Covert Cryptocurrency Miners Quickly Become A Major Problem
from the lessons-unlearned dept
As websites increasingly struggle to keep the lights on in the age of ad blockers, a growing number of sites have turned to in-browser cryptocurrency miners like Coinhive (which mines Monero rather than bitcoin, though the mechanism is the same). Such miners covertly use visitor CPU cycles to mine cryptocurrency while a user is visiting a website, and actively market themselves as a creative alternative to the traditional advertising model. And while this is certainly a creative revenue generator, these miners are increasingly being foisted upon consumers without informing them or providing an opt out. Given that the miners consume user CPU cycles and a modest amount of power, that's a problem.
The Pirate Bay was forced to disable its miner back in September, after users complained it was eating up to 90% of their available CPU cycles. Showtime was similarly caught running a miner on two of its domains, and has yet to explain why it launched the miners or why it didn't inform visitors they were running. More recently, Trend Micro revealed that at least two Android apps, downloaded up to 50,000 times from the Google Play store, were covertly running crypto miners inside a hidden browser window:
Recently, we found apps with malicious cryptocurrency mining capabilities on Google Play. These apps used dynamic JavaScript loading and native code injection to avoid detection. We detect these apps as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER.
[…]
This JavaScript code runs within the app's webview, but this is not visible to the user because the webview is set to run in invisible mode by default. When the malicious JavaScript code is running, the CPU usage will be exceptionally high.
The explosion in browser-based miners is both above and below board. There are indications that the miners running on Showtime's domains were the result of a website hack. More recently, researchers from security firm Sucuri discovered that at least 500 websites running WordPress had been hacked to inject miners, and that other publishing platforms including Magento, Joomla, and Drupal were also being consistently abused. Reddit users this week documented how Choice Hotels (owner of Comfort Inn) websites have also been compromised with cryptocurrency miners that the company itself seems oblivious to.
Political fact-checking website PolitiFact also recently acknowledged it was hacked by intruders who installed miners that quickly gobbled up visitors' CPU cycles without permission:
BREAKING NEWS: #Coinhive found on official @PolitiFact website in latest case of #cryptojacking. pic.twitter.com/czGc5aaug7
— Bad Packets Report (@bad_packets) October 13, 2017
Not too surprisingly, security firms like Malwarebytes have started blocking the miners:
The reason we block Coinhive is because there are site owners who do not ask for their users’ permission to start running CPU-gorging applications on their systems. A regular Bitcoin miner could be incredibly simple or a powerhouse, depending on how much computing the user running the miner wants to use. The JavaScript version of a miner allows customization of how much mining to do, per user system, but leaves that up to the site owner, who may want to slow down your computer experience to a crawl.
And while these tools help somewhat with malicious installs and hacks, plenty of websites still appear to think it's a good idea to run miners without notifying users or providing a functioning opt out. Which means there are plenty of folks busy trying to combat the rise of ad blockers by engaging in the exact same behavior that caused the rise of ad blockers in the first place.
Filed Under: coinhive, cryptocurrency, miners
Comments on “Covert Cryptocurrency Miners Quickly Become A Major Problem”
The problem of people discovering bitcoin miners in web sites should go away shortly.
Mostly because all the major browsers finally support WebAssembly. JavaScript (and C++ and other languages) can now be sent to your browser in compiled form, making it much harder to figure out what they’re doing.
So, yay?
Re: Re:
Are there estimates of how much money can be made here? To simplify, we could assume the scripts will run as fast as a native CPU implementation… which I thought had been considered dead for a long time now, at least for Bitcoin, because there’s little money to be made that way (even with unmetered electricity).
Re: Re: Re:
It would depend on how many people visit the web site.
Imagine Netflix doing this. “Your ISP is limiting your video stream to Standard Definition. It would be a shame to waste all that GPU capability, so we’ll just have the video codec also mine bitcoin while you’re watching. Cheers!”
