Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation

Papadopoulos, Panagiotis; Ilia, Panagiotis; Polychronakis, Michalis; Markatos, Evangelos P.; Ioannidis, Sotiris; Vasiliadis, Giorgos

doi:10.14722/ndss.2019.23070

Cited by 16 publications

(18 citation statements)

References 16 publications

(25 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The intuition as to why these features should scale in future is that, even if some implementation details of Web mining scripts change, they still must use some underlying similar Web APIs whose behaviors are less likely to change [33]. Secondly, it is known that the PoW algorithms used by Web miners must be memory-bound to be profitable to mine on commodity devices [10], [14].…”

Section: Why Are These Features Future-proof?mentioning

confidence: 99%

“…Our goal is to evaluate CoinSpy over other players in the cryptomining landscape. Thus, we evaluate CoinSpy against cryptomining players identified by existing works [23], [37], [33]. These miners primarily use CryptoNight [10] and ETHash PoWs [44], but span many cryptocurrency blockchains (Monero, JSECoin, UPlexa).…”

Section: Extending Coinspy To Other Mining Familiesmentioning

confidence: 99%

“…To perform the evaluation, we inject the scripts from each of these miners into the pages from our benchmark data set for evaluation, hence we only evaluate with accuracy. Although researchers have identified 13 popular miners [23], [37], [33] that use CryptoNight, only the five in Table IV are active at the time of performing our experiments. In fact, CoinHive, the largest Web mining player of 2018 [21], [37] has shut down their service as of March 2019, showing the volatility of the environment.…”

Section: Extending Coinspy To Other Mining Familiesmentioning

confidence: 99%

“…The Web is fast becoming a popular platform for cryptocurrency mining [37], [33], a process called "drive-by-mining" or cryptojacking. Cryptojackers exploit resources at the client device when the client is browsing the Web.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Browser-Based Deep Behavioral Detection of Web Cryptomining with CoinSpy

Kelton¹,

Balasubramanian²,

Raghavendra³

et al. 2020

Proceedings 2020 Workshop on Measurements, Attacks, and Defenses for the Web

View full text Add to dashboard Cite

Although the cryptocurrency hype over the past year may be seen by some as a benign social fad, to the Web community it is the center point for a series of ethically dubious ransomware attacks. Browser based cryptomining, or cryptojacking has gained widespread attention. Cryptojacking consists of Web servers delivering cryptocurrency mining scripts to clients, and using the client resources to play part in a distributed coin mining scheme. Although Web server operators defend the ethics of their involvement by quoting mining as a substitute for advertisement revenue, these scripts can hog massive amounts of client-side resources and can be delivered without client consent, presenting a high potential for abuse. Regardless of how ethical these campaigns are, what remains constant is the need for their detection. While there has been an array of work in defending against such cryptojacking campaigns, these defenses remain quite preliminary. We present CoinSpy, an entirely in-browser tool built using deep learning techniques for the detection of cryptomining activity within Web pages. A key challenge is that there is limited visibility into the client resource usage from within the browser sandbox. CoinSpy extracts several signals from information available from the browser and combines them using deep learning to build a powerful cryptojacking classifier. We argue why CoinSpy is the most robust defense against current and future cryptojacking attacks as compared to recent work, and show that it can detect various cryptojacking campaigns with 97% accuracy.

show abstract

Section: Why Are These Features Future-proof?mentioning

confidence: 99%

Section: Extending Coinspy To Other Mining Familiesmentioning

confidence: 99%

Section: Extending Coinspy To Other Mining Familiesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Browser-Based Deep Behavioral Detection of Web Cryptomining with CoinSpy

Kelton¹,

Balasubramanian²,

Raghavendra³

et al. 2020

Proceedings 2020 Workshop on Measurements, Attacks, and Defenses for the Web

View full text Add to dashboard Cite

show abstract

“…Lee et al demonstrated cryptocurrency mining in the background that uses malicious service workers, and mined Monero coins through verified 225K transactions in a day [36]. Moreover, Papadopoulos et al developed a monitoring framework to allow malicious service workers to abuse browser resources and found the following harmful operations: DDoS attacks, distributed password cracking, malicious data hosting, proxies of a hidden network, and cryptocurrency mining [47].…”

Section: B Abusable Browser Resourcesmentioning

confidence: 99%

Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites

Watanabe¹,

Shioji²,

Akiyama³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Intermediary web services such as web proxies, web translators, and web archives have become pervasive as a means to enhance the openness of the web. These services aim to remove the intrinsic obstacles to web access; i.e., access blocking, language barriers, and missing web pages. In this study, we refer to these services as web rehosting services and make the first exploration of their security flaws. The web rehosting services use a single domain name to rehost several websites that have distinct domain names; this characteristic makes web rehosting services intrinsically vulnerable to violating the same origin policy if not operated carefully. Based on the intrinsic vulnerability of web rehosting services, we demonstrate that an attacker can perform five different types of attacks that target users who make use of web rehosting services: persistent man-in-the-middle attack, abusing privileges to access various resources, stealing credentials, stealing browser history, and session hijacking/injection. Our extensive analysis of 21 popular web rehosting services, which have more than 200 million accesses per day, revealed that these attacks are feasible. In response to this observation, we provide effective countermeasures against each type of attack.

show abstract

The Risks of WebGL: Analysis, Evaluation and Detection

Belkin

Gelernter

Cidon

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

WebGL is a browser feature that enables JavaScript-based control of the graphics processing unit (GPU) to render interactive 3D and 2D graphics, without the use of plug-ins. Exploiting WebGL for attacks will affect billions of users since browsers serve as the main interaction mechanism with the world wide web. This paper explores the potential threats derived from the recent move by browsers from WebGL 1.0 to the more powerful WebGL 2.0. We focus on two possible abuses of this feature: distributed password cracking and distributed cryptocurrency mining. Our evaluation of the attacks also includes the practical aspects of successful attacks, such as stealthiness and user-experience. Considering the danger of WebGL abuse, as observed in the experiments, we designed and evaluated a proactive defense. We implemented a Chrome extension that proved itself effective in detecting and blocking WebGL. We demonstrate in our experiments the major improvements of WebGL 2.0 over WebGL 1.0 both in performance and in convenience. Furthermore, our results show that it is possible to use WebGL 2.0 in distributed attacks under real-world conditions. Although WebGL 2.0 shows similar hash rates as CPU-based techniques, WebGL 2.0 proved to be significantly harder to detect and has a lesser effect on user experience.

show abstract

Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation

Cited by 16 publications

References 16 publications

Browser-Based Deep Behavioral Detection of Web Cryptomining with CoinSpy

Browser-Based Deep Behavioral Detection of Web Cryptomining with CoinSpy

Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites

The Risks of WebGL: Analysis, Evaluation and Detection

Contact Info

Product

Resources

About