A new phenomenon called cryptojacking is on the rise: cybercriminals secretly take money from victims who visit infected websites, without even delivering malware to their computer or smartphone.
On its website, Coinhive claims that the script is a way for website owners to generate revenue without ads. Coinhive offers API access for website owners to deploy a miner on their site and allow the miners to be run on user systems, without user permission. Users “pay you with just their CPU power”, according to Coinhive. Coinhive takes a 30% cut of all mining profits.
CPU mining can be a constructive tool, for example for websites raising funds for charitable causes such as Clean Water Coin. It can also be a legitimate way of raising revenue without the annoyance of digital ads, which have their own security issues.
Coinhive claims that there is no need to block its sites because of “mandatory” opt-ins that the user must run. Moffitt notes, however, that cybercriminals have quickly found ways to suppress or circumvent the opt-in.
Moreover, Coinhive copycats quickly started cropping up, and hackers have rapidly found ways to inject the scripts into websites like Showtime and PolitiFact.com without the owners knowing, mining money for themselves out of another site’s web traffic.
There are various mitigation techniques, including a new Chrome extension called No Coin, which blocks Coinhive mining and is adding protection against additional miners.
Malware scanners, such as Malwarebytes, have started to block Coinhive and other cryptojacking scripts “because there’s no opt-in option or opt-out” and “the scripts could degrade hardware,” according to Adam Kujawa, the director of Malwarebytes Labs. In his blog post in October, Kujawa said Malwarebytes had to undertake 130 million blocks in just a few weeks. The post described Coinhive as “a gray area” and thus told users how to get around the block, as well as the dangers Malwarebytes sees associated with it.
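A site owner can look for the kind of injected script described above by auditing which hosts a page loads scripts from. The following is an added example, not code from Coinhive, No Coin or Malwarebytes; the host names, the allowlist and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed values: a real audit would load a maintained miner blocklist.
MINER_HOSTS = {"miner.example"}                       # hypothetical miner host
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}  # hosts the owner expects

class ScriptCollector(HTMLParser):
    """Collect external script hosts and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.hosts, self.inline, self._open = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:  # urlparse also handles protocol-relative //host/path URLs
            self.hosts.append(urlparse(src).hostname or "")
        else:
            self._open = True
            self.inline.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False
    def handle_data(self, data):
        if self._open:
            self.inline[-1] += data

def is_miner(host):  # blocklisted host or any of its subdomains
    return any(host == m or host.endswith("." + m) for m in MINER_HOSTS)

def audit(html):
    """Return (kind, host) findings for scripts the owner did not expect."""
    page = ScriptCollector()
    page.feed(html)
    findings = []
    for host in page.hosts:
        if is_miner(host):
            findings.append(("miner", host))
        elif host and host not in ALLOWED_HOSTS:  # "" means a same-origin path
            findings.append(("unexpected", host))
    for body in page.inline:  # loaders that build the script tag at runtime
        findings += [("miner-inline", m) for m in sorted(MINER_HOSTS) if m in body.lower()]
    return findings
# Constructed sample page: one injected external miner and one inline loader.
SAMPLE = """<script src="/js/app.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="//ws.miner.example/m.min.js"></script>
<script src="https://stats.other.example/t.js"></script>
<script>var s=document.createElement('script');s.src='https://miner.example/m.js';</script>"""
```

Running `audit` over each rendered page on a schedule and alerting on any non-empty result gives the owner a signal when a script appears that was never deployed.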