Re: Re: Re: Re:
If they make Netflix free and commercial free then I might agree with it! I rarely use anything else on my PC while nutflix is running.
Re: Re: Re:2 Re:
You’d be paying with your own computer components’ lifespan, at the very least, though. If these miners take up to 90% of your processing power, you become limited in what else you can do with your machine, and it wears down your (likely expensive) CPU.
As well, who’s to say Netflix will turn the mining off once you’re done watching?
Re: Re: Re:3 Re:
I can buy a cheap CPU just to watch shows, but if they try to keep mining while I am not watching or mining in a way that disrupts my enjoyment then deal is off.
I don’t think mining coin on peeps’ CPU is a problem, as long as the users KNOW and have explicitly agreed to it and as long as there is a fair exchange of value.
heck, I might let my machine sit and crunch for them if I get fair compensation in return.
In short, as long as all parties know & agree, then its not a problem. What I feel is fair compensation may not be what another feels is fair compensation, but that needs to be their decision.
Re: Re: Re:3 Re:
CPUs are not generally considered to "wear down" with usage, as long as they’re properly cooled. There should be no real effect on lifespan. Even servers used at 100% for years, as in scientific clusters, are retired because more efficient computers come along, not because they’ve worn out.
Re: Re:
Well, that’s disturbing. I suppose it’s only a matter of time until miners are embedded in otherwise-legitimate code served by otherwise-legitimate sites.
Re: Re: Re:
We automatically remove encrypted PDF files from incoming and outgoing email, except for a VERY small whitelist of sources. This because Adobe added JavaScript support to PDF files, making them God’s gift to ransomware criminals.
I expect someone is already looking at embedding JavaScript bitcoin miners in PDF files. Device and app manuals, pirated eBooks, electronic invoices, etc.
Or non-pirated eBooks. Add it to fanfic, put a cheap price on it and upload it to the eBook stores. A reader might have it open for hours, rather than a quick website visit.
I wonder if you could bypass the malware detection in the Apple or Android stores by uploading a perfectly clean app, with the bitcoin miner in the PDF manual.
Re: Re:
Shite. By that description, the code sent by this protocol is probably not auditable in any sense of the word, correct?
Re: Re: Re:
Decompilers exist for many languages. If it can be compiled into bytecode, then it can be decompiled back into something somewhat readable. Though never as readable as the original code.
Since code obfuscators exist for other environments to derail decompile efforts, I expect they’ll quickly be created for WebAssembly.
Re: Re:
What a great idea! Let’s make it even easier for web sites to covertly run code on users’ systems! I’m sure this will never be abused…
"Malicious"
Uh, they’re not doing that out of malice (i.e. a desire to harm their users), they’re doing it out of greed. An infinite loop would be easier and work just as well for malice. This is nonmalicious sociopathy, par for the course on the web (and an opt-out option wouldn’t change this).
Re: "Malicious"
“Malicious”
The Latin root word mal means “bad” or “evil.” This root is the word origin of many English vocabulary words, including malformed, maltreat, and malice. You can recall that mal means “bad” through malfunction, or a “badly” working part, and that it means “evil” through malice, or intentional “evil” done to another.
It’s just bad, m’kay?
Re: Re: "Malicious"
And malice specifically means an intent to do evil or to harm others. I don’t think the people running these scams give a shit about others. They’ve probably even got some justification so as not to consider themselves wrongdoers.
Re: "Malicious"
Greed is malicious
... probably not bitcoin
Bitcoin’s difficulty has long been too high to mine on a CPU or GPU. You essentially need specialized ASIC machines to mine bitcoin; racks of them unless you join a pool.
CoinHive’s javascript miner mines monero, which is a wonderful, privacy-centric cryptocurrency — but it is not bitcoin (the original cryptocurrency).
Just a point of clarity. “Bitcoin” is not generic for cryptocurrency; bitcoin is a specific cryptocurrency.
