A new phenomenon called cryptojacking is on the rise: cybercriminals secretly take money from their victims, without even delivering malware to their computers or smartphones, simply by having them visit infected websites.
Cryptojacking took off a couple of months ago when Coinhive debuted its mining JavaScript on its site. Whenever a user visits a site running the script, the user’s CPU mines the cryptocurrency Monero for the site owner. Users pay for that CPU time on their electricity bill. The cost per user may be small (and easily go unnoticed by the user), but it quickly adds up for site owners with many visitors.
On its website, Coinhive claims that the script is a way for website owners to generate revenue without ads. Coinhive offers API access for website owners to deploy a miner on their site and allow the miners to be run on user systems, without user permission. Users “pay you with just their CPU power”, according to Coinhive. Coinhive takes a 30% cut of all mining profits.
CPU mining can be a constructive tool, for example for websites raising funds for charitable causes such as Clean Water Coin. It can also be a legitimate way of raising revenue without the annoyance of digital ads, which have their own security issues.
Cybersecurity firm Webroot reports, however, that “it’s clear threat actors are abusing the tactic at the victims’ expense”, and points out that on slower computers a site with Coinhive’s JavaScript installed will become extremely sluggish. There are also concerns that users do not know they are being targeted in this way.
Webroot’s Senior Threat Research Analyst, Tyler Moffitt, pointed out that “using vulnerable websites to host malware isn’t new, but injecting sites with JavaScript to mine Monero is”. Monero is an anonymous cryptocurrency; it achieves the best hash rate on consumer CPUs and uses a private blockchain ledger, which prevents transactions from being tracked.
Coinhive claims that there is no need to block its scripts because of a “mandatory” opt-in that the user must accept. Moffitt notes, however, that cybercriminals have quickly found ways to suppress or circumvent the opt-in.
Moreover, copycats of Coinhive quickly started cropping up, and hackers have rapidly found ways to inject the scripts into websites such as Showtime and Politifact.com without the owners knowing, mining money for themselves out of another site’s web traffic.
There are various mitigation techniques, including a new Chrome extension called No Coin, which blocks Coinhive mining and is adding protection against additional miners.
Malware scanners such as Malwarebytes have started to block Coinhive and other cryptojacking scripts “because there’s no opt-in option or opt-out” and “the scripts could degrade hardware”, according to Adam Kujawa, the director of Malwarebytes Labs. In his blog post in October, Kujawa said the company had performed 130 million blocks in just a few weeks. The post described Coinhive as “a gray area” and therefore told users how to get around the block, as well as the dangers Malwarebytes sees associated with the script.
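Beyond browser extensions and scanners, site owners can check their own pages for an injected miner of the kind described above. The following is an added example, not code from the article or from any vendor named in it: it collects every script on a page and flags external sources on a blocklist and inline bodies that construct and start a miner. The blocklist (only coinhive.com comes from the article), the inline patterns and the sample HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist: coinhive.com is named in the article; the second is a placeholder for copycats.
MINER_DOMAINS = {"coinhive.com", "copycat-miner.invalid"}
# Assumed inline heuristics: a miner object is constructed AND started, so a lone ".start(" is not flagged.
INLINE_PATTERNS = [re.compile(r"new\s+CoinHive\.\w+\s*\(", re.I), re.compile(r"\.start\s*\(")]

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []  # begin buffering an inline script body
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

def find_miner_scripts(html):
    """Return (kind, evidence) tuples for scripts that look like miners."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:  # handle protocol-relative "//host/..." sources too
        host = urlparse(src if "//" in src else "//" + src).hostname or ""
        if any(host == d or host.endswith("." + d) for d in MINER_DOMAINS):
            findings.append(("external", src))
    for body in p.inline:
        if all(pat.search(body) for pat in INLINE_PATTERNS):
            findings.append(("inline", body.strip()[:60]))
    return findings

# Constructed sample of an injected page; the site key is a placeholder.
SAMPLE_HTML = """<html><head><script src="https://cdn.example.org/app.js"></script>
<script src="//coinhive.com/lib/miner.js"></script></head><body><script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');
  miner.start();
</script></body></html>"""
```

Run `find_miner_scripts` over each page of a crawl of your own site and alert on any non-empty result; extend MINER_DOMAINS as copycat services appear.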