Cyber-criminals aren’t stupid. If you find a way to block their code, they’re going to find a way around your block.
That’s how it’s been for decades in the antivirus business, and this is exactly what’s happening right now on the in-browser cryptocurrency mining (cryptojacking) scene.
This, in turn, has led to diminishing returns for the people deploying these scripts, most of which are illegally added to hacked sites.
Proxy servers help crooks evade detection
The first evasion techniques were seen in November last year, but they are now becoming more popular among cryptojacking groups.
The most popular and widespread of these techniques is to deploy a “cryptojacking proxy server,” such as the CoinHive Stratum Mining Proxy, available on GitHub.
These proxy servers come with two advantages for cryptojacking actors. The first is that they allow crooks to host cryptojacking scripts on their own domains, and avoid loading them from the domain of the cryptojacking service (Coinhive, CryptoLoot, DeepMiner, etc.), which are detected by all anti-cryptojacking solutions.
Second, the proxy also allows crooks to use custom mining pools, which in turn allows them to detach the mining process from the cryptojacking service itself, and keep all the mined Monero without having to pay any fee to Coinhive or any of the other services.
In the long run, as these proxy systems become more popular, many solutions that rely on domain blacklists, like ad blockers and dedicated browser extensions, will become outdated and inefficient at blocking in-browser mining. At that point, users will only be able to tell that a cryptojacking script is present in their browser from a high CPU usage counter.
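To show concretely why a self-hosted proxy defeats domain blacklists while a behaviour-based check does not, here is an added example (not from the article or any of the tools it mentions). It runs a blacklist detector and a message-content detector over constructed WebSocket frames; the hostnames, blacklist entries and the assumption that relayed mining jobs carry stratum-style `blob`/`job_id`/`target` fields are all assumptions made for this example.

```python
import json

# Constructed sample of WebSocket frames an extension or network monitor
# might observe: (host the page connected to, text payload). Hosts and
# payloads are made up for this example; "blob" values are shortened.
SAMPLE_FRAMES = [
    ("ws.coinhive.com",
     '{"type":"job","params":{"blob":"0707f0","job_id":"a1","target":"b88d0600"}}'),
    ("static.example-blog.test",   # proxy hosted on the hacked site's own domain
     '{"type":"job","params":{"blob":"0707f1","job_id":"a2","target":"b88d0600"}}'),
    ("chat.example-blog.test",
     '{"type":"message","text":"hello"}'),
]

# Illustrative blacklist of cryptojacking-service domains (constructed).
DOMAIN_BLACKLIST = {"coinhive.com", "crypto-loot.com", "deepminer.test"}

# Field names assumed to appear in relayed Monero stratum "job" messages.
JOB_FIELDS = {"blob", "job_id", "target"}


def domain_blacklisted(host, blacklist=DOMAIN_BLACKLIST):
    """Blacklist check: true if the host or any parent domain is listed."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels) - 1))


def looks_like_mining_job(payload):
    """Behaviour check: true if the frame carries a stratum-style job,
    regardless of which domain served the script or terminates the socket."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return False
    if not isinstance(msg, dict):
        return False
    params = msg.get("params")
    return isinstance(params, dict) and JOB_FIELDS <= set(params)


def classify(frames):
    """Return, per host, whether each detector would have flagged it."""
    results = {}
    for host, payload in frames:
        r = results.setdefault(host, {"blacklist": False, "behaviour": False})
        r["blacklist"] |= domain_blacklisted(host)
        r["behaviour"] |= looks_like_mining_job(payload)
    return results
```

Run over the sample, the proxied host on `static.example-blog.test` is missed by the blacklist but caught by the behaviour check, which is the gap the article describes.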