The information below was sent to the IT Security Community and Frontline Notify (FLN) groups via email on June 12, 2018.
Please help us remind the university community that cryptocurrency mining (outside of faculty-approved research and coursework) is a violation of U-M policy, potentially illegal, and an inappropriate use of university resources.
What Is Cryptocurrency Mining?
- Cryptocurrency mining is the distributed process of validating digital currency transactions and adding them to a public ledger/record for the currency (the blockchain) in pursuit of transaction fees and additional digital currency.
- The mining process is computationally intensive and can use significant and costly amounts of computing time and electricity.
- Misappropriation of resources for cryptocurrency mining has displaced ransomware as the number one cyber security threat, according to industry experts (Forbes, 3/4/18).
Using U-M Resources for Cryptocurrency Mining Violates University Policy
Cryptocurrency mining is a violation of university policy. According to Responsible Use of Information Resources (SPG 601.07), U-M resources may not be used "for personal commercial purposes or for personal financial or other gain." The Statement of Student Rights and Responsibilities states that students must abide by university computer policies.
Members of the U-M community are prohibited from using university resources (including computing equipment, network services, and electricity) for cryptocurrency mining activities outside of faculty-approved research and coursework. This use is essentially theft.
Malware Can Co-Opt Websites and Computers for Mining
Theft of computing resources for cryptocurrency mining is a worldwide problem. Attackers use phishing techniques to trick victims into clicking links that load cryptocurrency mining code on their computers or infect websites with malicious code. The only sign of this victims may notice is a slowing of their computer's performance.
Mining Puts U-M Data and Systems at Risk
- Slows performance for legitimate users.
- Can leave openings for attackers to exploit.
- Increases electricity and computing costs.
- Ties up IT staff who must troubleshoot performance issues.
- Do not use university resources for cryptocurrency mining.
- If you suspect unauthorized use of university resources for cryptocurrency mining, report it as a suspected security incident.
- Protect yourself against unauthorized use of your own computer by following IT security best practices: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Use a Secure Internet Connection on the U-M Safe Computing website.
- Apple just banned cryptocurrency mining on iOS devices (Ars Technica, 6/11/18)
- What is cryptojacking? How to prevent, detect, and recover from it (CSO, 5/25/18)
- How to detect and prevent crypto mining malware (CSO, 4/4/18)
- Cryptomining: the new lottery for cybercriminals (CSO, 3/14/18)
- Understanding How Bitcoin Mining Poses Security Risks (MacAfee, 3/11/18)
- Top Cyberthreat Of 2018: Illicit Cryptomining (Forbes, 3/4/18)
- Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions (Talos, 1/31/18)
- Cryptocurrency Mining (Stanford University IT Newsroom, 1/4/18)
- Bitcoin Mining Definition (Investopedia)
- Are your favorite websites mining Bitcoin? Here's how to find out (C|Net, 2/16/2018)
- How to tell if your computer is secretly mining cryptocurrency, and what to do about it (Quartz, 9/24/17)