#NoScript
Re: Re:
RIP most Firefox extensions
Re: Re: Re:
In a couple of days, if everything goes fine, and definitely by the end of this week, NoScript 10, the first “pure” WebExtension NoScript version, will be finally released for Firefox 57 and above
https://hackademix.net/2017/11/14/double-noscript/
Re: Re:
#UnusableSite
In all seriousness, way too many companies are designing their websites to be unusable unless Javascript is enabled.
Want to read the article? Enable Javascript so the formatting isn’t screwed up.
Want to see the images in the article? Enable Javascript to see them.
Want to leave a comment on the article? Enable Javascript so the page will display the Facebook commenting system.
NEVER consent to crypto-currency mining on your computer by a website
I can’t believe how many people I’ve seen at sites like reddit saying that these miners might be a good alternate to web ads, it’s like they can’t think ahead a few steps.
For the non-computer literate, here’s why bitcoin mining in place of ads is a bad idea, even with user permission.
We’re not talking about just one site using it. We’re talking about the potential for many of the websites you visit to start using it in place of ads. Even people with top of the line computers will find their computers brought to their knees if they have enough websites open running crypto-currency miners.
What’s to stop people from just running crypto-currency miners? This loophole to covertly mine crypto-currency is a GREAT way for a would-be hacker to potentially do other malicious things to your computer too. I GUARANTEE you we’ll hear about some nasty virus in the future disguising itself as a mining app.
This is why I immediately added crypto-currency mining to my block list in uBlock Origin the second I heard of the first story of these miner leeches.
Re: NEVER consent to crypto-currency mining on your computer by a website
Well. Just HOW are you going to prevent the obvious disaster? The sites have powerful incentive to spread this, no legal limitations, billions of knuckleheads going along, and on your side is… what?
“it’s like they can’t think ahead a few steps.” — Wrong! It’s not “like”, it’s THAT, AND WON’T. —
Now, do you rail at Google using javascript to gain money? Why not? Same principle, and why I rail here at Google. But it’s like you can’t think ahead a few steps…
Re: Re: NEVER consent to crypto-currency mining on your computer by a website
But when the RIAA and NSA vacuum up info to sue children, there’s no cock you won’t deepthroat, eh blue boy?
Re: NEVER consent to crypto-currency mining on your computer by a website
And what ever makes them think that mining would only be "instead of" and not wind up "in addition to" ads? Idiots.
Re: NEVER consent to crypto-currency mining on your computer by a website
Still, miners have an advantage over ads: they lack a whole row of middle-men that take their share of the goods (ad brokers, ad creators, etc.)
Both ads and miners have the risk that they will behave like parasites to the host — gobbling up bandwidth, power, and attention. But with miners, I can imagine a future where miners will play nice, use limited resources, and become a kind of micropayment for using the website.
But you don't mind Google mining info bits to track you?
Never allow javascript, maliciously engineered from start, unless absolutely required. Get Noscript — and remove whitelist it comes with, especially Google.
However, since you can’t turn off javascript in many browsers now, just admire the infernal ingenuity of your high-tech prison…
Re: But you don't mind Google mining info bits to track you?
k
Re: Re: But you don't mind Google mining info bits to track you?
Re: Re: Re: But you don't mind Google mining info bits to track you?
Best use of time.
Re: Re: Re: But you don't mind Google mining info bits to track you?
What else is there to say to a troll with a Google obsession?
k
Re: Re: Re: But you don't mind Google mining info bits to track you?
Filthy TOR pirate says what?
Re: Re: Re:2 But you don't mind Google mining info bits to track you?
really? tor?
Apparently you’re living in 2016….
You can get entirely de-centralized websites now, where the entire HTML codebase is held on multiple machines.
Tor not required, as to prevent Dcent sites you’d basically need to block 99% of all IP addresses to be sure..
Re: Re: Re:3 But you don't mind Google mining info bits to track you?
