Covert Cryptocurrency Miners Quickly Become A Major Problem
from the lessons-unlearned dept
As websites increasingly struggle to keep the lights on in the age of ad blockers, a growing number of sites have turned to bitcoin miners like Coinhive. Such miners covertly use visitor CPU cycles to mine cryptocurrency while a user is visiting a website, and actively market themselves as a creative alternative to the traditional advertising model. And while this is certainly a creative revenue generator, these miners are increasingly being foisted upon consumers without informing them or providing an opt-out. Given that the miners consume user CPU cycles and a modest amount of power -- that's a problem.
The Pirate Bay was forced to disable its bitcoin miner back in September, after users complained it was eating up to 90% of their available CPU cycles. Showtime was similarly caught using a bitcoin miner on two of its domains, and has yet to provide any detail on why it launched the miners or why it refused to inform visitors they were running. More recently, Trend Micro revealed that at least two Android apps -- downloaded up to 50,000 times from the Google Play store -- were covertly running crypto miners inside a hidden browser window:
Recently, we found apps with malicious cryptocurrency mining capabilities on Google Play. These apps used dynamic JavaScript loading and native code injection to avoid detection. We detect these apps as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER.
[...]
This JavaScript code runs within the app’s webview, but this is not visible to the user because the webview is set to run in invisible mode by default. When the malicious JavaScript code is running, the CPU usage will be exceptionally high.
The explosion in bitcoin miners is both above and below board. There are indications that the bitcoin miners running on Showtime's domains were the result of a website hack. More recently, researchers from security firm Sucuri discovered that at least 500 websites running WordPress had been hacked, and that other publishing platforms including Magento, Joomla, and Drupal were also being consistently abused. Reddit users this week documented how Choice Hotels (owner of Comfort Inn) websites have also been compromised with cryptocurrency miners the company itself seems oblivious to.
Political fact-checking website PolitiFact also recently acknowledged it was hacked by intruders who installed bitcoin miners that quickly gobbled up visitors' CPU cycles without permission:
BREAKING NEWS: #Coinhive found on official @PolitiFact website in latest case of #cryptojacking. pic.twitter.com/czGc5aaug7
— Bad Packets Report (@bad_packets) October 13, 2017
Not too surprisingly, security firms like Malwarebytes have started blocking the miners:
The reason we block Coinhive is because there are site owners who do not ask for their users' permission to start running CPU-gorging applications on their systems. A regular Bitcoin miner could be incredibly simple or a powerhouse, depending on how much computing the user running the miner wants to use. The JavaScript version of a miner allows customization of how much mining to do, per user system, but leaves that up to the site owner, who may want to slow down your computer experience to a crawl.
And while these tools help somewhat with malicious installs and hacks, plenty of websites still appear to think it's a good idea to run the miners without notifying users or providing a functioning opt-out. Which means there are plenty of folks busy trying to combat the rise of ad blockers -- by engaging in the exact same behavior that caused the rise of ad blockers in the first place.
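The article describes two detection angles: site owners finding a miner injected into their own pages after a hack (the Sucuri WordPress findings), and blockers such as Malwarebytes refusing to load the Coinhive script. As an added example (not code from Techdirt, Coinhive, Sucuri or Malwarebytes), the Python scanner below runs over fetched HTML and flags both forms: an external `<script src>` whose host is a listed miner domain (`coinhive.com` is named on the page; `miner.invalid` is a constructed placeholder) or a subdomain of one, and an inline script that instantiates the Coinhive client (`CoinHive.Anonymous(` / `CoinHive.User(`, an assumption about the library's API rather than something the article states). The sample pages are constructed.

```python
"""Flag injected browser-miner loaders in HTML.

Added example for this page; not code from the article, Coinhive, Sucuri
or Malwarebytes. The sample pages at the bottom are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domain blocklist. "coinhive.com" is the service the article names;
# "miner.invalid" is a constructed placeholder for any other loader host.
MINER_DOMAINS = frozenset({"coinhive.com", "miner.invalid"})

# Inline marker: the Coinhive client is instantiated as
# `new CoinHive.Anonymous(...)` or `new CoinHive.User(...)`. That API name
# is an assumption about the library, not something the article states.
INLINE_MARKER = re.compile(r"\bCoinHive\.(?:Anonymous|User)\s*\(", re.IGNORECASE)


def host_is_listed(src, blocklist=MINER_DOMAINS):
    """True when the script URL points at a listed domain or a subdomain of it.

    urlsplit() resolves protocol-relative URLs (//host/path), which injected
    loaders use so they work on both http and https pages. A bare path such as
    /static/app.js has no host and is left to the site's own code review.
    Matching on "host == d or host.endswith('.' + d)" means a look-alike such
    as coinhive.com.evil.example is NOT treated as coinhive.com.
    """
    host = urlsplit(src.strip()).hostname
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in blocklist)


class MinerScanner(HTMLParser):
    """Collects (kind, detail) findings for <script> tags in a document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":          # HTMLParser lower-cases tag names
            return
        self._in_script = True
        src = dict(attrs).get("src")
        if src and host_is_listed(src):
            self.findings.append(("external", src))

    def handle_data(self, data):
        # Script bodies arrive here as CDATA; look for the client constructor.
        if self._in_script:
            m = INLINE_MARKER.search(data)
            if m:
                self.findings.append(("inline", m.group(0)))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def scan_html(html):
    """Return the list of miner indicators found in one HTML document."""
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages (not captured from any real site).
CLEAN_PAGE = (
    '<html><head><script src="/static/app.js"></script></head>'
    "<body><p>Nothing to see here.</p></body></html>"
)
INJECTED_PAGE = (
    "<html><head>"
    '<script src="//coinhive.com/lib/coinhive.min.js"></script>'
    "<script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', "
    "{throttle: 0.3}); m.start();</script>"
    "</head><body><p>Article text</p></body></html>"
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page))
```

Two design points matter for the WordPress case the article cites: the host check deliberately ignores first-party paths, because a hacked site's injected loader usually points off-site, while a copy of the miner dropped into the site's own theme directory needs a file-integrity check rather than a URL blocklist; and the inline marker is a heuristic that a loader served through WebAssembly or an obfuscator (as one commenter below anticipates) would not trip, so it belongs alongside, not instead of, a domain blocklist.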
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: coinhive, cryptocurrency, miners
Reader Comments
The problem of people discovering bitcoin miners in web sites should go away shortly.
Mostly because all the major browsers finally support WebAssembly. JavaScript (and C++ and other languages) can now be sent to your browser in compiled form, making it much harder to figure out what they're doing.
So, yay?
Re: Re:
Imagine Netflix doing this. "Your ISP is limiting your video stream to Standard Definition. It would be a shame to waste all that GPU capability, so we'll just have the video codec also mine bitcoin while you're watching. Cheers!"
Re: Re: Re: Re:
As well, who's to say Netflix will turn the mining off once you're done watching?
Re: Re: Re: Re: Re:
I don't think mining coin on peeps CPU is a problem, as long as the users KNOW and have explicitly agreed to and as long as there is a fair exchange of value.
heck, I might let my machine sit and crunch for them if I get fair compensation in return.
In short, as long as all parties know & agree, then it's not a problem. What I feel is fair compensation may not be what another feels is fair compensation, but that needs to be their decision.
Re: Re: Re: Re: Re:
CPUs are not generally considered to "wear down" with usage, as long as they're properly cooled. There should be no real effect on lifespan. Even servers used at 100% for years, as in scientific clusters, are retired because more efficient computers come along, not because they've worn out.
Re: Re:
I expect someone is already looking at embedding JavaScript bitcoin miners in PDF files. Device and app manuals, pirated eBooks, electronic invoices, etc.
Or non-pirated eBooks. Add it to fanfic, put a cheap price on it and upload it to the eBook stores. A reader might have it open for hours, rather than a quick website visit.
I wonder if you could bypass the malware detection in the Apple or Android stores by uploading a perfectly clean app, with the bitcoin miner in the PDF manual.
Re: Re:
Since code obfuscators exist for other environments to derail decompile efforts, I expect they'll quickly be created for WebAssembly.
Re:
What a great idea! Let's make it even easier for web sites to covertly run code on users' systems! I'm sure this will never be abused...
"Malicious"
Uh, they're not doing that out of malice (i.e. a desire to harm their users), they're doing it out of greed. An infinite loop would be easier and work just as well for malice. This is nonmalicious sociopathy, par for the course on the web (and an opt-out option wouldn't change this).
Re: "Malicious"
The Latin root word mal means “bad” or “evil.” This root is the word origin of many English vocabulary words, including malformed, maltreat, and malice. You can recall that mal means “bad” through malfunction, or a “badly” working part, and that it means “evil” through malice, or intentional “evil” done to another.
It's just bad, m'kay?
Re: Re: "Malicious"
And malice specifically means an intent to do evil or to harm others. I don't think the people running these scams give a shit about others. They've probably even got some justification so as not to consider themselves wrongdoers.
... probably not bitcoin
CoinHive's javascript miner mines monero, which is a wonderful, privacy-centric cryptocurrency -- but it is not bitcoin (the original cryptocurrency).
Just a point of clarity. "Bitcoin" is not generic for cryptocurrency; bitcoin is a specific cryptocurrency.
Re: Re:
https://hackademix.net/2017/11/14/double-noscript/
Re:
In all seriousness, way too many companies are designing their websites to be unusable unless Javascript is enabled.
Want to read the article? Enable Javascript so the formatting isn't screwed up.
Want to see the images in the article? Enable Javascript to see them.
Want to leave a comment on the article? Enable Javascript so the page will display the Facebook commenting system.
NEVER consent to crypto-currency mining on your computer by a website
I can't believe how many people I've seen at sites like reddit saying that these miners might be a good alternate to web ads, it's like they can't think ahead a few steps.
For the non-computer literate, here's why bitcoin mining in place of ads is a bad idea, even with user permission.
We're not talking about just one site using it. We're talking about the potential for many of the websites you visit to start using it in place of ads. Even people with top of the line computers will find their computers brought to their knees if they have enough websites open running crypto-currency miners.
What's to stop people from just running crypto-currency miners? This loophole to covertly mine crypto-currency is a GREAT way for a would-be hacker to potentially do other malicious things to your computer too. I GUARANTEE you we'll hear about some nasty virus in the future disguising itself as a mining app.
This is why I immediately added crypto-currency mining to my block list in uBlock Origin the second I heard of the first story of these miner leeches.
Re: NEVER consent to crypto-currency mining on your computer by a website
"it's like they can't think ahead a few steps." -- Wrong! It's not "like", it's THAT, AND WON'T. --
Now, do you rail at Google using javascript to gain money? Why not? Same principle, and why I rail here at Google. But it's like you can't think ahead a few steps...
Re: NEVER consent to crypto-currency mining on your computer by a website
And what ever makes them think that mining would only be "instead of" and not wind up "in addition to" ads? Idiots.
Re: NEVER consent to crypto-currency mining on your computer by a website
Both ads and miners have the risk that they will behave like parasites to the host -- gobbling up bandwidth, power, and attention. But with miners, I can imagine a future where miners will play nice, use limited resources, and become a kind of micropayment for using the website.
But you don't mind Google mining info bits to track you?
However, since you can't turn off javascript in many browsers now, just admire the infernal ingenuity of your high-tech prison...
Re: Re: But you don't mind Google mining info bits to track you?
Evidently Techdirt fanboys are down to one character replies.
Re: Re: Re: But you don't mind Google mining info bits to track you?
k
Re: Re: Re: Re: But you don't mind Google mining info bits to track you?
Apparently you're living in 2016....
You can get entirely de-centralized websites now, where the entire HTML codebase is held on multiple machines.
Tor not required, as to prevent Dcent sites you'd basically need to block 99% of all IP addresses to be sure..
Re: Re: Re: But you don't mind Google mining info bits to track you?
"Why aren't you talking about what I want you to talk about" isn't worth responding to.
Re: But you don't mind Google mining info bits to track you?
But then disabling Javascript means that you can't see any of those hidden ("flagged") comments in Techdirt, the non-pc opinions which are often the most truthful and informative comments, as well as the most discussed and debated.
Re: Re: But you don't mind Google mining info bits to track you?
Does disabling stylesheets not work any longer? (Of course it would be better for Techdirt to fix that problem so it's not necessary.)
The Tor Browser security slider is another way to disable Javascript. At "high" it's blocked.
[ link to this | view in chronology ]
Doesn't really matter. If a company makes anything, it is pure profit because they are using visitors processors and energy. Zero costs and any payoff means a good ROI.
Re: Re:
Depends on who you are. For the little people, yes. For others it's just good business.
Possible wrong link
was that intentional?
That article does mention both Pirate Bay and showtime though...
[ link to this | view in chronology ]
Ahhhh Ha - and there is the problem.
[ link to this | view in chronology ]
Added Coinhive.com to the always block rule on my stand alone firewall appliance as another layer of defense.
It is crap like this that totally destroy the "But we have to have auto load via javascript ads in order to survive" arguments many websites make. If you can't secure your main page, how are you going to secure the automated sell to highest bidder auto load script ad?
It is a less intrusive model than advertising
If the client side allocates a core specifically for this, then they should be fine. The problem people are experiencing with latency is likely mostly due to shitty thread handling in browser implementations, and shitty cracking code in the early versions of this tech.
That hopefully will get solved as the tech standardizes. The problem is that sites will use both, instead of using one or the other.
It would be nice to see a webring that moves entirely over to this tech, and abandons web based advertising completely. I would totally prefer sites do this, instead of web based ads.
The only way that advertising survives AI based filtering, is if the computers themselves are only rented. And I'm sure there are some lobbyists and congressmen actively working on pursuing just such a crime against the Constitution.
So we'll see. My guess is it will be a crime to release software in the near future, unless it has first gone through some kind of "federal modification" process. When I was a kid I had a T-shirt that said "skateboarding is not a crime". Now I expect I will soon have one that says "programming is not a crime". Funny how things stay the same.
Re: It is a less intrusive model than advertising
This raises an interesting question—if a web service is going to waste cycles, would you rather have those cycles go toward mining currency or your browsing habits? Resource usage being equal, the former might be preferable.
That said, I’d hardly call it “nice” to be asked to “allocate a core” for currency mining to view a bit of HTML.