It has been discovered on sites such as the Pirate Bay, CBS ShowTime and a number of other streaming websites. Some of these deployments are being done by the actual webmasters themselves, while in other cases attackers are exploiting vulnerabilities in well-known websites in order to make money from them in an illicit fashion.
This is not the first time that miners have used malware to mine cryptocurrency from unsuspecting users. It was recently discovered by Kaspersky security labs that hackers had spread Windows exploits that mined Monero on a user’s PC in the background.
What is Coinhive?
Although many may look at it as a potentially malicious script, it does have legitimate uses and was developed explicitly for that purpose. Instead of these sites having to rely on advertising revenue that could hamper user experience, Coinhive allows the users to contribute to the site through processing power.
For example, the Pirate Bay, which is a large torrent site, made use of the miner in a test session. This was unfortunately short-lived, as many users complained about their browsers being used for the benefit of the webmaster. It seems to have got the ball rolling, though.
Next came the news that the CBS Showtime brand’s website had the curious miner embedded in its code. This was quite suspicious, as many people believed CBS would not have implemented it because it would hamper user experience. However, the SetThrottle in the code on ShowTime was set at 0.97, which implies that it only mines 3% of the time. This is not the usual MO of a cyber-criminal.
Using Coinhive on a site can indeed be quite a profitable venture. For example, a recent analysis has concluded that a site with traffic such as the Pirate Bay's is likely to make about 12k a month from the mining.
Yet any innovation, no matter the intent, could eventually be used for the benefit of cyber criminals, and this is exactly what happened in this case as the code spread to all corners of the hacking community.
As hackers have realised the potential of the miner, it has cropped up in a number of other locations. For example, it has been located in the source code of a Chrome plugin. This would allow the hackers to mine from the users every time they are using their Chrome browser.
Hackers have also used chameleon domains in order to trick users. For example, they would register a domain such as facebooc.com or the like, which looks like the original site. Once users enter this domain they are taken to the fake site, which runs the script. Of course, this is only for a short period of time, as the user will eventually bounce.
However, if the hacker were to create a number of different chameleon domains like this, then they are likely to be able to mine a large amount of Monero across a range of different sites.
Of course, why should a hacker create their own domain when they can merely hack existing websites with a great deal of traffic? This has happened: reports by Sucuri.net have described sites running the popular WordPress and Magento CMSs that have been hacked and had the code inserted.
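For a site owner checking whether pages served by their own WordPress or Magento install carry the miner, a static check over the HTML can flag the embed and read its throttle, as with the 0.97 value seen on ShowTime. The following is an added example, not code from the original article or from Coinhive; the loader URL pattern, the CoinHive constructor form, the function name auditPage and the sample pages are assumptions constructed for illustration.

```javascript
// Added example: audit a page's HTML for an embedded Coinhive miner.
// Assumed: the loader URL and CoinHive.* constructor follow Coinhive's
// published embed snippet. All sample pages are constructed for this example.
const LOADER_RE = /<script[^>]+src\s*=\s*["']?([^"'\s>]*coinhive[^"'\s>]*)/gi;
const CTOR_RE = /new\s+CoinHive\.\w+\s*\(/g;
const OPT_RE = /\bthrottle\s*:\s*(\d*\.?\d+)/gi; // {throttle: 0.97}
const CALL_RE = /\.setThrottle\s*\(\s*(\d*\.?\d+)\s*\)/gi; // m.setThrottle(0.97)

function auditPage(html) {
  const loaders = [...html.matchAll(LOADER_RE)].map((m) => m[1]);
  const constructors = (html.match(CTOR_RE) || []).length;
  const found = loaders.length > 0 || constructors > 0;
  if (!found) return { found, loaders, throttle: null, miningPercent: null };

  // A later setThrottle() call overrides the constructor option. No setting
  // at all is treated as throttle 0: mining for as long as the page is open.
  const calls = [...html.matchAll(CALL_RE)];
  const opts = [...html.matchAll(OPT_RE)];
  const last = calls.length ? calls[calls.length - 1] : opts[opts.length - 1];
  const throttle = last ? Math.min(1, parseFloat(last[1])) : 0;

  // Throttle is the idle fraction, so the mining share is its complement.
  const miningPercent = Math.round((1 - throttle) * 1000) / 10;
  return { found, loaders, throttle, miningPercent };
}

const KEY = "SITE_KEY_PLACEHOLDER"; // placeholder, not a real site key
const SAMPLE_THROTTLED = `<html><body>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('${KEY}'); m.setThrottle(0.97); m.start();</script>
</body></html>`;
const SAMPLE_INJECTED = `<html><body><h1>Shop</h1>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>new CoinHive.Anonymous('${KEY}').start();</script>
</body></html>`;
const SAMPLE_CLEAN = `<html><body><script src="/js/app.js"></script></body></html>`;

for (const [name, html] of Object.entries({ SAMPLE_THROTTLED, SAMPLE_INJECTED, SAMPLE_CLEAN })) {
  const r = auditPage(html);
  console.log(name, r.found ? `miner found, mines ${r.miningPercent}% of the time` : "clean");
}
```

String matching like this only sees an embed that is written out in plain text, so a clean result does not rule out an obfuscated or dynamically loaded script.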
How to Avoid it
There are also a number of browser plugins that have been developed solely for the purpose of blocking the miners. These include such plugins as MinerBlock and Antiminer.
The Subtle Threat
Although the cybercrimes that make the headlines are the ones that tend to scare, they are sometimes less effective than those that attempt to go under the radar. This is exactly what malware mining scripts are designed to do.
Moreover, because they go unnoticed for a relatively long period of time, people do not report them and hence do not remove them. This means more profit for the miner. Even though Coinhive was developed as an alternative method for site fundraising, it has been exploited.
As a user, if you are able to install the right preventative measures on your browser then you are likely to counter the threat (at least for now).