Level 30
Feb 4, 2016
Operating System
Windows 8.1
The cryptojacking trend is not showing any signs of stopping anytime soon, and recent reports highlight some peculiar new ways that miscreants have found for pushing in-browser miners down their users' throats.

Hiding in Starbucks' WiFi network
Probably the most interesting cryptojacking-related event that has taken place this month took place at a Buenos Aires (Argentina) Starbucks store.

According to Noah Dinkin, founder of an NY-based startup, the store's WiFi network was modified to inject JavaScript code in everyone's connections, embedding a copy of the Coinhive miner in all pages loaded via the Starbucks in-store WiFi.
Hiding on GitHub
Another creative method of hiding Coinhive miners was also documented this week by Sucuri experts.

The company says it noticed cryptojacking scripts hosted and loaded from GitHub repositories inside legitimate websites via hidden iframes. This is nothing groundbreaking when it comes to malware delivery, but it is the first time this tactic has been used for in-browser mining script delivery.

This is just one of the many different methods that cryptojackers have used to hide their code. Previously they tried to disguise in-browser miners as jQuery, Google Analytics, tech support widget, EU cookie consent, and Cloudflare-related JavaScript files.
Hiding in pirate video streaming services
A while back, someone launched a website named WhoRunsCoinhive that keeps track of high-profile sites using the Coinhive in-browser miner.

The website also includes a list of top Coinhive deployers. While The Pirate Bay clearly dominates that list, most of the other sites included in the ranking are illegal video streaming services.

The penchant for hosting cryptojacking scripts on video streaming services has also been noted this week by AdGuard, a company that makes an ad-blocking extension that can also block in-browser miners.

AdGuard says that it's seen cryptojacking scripts loaded on popular pirate video streaming services such as Openload, Streamango, Rapidvideo, and even video-converter portal

Unless users are using an antivirus or ad-blocking extension capable of blocking these scripts, users visiting these sites are donating their CPU power to mine Monero funds for the owners of those sites.

All in all, miscreant website owners don't seem to be deterred by the fact that antivirus companies and ad-blocker extensions are adding support for blocking in-browser mining operations, and are just swarming to cash in on their userbases before Chrome or other browsers move in to natively block cryptojacking scripts.

Last but not least, US security researcher Tory Mursch, who's been ardently tracking cryptojacking threats since September, has also discovered a new in-browser service that launched this month called Minr. At the time of writing, around 100 sites are using it.