Who’s mining their coin in your customer’s browser?
The increasing interest in cryptocurrencies as investment instruments has not gone unnoticed by cyber criminals. They have always been interested in the monetisation potential of cryptocurrencies beyond their use as a payment instrument in extortion schemes. Rapidly challenging ransomware as the most prolific type of malware, cryptocurrency miners are all over the news. Because they are in many ways similar to “traditional” types of malware, the methods of defence against them closely mirror those we are already used to.
With today’s complex, dynamic web sites, no site developer writes all the code of their service by themselves. Instead, the pages are built from dozens of components and libraries linked from all over the Internet. The benefits of linking the libraries – as opposed to copying – are many, including significant performance and bandwidth cost benefits when using a Content Delivery Network (CDN) to serve these components from the network edge.
The nasty aspect of this is that without the proper precautions in place, there is no easy way for the site owner to detect this type of problem. The offending script never touches the site owner’s servers; it goes from the CDN straight to the visitor’s browser. Protection therefore has to be enforced in the end user’s browser, a daunting task by initial reckoning.
Now for the good news: there are solutions, and they are part of the standard functionality of all modern web browsers. The downside is that they require some work beyond just installing protective software. The two readily available defences against this type of attack are called Subresource Integrity (SRI) and Content Security Policy (CSP).
SRI, the more complete solution, works on the basis of a pre-computed cryptographic hash for each linked resource, published in the page alongside the link. The browser hashes the resource actually served from the CDN and compares the result with the published value. If there is a mismatch, the browser refuses to execute the offending resource. While highly effective against most supply-chain type attacks, SRI assumes the resources to be immutable: every time a resource is updated to a new version, the hash has to be updated too.
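To make the SRI mechanism concrete, here is an added example (not code from the original post) that computes the `integrity` value for a constructed sample library at build time, emits the tag the site would ship, and models the browser-side comparison against what the CDN actually served. The library content, the CDN URL and the function names are all assumptions made for the illustration. The browser model goes slightly beyond the text: it honours the rule that when several hashes are listed, only those using the strongest recognised algorithm count, and that an attribute with no recognised algorithm is ignored rather than enforced.

```python
import base64
import hashlib

# Constructed sample: a tiny "library" standing in for a CDN-hosted script,
# and a tampered copy with an extra line appended after the hash was taken
# (the appended content itself is harmless).
LIBRARY_JS = b"function greet(name) { return 'hello ' + name; }\n"
TAMPERED_JS = LIBRARY_JS + b"/* extra code appended after the hash was taken */\n"

# SRI recognises exactly these digest algorithms; a browser uses the strongest
# one present when an integrity attribute lists several values.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity value, e.g. 'sha384-<base64 digest>', for content."""
    if algo not in STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """The tag a site ships at build time: the link plus the pinned hash.
    crossorigin="anonymous" is required for SRI checks on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def browser_check(integrity_attr: str, served: bytes) -> bool:
    """Model of the browser-side check: hash what the CDN actually served and
    compare it with the pinned value(s). False means the browser refuses to
    execute the resource."""
    tokens = [t for t in integrity_attr.split() if t.partition("-")[0] in STRENGTH]
    if not tokens:
        # No recognised algorithm: browsers ignore the attribute and load the
        # resource unchecked, so a typo in the algorithm name is a silent gap.
        return True
    strongest = max(STRENGTH[t.partition("-")[0]] for t in tokens)
    for token in tokens:
        algo = token.partition("-")[0]
        if STRENGTH[algo] == strongest and sri_hash(served, algo) == token:
            return True
    return False


if __name__ == "__main__":
    pinned = sri_hash(LIBRARY_JS)
    # Assumed CDN URL, used only to show the shape of the tag.
    print(script_tag("https://cdn.example-cdn.net/libs/greet.js", LIBRARY_JS))
    print("genuine copy accepted:", browser_check(pinned, LIBRARY_JS))
    print("tampered copy accepted:", browser_check(pinned, TAMPERED_JS))
```

The `browser_check` result for the tampered copy is `False`: a single appended byte changes the digest, so the browser drops the resource even though it came from the legitimate CDN URL. The same function also shows why a misspelt algorithm name is worse than it looks: the attribute is silently ignored and no check happens at all.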
While completely manageable with automated deployment systems, this model does not retrofit easily to many existing websites. For these, CSP offers a more flexible and only marginally less secure option. Against this type of attack, CSP works by pre-defining all origins from which the page is allowed to load resources. If a compromised but otherwise legitimate library attempts to load an additional resource, such as a mining script, from an origin outside that list, this creates a mismatch and the browser again rejects the resource.
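The allow-list behaviour described above, as an added example that is not part of the original post: a constructed policy for an assumed site origin, the header it serialises to, and a simplified model of how the browser matches a script URL against `script-src` source expressions. It covers the `'self'` and `'none'` keywords, scheme-only sources, host sources with a `*.` wildcard, an optional port and a path prefix, and the rule that `default-src` is only a fallback when `script-src` is absent; it deliberately omits nonces, hashes, `'strict-dynamic'` and the http-to-https upgrade rule. All origins, URLs and function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed values: the site's own origin and a CSP that allows scripts only
# from the site itself and from one directory on the CDN it actually uses.
SITE_ORIGIN = "https://www.example.com"
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example-cdn.net/libs/"],
    "object-src": ["'none'"],
}


def csp_header(policy: dict) -> str:
    """Serialise the policy into the Content-Security-Policy header value."""
    return "; ".join(f"{directive} {' '.join(sources)}"
                     for directive, sources in policy.items())


def source_matches(expr: str, url: str, site_origin: str) -> bool:
    """Simplified CSP source-expression matching (keywords 'self'/'none',
    scheme-source, host-source with *. wildcard, optional port and path)."""
    u, site = urlsplit(url), urlsplit(site_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.hostname, u.port) == (site.scheme, site.hostname, site.port)
    if expr.endswith(":") and "/" not in expr:          # scheme-source, e.g. "https:"
        return u.scheme == expr[:-1]
    e = urlsplit(expr if "://" in expr else "//" + expr)
    # An explicit scheme must match; a bare host inherits the page's scheme.
    if u.scheme != (e.scheme or site.scheme):
        return False
    host, want = u.hostname or "", e.hostname or ""
    if want.startswith("*."):
        if not host.endswith(want[1:]):
            return False
    elif host != want:
        return False
    if e.port is not None and u.port != e.port:
        return False
    if e.path:
        # A path ending in "/" is a prefix; anything else must match exactly.
        return u.path.startswith(e.path) if e.path.endswith("/") else u.path == e.path
    return True


def script_allowed(policy: dict, url: str, site_origin: str = SITE_ORIGIN) -> bool:
    """Would the browser load a script from url? script-src applies; default-src
    is the fallback only when script-src is absent from the policy."""
    sources = policy.get("script-src", policy.get("default-src", []))
    return any(source_matches(s, url, site_origin) for s in sources)


def blocked_loads(policy: dict, urls, site_origin: str = SITE_ORIGIN) -> list:
    """Given the script URLs a page tried to load, return the ones CSP rejects."""
    return [url for url in urls if not script_allowed(policy, url, site_origin)]


if __name__ == "__main__":
    print("Content-Security-Policy:", csp_header(POLICY))
    attempted = [
        "https://www.example.com/js/app.js",
        "https://cdn.example-cdn.net/libs/greet.js",
        "https://unexpected.example.net/extra.js",   # constructed: not in the policy
    ]
    print("blocked:", blocked_loads(POLICY, attempted))
```

The third URL in `attempted` is the case the post describes: an allowed library pulling in something from an origin the site never listed. Because `script-src` names only the site itself and one CDN directory, the extra load fails the match and the browser drops it, and with `report-uri` or `report-to` configured the site owner also gets a violation report, which is the detection the post says is otherwise missing.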
CSP also protects against many other types of web-borne threats, so any site administrator should seriously consider adding it to their bag of tricks to protect the user experience.
Looking to secure your web applications? Download our practical guide to get insight about best practices.