This would have a point if not for the fact that out_of_the_blue has readily admitted on multiple occasions to using TOR solely for the purposes of trolling a site he absolutely loathes.
Re: Re: Re: But you don't mind Google mining info bits to track you?
"Why aren’t you talking about what I want you to talk about" isn’t worth responding to.
Re: But you don't mind Google mining info bits to track you?
Although the ability to disable Javascript was taken out of the settings/options control panel in web browsers a few years ago, that just means you have to manually edit it (ex., “about:config” in Firefox)
But then disabling Javascript means that you can’t see any of those hidden (“flagged”) comments in Techdirt, the non-pc opinions which are often the most truthful and informative comments, as well as the most discussed and debated.
Re: Re: But you don't mind Google mining info bits to track you?
Does disabling stylesheets not work any longer? (Of course it would be better for Techdirt to fix that problem so it’s not necessary.)
The Tor Browser security slider is another way to disable Javascript. At "high" it’s blocked.
Re: Re: But you don't mind Google mining info bits to track you?
I recommend allowing for two separate instances of a browser and then configure them as you please
“Are there estimates of how much money can be made here?”
Doesn’t really matter. If a company makes anything, it is pure profit because they are using visitors’ processors and energy. Zero costs and any payoff means a good ROI.
Re: Re:
Isn’t that considered theft of service?
Re: Re: Re:
It’s stories like this that make me miss the “Punch the Monkey, Win an iPod” ads from yesteryear.
Re: Re:
The monkey lawyered up. Now you can’t even post his picture without being sued.
Possible wrong link
Both of the first two links link to the same article.
was that intentional?
That article does mention both Pirate Bay and showtime though…
“This JavaScript code “
Ahhhh Ha – and there is the problem.
A site I frequent had this installed somehow. They removed it as soon as folks notified them. Used the web developer tools in Firefox to view the site code. Saw the call to the coinhive domain. Between Malwarebytes and Noscript, the coinhive thing never had a chance to fire off on my PC.
Added Coinhive.com to the always block rule on my stand alone firewall appliance as another layer of defense.
It is crap like this that totally destroys the “But we have to have auto load via javascript ads in order to survive” arguments many websites make. If you can’t secure your main page, how are you going to secure the automated sell-to-highest-bidder auto load script ad?
It is a less intrusive model than advertising
I can understand that there are some teething problems. But crypto mining is certainly less malicious than the psychological battery being perpetrated on the public by ad-tracking.
If the client side allocates a core specifically for this, then they should be fine. The problem people are experiencing with latency is likely mostly due to shitty thread handling in browser implementations, and shitty cracking code in the early versions of this tech.
That hopefully will get solved as the tech standardizes. The problem is that sites will use both, instead of using one or the other.
It would be nice to see a webring that moves entirely over to this tech, and abandons web based advertising completely. I would totally prefer sites do this, instead of web based ads.
The only way that advertising survives AI based filtering is if the computers themselves are only rented. And I’m sure there are some lobbyists and congressmen actively working on pursuing just such a crime against the Constitution.
So we’ll see. My guess is it will be a crime to release software in the near future, unless it has first gone through some kind of “federal modification” process. When I was a kid I had a T-shirt that said “skateboarding is not a crime”. Now I expect I will soon have one that says “programming is not a crime”. Funny how things stay the same.
Re: It is a less intrusive model than advertising
This raises an interesting question—if a web service is going to waste cycles, would you rather have those cycles go toward mining currency or your browsing habits? Resource usage being equal, the former might be preferable.
That said, I’d hardly call it “nice” to be asked to “allocate a core” for currency mining to view a bit of HTML.
Re: Re: It is a less intrusive model than advertising
What makes you think they will not be doing both … and more
Since I removed my front door for convenience, I’m having a hard time keeping burglars out. Someone should really invent something that will keep unwanted people from just walking into your home!
Not a bigger problem than corrupt politicians and banksters.
Age Verification Pop-Up - Magento® 2 Extension Out Now!!!