How Your Smart Fridge Might Be Mining Bitcoin for Criminals 新型網(wǎng)絡(luò)犯罪：通過智能冰箱盜取比特幣

羅伯·史蒂文斯 陳偉濟(jì)

Is the web browser on your phone slower than usual？ It could be mining Bitcoin for criminals.

As the popularity of virtual currencies has grown， hackers are focusing on a new type of heist： putting malicious software on peoples’ handsets， TVs and smart fridges that makes them mine for digital money.

So-called crypto-jacking1 attacks have become a growing problem in the cybersecurity industry， affecting both consumers and organizations. Depending on the severity of the attack， victims may notice only a slight drop in processing power， often not enough for them to think it’s a hacking attack. But that can add up to a lot of processing power over a period of months or if， say， a business’s entire network of computers is affected.

“We saw organizations whose monthly electricity bill was increased by hundreds of thousands of dollars，” said Maya Horowitz， Threat Intelligence Group manager for Check Point， a cybersecurity company. Hackers try to use victims’ processing power because that is what’s needed to create—or “mine”—virtual currencies. In virtual currency mining， computers are used to make the complex calculations that verify a running ledger2 of all the transactions in virtual currencies around the world.

Crypto-jacking is not done only by installing malicious software. It can also be done through a web browser. The victim visits a site， which latches onto3 the victim’s computer processing power to mine digital currencies as long as they are on the site. When the victim switches， the mining ends.

Some web sites， including Salon.com， have tried to do it legitimately and been transparent about it. For three months this year， Salon.com removed ads from its sites in exchange for users allowing them to mine virtual currencies.

Industry experts first noted crypto-jacking as a threat in 2017， when virtual currency prices were skyrocketing to record highs.

The price of Bitcoin， the most widely known virtual currency， jumped sixfold from September to almost $20，000 in December before falling back down to under $10，000.

The number of crypto-jacking cases soared from 146，704 worldwide last September to 22.4 million last December， according to antivirus developer Avast. It has only continued to increase， to 93 million in May， it says. The first big case centered on Coinhive， a legitimate business that let web site owners make money by allowing customers to mine virtual currency instead of relying on advertising revenue.

Hackers quickly began to use the service to infect vulnerable sites with miners， most notably YouTube and nearly 50，000 WordPress web sites， according to research conducted by Troy Mursch， a researcher on crypto-jacking.

Mursch says Monero is the most popular virtual currency among cyber-criminals. A report by cybersecurity company Palo Alto Networks estimates that over 5 percent of Monero was mined through crypto-jacking. That is worth almost $150 million and doesn’t count mining that occurs through browsers. In the majority of attacks， hackers infect as many devices as possible， a method experts calls “spray and pray.”

“Basically， everyone with a [computer processing unit] can be targeted by crypto-jacking，” said Ismail Belkacim， a developer of an application that prevents websites from mining virtual currencies.

As a result， some hackers target organizations with large computing power. In what they believe might be the biggest crypto-jacking attack so far， Check Point discovered in February that a hacker had been exploiting a vulnerability in a server that over several months generated over $3 million in Monero.

Crypto-jackers have also recently targeted organizations that use cloud-based services， in which a network of servers is used to process and store data， providing more computing power to companies who haven’t invested in extra hardware.

Abusing this service， crypto-jackers use as much power as the cloud will allow them to， maximizing their gains. For businesses， this results in slower performance and higher energy bills.

Martin Hron， a security researcher at Avast， says that besides the rise in interest in virtual currencies， there are two main reasons for the rise in attacks.

First， crypto-jacking scripts require little skill to implement. Ready-made computer code that automates crypto-mining is easy to find with a Google search， along with tips on the vulnerabilities of devices. Second， crypto-jacking is harder to detect and is more anonymous than other hacks. Unlike ransomware， in which victims have to transfer money to regain access to their computers blocked by hackers， a victim of crypto-jacking might never know their computer is being used to mine currency. And as currency generated by crypto-jacking goes straight into a hacker’s encrypted wallet， the cyber-criminal leaves less of a trail.

Both Apple and Google have started to ban applications that mine virtual currencies on their devices. But Hron， the Avast researcher， warns that the risk is growing as more everyday devices are connected to the Internet—from ovens to home lighting systems—and that these are often the least secure.

Some experts say new techniques like artificial intelligence can help get a faster response to suspicious software.

That’s what Texthelp， an education technology company， used when it was infected with a crypto-jacker， said Martin McKay， the company’s chief technology officer. “The risk was mitigated for all customers within a period of four hours.”

But security researcher Mursch says that these precautions won’t be enough.

“They might reduce the impact，” he says， “But I don’t think we’re going to stop it.”

你手機(jī)上的網(wǎng)頁瀏覽器是否變慢了？它可能正在為犯罪分子開采比特幣呢。

隨著虛擬貨幣越來越受追捧，黑客們開始熱衷于一種新型盜竊：在人們的手機(jī)、電視和智能冰箱上安裝惡意軟件，利用這些設(shè)備開采數(shù)字貨幣。

所謂的加密劫持攻擊已成為網(wǎng)絡(luò)安全行業(yè)日益嚴(yán)重的問題，消費(fèi)者和企業(yè)都遭受到損害。由于攻擊的嚴(yán)重程度不同，受害者或許只注意到設(shè)備處理能力略微下降，通常不足以讓他們想到是黑客攻擊。但幾個月下來，或者說一個企業(yè)的整個計算機(jī)網(wǎng)絡(luò)都受到攻擊，就可能累積占用很多處理能力。

