We have started to notice WordPress websites being injected with cryptocurrency miners as a malware attack. Is this the new preferred attack method?
We have now had several inquiries from people running WordPress websites whose customers have been reporting that the website has been running very slowly.
After investigating, we concluded that their website had been subjected to a malware attack and a cryptocurrency miner had been installed throughout the site.
The miner started to run in a user’s browser tab whenever an infected web page was loaded.
The more infected tabs that were open, the more resources the miner used from the user’s computer, ultimately slowing everything down.
What is a cryptocurrency?
You have probably heard of Bitcoin. It’s the digital currency that’s traded online without the need for banks to get involved. Bitcoin was the first cryptocurrency to be widely adopted but there are others such as Monero, Ethereum and Litecoin to name just a few.
Transactions are completed directly between users’ computers (peer-to-peer), cutting out third-party brokers such as banks. Individual “coins” or units of each currency are derived from something called a “blockchain”, an on-line digital ledger, through a process called mining.
What is a miner?
Cryptocurrency mining is a very processing-intensive record-keeping service for the blockchain.
Miners keep the blockchain consistent, complete, and unalterable by repeatedly verifying and collecting newly broadcast transactions into a new group of transactions called a block.
As a reward, the user whose computer resources are performing the mining receives a very, very small percentage of a currency unit that the blockchain is keeping a record of.
If you’re new to all this then there’s a lot of terminology to take in and it can all be a bit overwhelming at first!
If you are one individual mining for currency using your own desktop PC then you’re not going to get rich overnight.
The blockchain and mining technologies are built so that the more currency is mined, the more difficult it becomes to mine.
Any currency rewarded to the person owning the mining process is paid into a secure digital wallet.
It should be noted that blockchain transactions are transparent, but the identity of who owns those transactions, and hence who owns the currency, is not, so it is virtually impossible to know who owns the wallet.
To make a profit mining you need to control a lot of computers (think tens of thousands) and that leads us neatly to the next point.
Why attack WordPress sites?
WordPress runs over 28.9% of the websites on the internet whose content management system is known.
A large percentage of those sites are using out-of-date WordPress core versions which have known exploits, and that makes it a huge target for any would-be attackers.
Over the years we’ve seen WordPress sites being attacked to insert spam links, send out malicious emails and, more recently, install ransomware and extort the website user into purchasing a decryption key to unlock the encrypted website files.
This new cryptocurrency mining malware attack is just another tool in the hacker’s war chest.
How do attackers make their money from cryptocurrency mining malware?
As mentioned above, you need thousands of computers running mining software against a blockchain before you’re going to see any usable reward for the effort.
The miner runs when a user opens an affected website’s page in a tab on their browser, and the combined effort sends the rewards back to the owner of the embedded malware miner.
It differs from other cryptocurrencies such as Bitcoin by not giving any advantage to specialized computers running large GPUs which process more data.
Now imagine that you have a big website with tens of thousands of people visiting it each day. That’s going to increase your percentage of the reward at your visitors’ expense.
It should be easy to see that if attackers can infect thousands of vulnerable sites running older versions of WordPress, the numbers can add up to a reasonable profit for them without much effort on their part.
The research team at Check Point looked at the profit potential for an attacker embedding such Monero mining malware. Their conclusion was that if an attacker were to infect enough sites to average 1,000 concurrent users across all of them, it would generate $2,398 in monthly revenue.
That’s a lucrative profit so it’s not unreasonable to hypothesize that we’re going to see more of these types of attacks against WordPress sites in the future.
How to check if your site is affected and clear up?
There are two services that we would recommend using.
If you think your site has been infected with cryptocurrency mining malware just now then do a Sucuri scan right away.
For longer-term continual protection against not only cryptocurrency miners but heaps of other vulnerabilities, install the Wordfence firewall plugin. As of November 24th, 2017, their free version will scan for cryptocurrency miners, or you can install and upgrade to premium to prevent them getting access to your site today.
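A manual first pass that complements those scanners, as an added example (not from the original post, Sucuri or Wordfence): it lists every host that script tags in your WordPress files load from and flags the ones missing from your own allowlist. The allowlist entries, the `miner.example` host and the sample footer are constructed placeholders.

```python
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

# Hosts this site is expected to load scripts from (assumption: edit per site).
ALLOWED_HOSTS = {"www.example.com", "ajax.googleapis.com"}
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}

# <script ... src="..."> pointing at an absolute or protocol-relative URL.
SCRIPT_SRC = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*["']?((?:https?:)?//[^"'\s>]+)""",
    re.IGNORECASE,
)

def external_script_hosts(text):
    """Return the set of hostnames that <script src=...> tags in text load from."""
    hosts = set()
    for url in SCRIPT_SRC.findall(text):
        if url.startswith("//"):          # protocol-relative: add a scheme to parse
            url = "https:" + url
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def scan_tree(root, allowed=ALLOWED_HOSTS):
    """Map each file under root to the script hosts in it that are not allowed."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        unknown = external_script_hosts(text) - set(allowed)
        if unknown:
            findings[str(path)] = sorted(unknown)
    return findings

# Constructed sample: a theme footer with an injected third-party script tag.
SAMPLE_FOOTER = """<?php wp_footer(); ?>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
<script src="//miner.example/lib/worker.min.js"></script>
</body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:                 # e.g. python scan.py /var/www/html
        for name, hosts in scan_tree(sys.argv[1]).items():
            print(name, ", ".join(hosts))
    else:
        print(sorted(external_script_hosts(SAMPLE_FOOTER) - ALLOWED_HOSTS))
```

This only sees plain script tags in files on disk; obfuscated injections and scripts stored in the database still need the scanners named above.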
How to clear the infection?
If you subscribe to Sucuri they will clean up your infected site.
Wordfence (free edition) will detect the miner scripts and suggest fixes, but ultimately you will have to clean up the mess yourself from backups made prior to being infected.
If your site is infected and you don’t know what to do next we offer a full WordPress Security audit and cleaning service to put your mind at ease.
It can be hard to detect if a website you are visiting has a mining script on it other than waiting until your browser and computer grind to a halt for no known reason.
I recommend that you install a mining blocker add-on for your favorite browser:
Don’t get hacked in the first instance!
Keeping your WordPress website updated and secure is the best defense against this type of threat. Having to clean up an infected site is costly, time-consuming and damaging for your on-line brand.
Educate yourself on WordPress security by reading more of our security blog posts.