While cryptocurrency mining has been a thing for years and is the primary and only method through which new cryptocurrencies are generated, mining was usually done via special hardware rigs or custom software installed on users' computers.
Generating cryptocurrency via these two methods has been usually pretty hard, especially for malware authors, as it required tricking users into install malware or hacking countless of servers across the web.
Check Point's May most wanted malware list. Cryptojackers and adware galore. pic.twitter.com/VSaU8c3Y1J— Catalin Cimpanu (@campuscodi) June 7, 2018
But despite its broad use, cryptojacking scripts is primarily a problem on the web, where users are bound to stumble upon one or more website or malicious browser extension that secretly tries to take advantage of their PCs' computational power.
"Cryptojacking scams have continued to evolve, and they don’t even need you to install anything," the FTC said today in a statement.
"Scammers can use malicious code embedded in a website or an ad to infect your device. Then they can help themselves to your device’s processor without you even knowing.
"You might make an unlucky visit to a website that uses cryptojacking code, click a link in a phishing email, or mistype a web address. Any of those could lead to cryptojacking," the FTC added. "While the scammer cashes out, your device may slow down, burn through battery power, or crash."
Today's FTC announcement is ground-breaking. This is the first official signal from US authorities that cryptojacking is an illegal practice, especially when done without the user's consent.
"It's a truly historic moment," Troy Mursch, a security researcher specialized in finding cryptojacking campaigns and the co-author of the first scientific paper on cryptojacking, told Bleeping Computer today in a private conversation.
"It's the first time a US government organization has mentioned the word cryptojacking," Mursch added. "It's good to see them finally taking issues seriously and publishing that advisory."
"It will definitely help raise awareness on the issue, especially now that we've seen many governments and educational institutions affected in recent cryptojacking campaigns [1, 2]," Mursch said, he being the one who discovered both campaigns in the first place.
The FTC is now asking users who think they are/were the subject of illegal cryptojacking while visiting online websites to file an official grievance with the Agency via its regular complaints page located at ftc.gov/complaint.
"The individual user reports to the FTC I think will be helpful for the Agency to gauge the scope of the issue and hear from consumers that are affected," Mursch said.
This is not the FTC's first rodeo in regards to illegal cryptocurrency mining operations. While not targeting in-browser (website-based) cryptocurrency mining, the FTC had taken action against illegal cryptocurrency mining in the past, twice —both times in 2015 [1, 2].
Besides enticing users to file official complaints, the FTC has also provided the following advice for dealing with in-browser cryptocurrency threats.
Besides the FTC's advice for using antivirus products and ad blocker browser extensions to block websites with hidden cryptojacking scripts, we also want to add on this list No Coin (a Chrome/Firefox/Opera browser extension dedicated to blocking cryptojacking scripts exclusively) and ZeroDot1's CoinBlockerLists (the biggest and most complete list of cryptojacking-related domains that can be imported into many ad blocker extensions and DNS blacklist apps).
Bleeping Computer has also published a tutorial on how to spot cryptojacking using Chrome's Task Manager.