacklists will soon become outdated and inefficient at blocking in-browser mining. At that point, users will only be able to tell when a cryptojacking script is present in their browser based on a high CPU usage counter.
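Once a proxy hides the mining pool behind an arbitrary domain, a defender has to look at what the page does rather than where it connects. The following is an added example (not code from the article or from any of the products it mentions) of a domain-agnostic heuristic that combines the two signals the article leaves us with: sustained high CPU in a tab plus WebSocket frames shaped like Stratum JSON-RPC mining messages. The method and field names, the sample frames and the thresholds are assumptions constructed for illustration; real miners vary in their exact wire format.

```python
import json

# Method/type names and parameter keys commonly seen in Stratum-style
# JSON-RPC mining traffic. Assumption: browser miners talking to a proxy
# exchange messages of roughly this shape; exact names differ per miner.
STRATUM_METHODS = {"login", "job", "submit", "mining.subscribe",
                   "mining.authorize", "mining.notify", "mining.submit"}
STRATUM_KEYS = {"blob", "job_id", "target", "nonce", "result"}

# Constructed WebSocket text frames, as a proxied miner might send them to
# a domain that appears on no blacklist. Values are placeholders.
SAMPLE_FRAMES = [
    '{"type":"auth","params":{"site_key":"CONSTRUCTED_KEY","user":null}}',
    '{"type":"job","params":{"blob":"0707CONSTRUCTED","job_id":"c1","target":"b88d0600"}}',
    '{"type":"submit","params":{"job_id":"c1","nonce":"1a2b3c4d","result":"CONSTRUCTED"}}',
]
BENIGN_FRAME = '{"event":"chat","data":"hello"}'


def looks_like_stratum(frame: str) -> bool:
    """True if a WebSocket text frame resembles a Stratum JSON-RPC message,
    regardless of which host it was sent to."""
    try:
        obj = json.loads(frame)
    except ValueError:
        return False
    if not isinstance(obj, dict):
        return False
    method = obj.get("method") or obj.get("type")
    params = obj.get("params") or {}
    fields = set(params) if isinstance(params, dict) else set()
    # Either a known mining method name, or at least two mining-specific keys.
    return method in STRATUM_METHODS or len(fields & STRATUM_KEYS) >= 2


def is_likely_cryptojacking(cpu_samples, ws_frames,
                            cpu_threshold=80.0, min_hot_fraction=0.8) -> bool:
    """Flag a tab when CPU stays above cpu_threshold for most samples AND
    at least one of its WebSocket frames looks like Stratum traffic.
    Requiring both signals keeps a busy but honest page (e.g. video decoding)
    from being flagged on CPU alone."""
    if not cpu_samples:
        return False
    hot = sum(1 for c in cpu_samples if c >= cpu_threshold) / len(cpu_samples)
    mining_frames = sum(1 for f in ws_frames if looks_like_stratum(f))
    return hot >= min_hot_fraction and mining_frames > 0


if __name__ == "__main__":
    print(is_likely_cryptojacking([92, 95, 97, 99, 90], SAMPLE_FRAMES))  # True
    print(is_likely_cryptojacking([92, 95, 97, 99, 90], [BENIGN_FRAME]))  # False
```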