“我們了解到有些企業(yè)每個月的電費(fèi)增加了幾十萬美元。”網(wǎng)絡(luò)安全公司以色列捷邦安全軟件科技有限公司威脅情報組經(jīng)理瑪雅·霍洛維茨說。黑客試圖利用受攻擊設(shè)備的處理能力，因?yàn)閯?chuàng)造或說“開采”虛擬貨幣需要這些處理能力。開采虛擬貨幣時，計算機(jī)用于進(jìn)行復(fù)雜的計算，以核實(shí)全世界所有虛擬貨幣交易的進(jìn)出明細(xì)。

加密劫持除了可以通過安裝惡意軟件完成，還可以通過網(wǎng)頁瀏覽器實(shí)現(xiàn)。受害者訪問某個網(wǎng)站時，只要停留瀏覽，網(wǎng)站就會鎖定劫持受害者計算機(jī)的處理能力用于開采數(shù)字貨幣。受害者不切換，開采不結(jié)束。

包括Salon.com在內(nèi)的一些網(wǎng)站已嘗試讓加密劫持合法化，公開透明地開采。Salon.com今年有三個月去除了網(wǎng)站廣告，以換取用戶允許他們開采虛擬貨幣。

2017年，行業(yè)專家首次指出加密劫持是一種威脅，這一年虛擬貨幣價格飆升，創(chuàng)歷史新高。

虛擬貨幣中最廣為人知的是比特幣，其價格從9月到12月暴漲了6倍，逼近2萬美元，隨后回落至1萬美元以下。

殺毒軟件研發(fā)公司愛維士稱，去年全球加密劫持的案件數(shù)量從9月的14.6704萬起飆升至12月的2240萬起，之后這一數(shù)字還在繼續(xù)增長，5月份已達(dá)9300萬。第一宗大案的焦點(diǎn)是挖礦服務(wù)公司Coinhive，該公司是一家合法企業(yè)，讓網(wǎng)站所有者可以通過允許客戶開采虛擬貨幣來賺錢，而不是依賴廣告收入。

加密劫持研究人員特洛伊·穆爾施的研究顯示，黑客很快開始利用這項(xiàng)服務(wù)入侵存在漏洞的采礦網(wǎng)站，最著名的是優(yōu)兔和博客平臺WordPress近5萬個網(wǎng)站。

穆爾施說，門羅幣是最受網(wǎng)絡(luò)犯罪分子歡迎的虛擬貨幣。網(wǎng)絡(luò)安全公司派拓網(wǎng)絡(luò)的一份報告估計，超過5%的門羅幣是通過加密劫持開采的，價值接近1.5億美元，這還不包括通過瀏覽器所開采的。在大多數(shù)攻擊中，黑客會讓盡可能多的設(shè)備感染病毒，專家稱之為“撒網(wǎng)式”策略。

“基本上，每個擁有[計算機(jī)處理器]的人都可能成為加密劫持的攻擊目標(biāo)。”應(yīng)用程序開發(fā)商伊斯梅爾·貝爾卡辛說，他開發(fā)的應(yīng)用程序可以防止網(wǎng)站開采虛擬貨幣。

后來，有些黑客將目標(biāo)鎖定在擁有強(qiáng)大計算能力的企業(yè)。2月，捷邦發(fā)現(xiàn)，一名黑客利用一個服務(wù)器的漏洞，幾個月內(nèi)開采出價值300多萬美元的門羅幣，這可能是迄今為止最大的加密劫持攻擊。

加密劫持病毒最近還瞄準(zhǔn)了使用云服務(wù)的企業(yè)，云服務(wù)的服務(wù)器群用以處理和存儲數(shù)據(jù)，為沒有購買額外硬件的公司提供更多的計算能力。

加密劫持病毒會濫用這項(xiàng)服務(wù)，在云服務(wù)許可范圍內(nèi)用盡它所提供的計算能力，使自己收益最大化。對于企業(yè)來說，這會導(dǎo)致性能降低而電力成本上升。

愛維士的安全研究員馬丁·赫龍表示，除了人們對虛擬貨幣越來越感興趣之外，攻擊增加還有另外兩個主要原因。

首先，運(yùn)行加密劫持腳本幾乎不需要什么技巧。通過谷歌搜索，很容易找到現(xiàn)成的自動加密開采的計算機(jī)代碼，以及有關(guān)設(shè)備漏洞的提示。其次，加密劫持更難被發(fā)現(xiàn)，而且比其他非法入侵更匿名。受勒索軟件或病毒攻擊的受害者必須交贖金方能重新訪問被黑客封鎖的計算機(jī)，加密劫持與此不同，其受害者可能永遠(yuǎn)都不知道他們的計算機(jī)正被用于開采貨幣。而且，由于加密劫持開采出的貨幣直接進(jìn)入黑客的加密錢包，網(wǎng)絡(luò)犯罪分子留下的痕跡也更少了。

蘋果和谷歌都已開始禁止在其設(shè)備上加裝開采虛擬貨幣的應(yīng)用程序。但愛維士研究員赫龍?zhí)嵝颜f，隨著越來越多的日用設(shè)備連接到互聯(lián)網(wǎng)——從烤箱到家庭照明系統(tǒng)——加密劫持的風(fēng)險越來越大，而且這些設(shè)備常常是最不安全的。

有專家表示，人工智能等新技術(shù)可能有助于對可疑軟件更快做出反應(yīng)。

教育技術(shù)公司Texthelp首席技術(shù)官馬丁·麥凱說，那正是他們公司感染加密劫持病毒時使用的方法，“不到四個小時，所有客戶的風(fēng)險都降低了。”

但安全研究員穆爾施說，這些預(yù)防措施還不夠。

“這些或許能減少影響，”他說，“但我認(rèn)為阻止不了。”□

（譯者為“《英語世界》杯”翻譯大賽獲獎?wù)撸?/p>