WTF is Cryptojacking and Why Bank CISOs Should Care

Cryptocurrency Comes With a Whole New Headache for Banks

Cryptocurrency has risen from financial outlier to disruptor with trillions of dollars at stake. Speculation about its legitimacy and educated guesses on its longevity abound. At first, it sounded like a passing fad. But now, even banks are beginning to embrace it, despite its volatility. And it's not just its volatile nature you should worry about these days. One of the biggest headaches — a crypto virus CISOs should keep a keen eye on — is cryptojacking.

What is Cryptojacking?

Cryptojacking is the unauthorized use of other people's devices and resources to mine for cryptocurrency. Motivated to save money and make a profit (we know — hot take), cybercriminals steal resources like electricity and high-powered computing hardware from unsuspecting victims by secretly hijacking their devices.

Imagine there’s a thief who steals an electric car each night when the owner is fast asleep — and then makes a healthy profit ridesharing before plugging the car back into its supercharger without the owner ever knowing.

You get the picture: Cryptojacking isn't designed to damage the software or device in any way; just use its resources. And, because the only evidence that shows up in a cryptojacked device is a slight decrease in performance, the stealthy malware is difficult to detect.

How Does Cryptojacking Work?

Cryptojacking is far too easy to carry out in today's cyber minefield — embedding a malicious link in an email or creating an online ad that loads on a victim's browser will usually do the trick. All wannabe cryptojackers need to do is access a device — or in some cases, many devices — capable of performing the work. Then, the cryptojacker can use the device(s) to mine blocks for the currency's blockchain and reap the rewards for themselves.

Back Up — What Is Cryptocurrency, Exactly?

You've probably already heard of the most famous cryptocurrencies: Bitcoin, Monero, Ethereum. However, the crypto market has grown exponentially since 2009, when it first hit the digital ether. There are now over 9,000 currencies to date. Banks are rushing to meet customer demand for digital shelving space to hold their crypto — but there's still miles of legal tape to dispense before banks can plunge in a la Scrooge McDuck.

Whatever gimmicky name has been slapped on it, all cryptocurrencies are virtual currencies secured by cryptography. In theory, this method of securing crypto makes these currencies impossible to counterfeit or double-spend. Think of it as a serial number system like the ones on dollar bills; only these markers have been etched into the currencies' codes.

One glaring issue with cryptocurrencies — or huge benefit, depending on who you're talking to — is that a central authority does not generally issue them. In other words, they aren't managed by any official government, nor are they afforded the kind of tracking and other protections placed on federal currencies.

Instead, these currencies rely on blockchains, which are updated every time a transaction is made. These transactions are processed and validated by "miners," who essentially verify "blocks" in the crypto ledger. Miners are often rewarded in cryptocurrency for their work.

What Does This Mean for Bank CISOs?

Some banks have opted to accommodate cryptocurrency to remain relevant and competitive in this new financial cyberscape. However necessary, this accommodation comes with significant privacy risks.

Cybercriminals are known to hijack anything that helps reduce mining costs on their end — even enterprise-level cloud-based applications. If a bank uses a cloud-based service (which is difficult not to do these days), it's susceptible to hijacking.

That bank's customers would then be at risk for infection of malware. In one fell swoop, a hacker could access thousands of customers' devices in a single day by infecting the bank's login page with cryptojacking code.

What Can Bank CISOs Do to Guard Against Cryptojacking?

Watch for telltale signs of cryptojacking malware in your network and devices, preferably using an automated alert system where applicable, and plan ahead for dealing with cryptojackers.

Know the warning signs. Watch for decreases in device performance, overheating, or increases in CPU and GPU usage.
Leverage tools to help you keep an eye on things. Use automated alerts to catch any unwanted code pushed to internal and external websites — and stay updated on the latest cryptojacking trends.
Take preventative measures.

Train and educate your staff on cybersecurity best practices, use anti-cryptomining extensions and ad blockers on your browsers, and disable JavaScript.

The digital threatscape’s reach is endless, forcing organizations to change and adapt constantly. New commodities like cryptocurrency, with roots in a decentralized economy, have quickly become a hacker’s cyberdream. Cybercriminals will exploit any weakness they find and use it for their own gain — and crypto is full of loopholes and opportunities. When it comes to cybercrime and digital self-defense, prevention and detection are critical to protecting your resources.