If you follow stories about digital security, it’s easy to get the idea that most malware works because people are gullible and easy to manipulate.
If we’re not clicking dodgy links, we’re refusing to stop using the same easy-to-guess password for everything. In 2017, a survey of leaked data revealed the most common passwords still in use; no prizes for guessing what they were.
(Yep: 123456 and password topped the list. Again.)
Thing is, this narrative can conceal the fact that you don’t have to be a rube to pick up some dodgy code online and import it into your organization’s network or your home computer.
One of the most headline-grabbing forms this has taken recently has been the use of website code injections to spread blockchain mining code to visitors’ computers.
Code injections 101
Let me translate that into English for non-tech readers:
That means a code injection attack can turn a normal, safe website into a malware outbreak – and you don’t have to do anything wrong to be affected.
Why steal CPU time? Bitcoin
The reason you’d want to do this for a cryptocurrency is actually pretty simple: cryptocurrencies rely on ‘proof of work’ to function. It takes a certain number of CPU cycles to create each coin. Bitcoin is a good example, since Iceland now uses more energy to mine Bitcoin than to heat homes.
This means that to create Bitcoins – each one worth around $11,000, so it’s worth a try – you need as many CPU cycles as possible. So, why not use someone else’s?
(Because it’s wrong. And illegal. But supposing you don’t care about that? No reason in the world.)
Heimdal Security identified a server associated with this activity, which was hosting websites that were spreading malicious code. The code was both stealing CPU time (basically, clogging up the computer’s ‘brain’) to mine Bitcoin, and stealing information from Bitcoin wallets if they were present.
So what can you do to protect yourself?
Protect against code injections
It starts with real-time web protection – get a serious antivirus, turn on its real-time protection and set it to scan daily. It makes good sense to back up daily too. A restore from a clean backup point is the easiest and most complete way to get clear of a malware attack.
If one does happen, stop using the affected computer, restore from a clean backup, then scan, and finally change your passwords.
Right now, that’s the best you can do to defend yourself against these specific threats.
For broader threats against your security and privacy, it’s sensible to reach for anonymity and encryption, which means using a VPN. To learn more about how a VPN can protect you online, check out our VPN functionality explained guide.