Is National Geographic website mining moneta cryptocurrency

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
On nationalgeographic.com home page I've found cryptocurrency moneta mining ... In Developer Tools/Console you have this: Found mining: moneta
"Mining scheme found/stopped" by Chrome extension Mining Blocker.
On the National Geographic website I see about 70% CPU load today, March 16, 2018.

On Firefox/Inspect Element tool/DOM and Style Inspector - we read:
"Found mining: moneta bg.js:148:25
The resource at “https://se.monetate.net/js/2/a-07e257bc/p/nationalgeographic.com/entry.js” was blocked because tracking protection is enabled."
- so thanks to Firefox tracking protection!
- and "Mining scheme found/stopped" read on the icon of Firefox add-on Mining Blocker.

On the bitcointalk.org: ►【RELEASE】【MONET】★ MONETA ★【 DPI technology 】 E-Cash Peer-to-peer system - we read:
"MONETA - eCash Peer-to-peer system. Open source internet Solution with Blockchain Powerful Technologies.
MONETA is a consensus network that enables a new payment system and a completely digital money.
It is the new decentralized peer-to-peer payment network that is powered by its users with no central authority or middlemen." ...

- More and more websites are mining today...
Where are we going with this parasitic behavior?
 

Prorootect

Is National Geographic website mining moneta cryptocurrency topic...
Website home page: nationalgeographic.com/: National Geographic: Stories of Animals, Nature, and Culture

On nationalgeographic.com home page I've found cryptocurrency moneta mining, I think...

1. In Chrome Developer Tools/Elements I have always:
<!-- Begin Monetate ExpressTag Sync v8. Place at start of document head. DO NOT ALTER. -->
<script type="text/javascript">
var monetateT = new Date().getTime();
... "e.monetate.net/js/2/a-07e257bc/p/nationalgeographic.com/entry.js";
... </script>
then: <!-- End Monetate tag. -->

- and in Console I have:
"https://se.monetate.net/js/2/a-07e257bc/p/nationalgeographic.com/entry.js Failed to load resource: net::ERR_BLOCKED_BY_CLIENT" - that's why I don't see mining?...

2. In Firefox developer tools (right click/Inspect Element) I see under 'DOM and Style Inspector', this: "Begin Monetate ExpressTag Sync V8. Place at start of document head. DO NOT ALTER. ...script...End Monetate tag." - Maybe this is the mining script, could you confirm this, please? - because I'm not a developer...
Then under Web Console, I see this:
"Found mining: moneta bg.js:148:25
The resource at “https://se.monetate.net/js/2/a-07e257bc/p/nationalgeographic.com/entry.js” was blocked because tracking protection is enabled."
- thanks to Firefox tracking protection.

So these two points above are the proof that nationalgeographic.com has mining script for mining moneta, and at every moment can start mining again, I think - could you confirm this, please?..


Mining Blocker
: link to FF add-on: Mining Blocker – Add-ons for Firefox
...and Chrome extension here: Mining Blocker
- first refresh the page - then Mining Blocker notices the mining situation: icon turns green, and tells me: "Mining scheme found/stopped".
Found - I agree, but it doesn't stop the mining script...right now there is no mining action - maybe cause my blockers?...

This morning I don't see mining here (so 0 to 4% CPU), because of my blockers maybe, but this situation can change at any time... Yesterday morning there was 70% CPU load.
I have given you the mining proofs I think... but I would ask MT members to check the validity of my discovery...
Thank you all!

EDIT:
Now it is mining - I have 50% CPU load...

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Thanks for the share @Prorootect

What I found is that the monetate domain is a site analytic as also can be seen in Ghostery. The same addon in Opera ( Mining Blocker ) does not activate ( light up green ) for unknown reason on National Geographic but I can confirm it does with Firefox. I asked Matt the developer because without the addon or any other layer nothing special happens on my machine. The CPU is idle around 5-8% and that's with IE, Opera and Firefox latest versions. I could of course be wrong as my ISP perhaps has an unknown layer that protects me and especially since @Prorootect gets a CPU spike.

The last thing for now is that I wonder who in their state of mind would mine moneta? That cryptocurrency is worth : 0,00000005 BTC and in USD that's 0,000398. It's almost completely worthless and its homepage/s is not active.

Prorootect

Is National Geographic website mining moneta cryptocurrency topic...
Website home page: nationalgeographic.com/: National Geographic: Stories of Animals, Nature, and Culture

I'm on a nationalgeographic.com article ("As America Changes, Some Anxious Whites Feel Left Behind"): 70% CPU load on my Core #1; the cryptocurrency moneta miner is (looking at Process Hacker) the latest chrome.exe instance, PID 2700, Working Set (= memory use) of 125.4 MB, on my Chrome fork (Cent browser).
In its process Properties/Job - I have Name: "(unnamed job)" - so I click on the "Terminate" button at its right - then instantly the article page turns grey, without content and with 0% CPU load, finally...;) - OK, it's normal.
After reloading the page, the article is here again, and again moneta mining runs with 70% CPU load; chrome.exe changes its PID...

No rescue at all? There is no need to go barefoot? - demand my DeepL translator...

Nonetheless se.monetate.net is "blocked" in all 3 of my script blockers, and Mining Blocker repeats: "Mining scheme found/stopped" - found yes, but stopped - no. But upnorth confirms that se.monetate.net "domain is a site analytic as also can be seen in Ghostery." - thank you!...
but in the Console of Developer Tools we read well: " Found mining: moneta bg.js:141 "


Now - I've 75-84%CPU load on Core #1...

- then I've found the simple ways to bring down load to 0%CPU.

But continuation of this story would be in my next post, soon... trust me.
 
ForgottenSeer 58943

Pi-Hole blocks the coin miners on this outright. Here's some of what is blocked when I hit that site.

2018-03-17 18:18:14 IPv4 www.google-analytics.com 192.168.1.102 Pi-holed
2018-03-17 18:17:59 IPv4 js-agent.newrelic.com 192.168.1.102 Pi-holed
2018-03-17 18:17:58 IPv4 cdn.segment.com 192.168.1.102 Pi-holed
2018-03-17 18:17:58 IPv4 tags.tiqcdn.com 192.168.1.102 Pi-holed
2018-03-17 18:17:58 IPv4 cdn.blueconic.net 192.168.1.102 Pi-holed
2018-03-17 18:17:58 IPv4 se.monetate.net 192.168.1.102 Pi-holed
2018-03-17 18:17:32 IPv4 www.googletagmanager.com 192.168.1.102 Pi-holed
2018-03-17 18:17:10 IPv4 stats.g.doubleclick.net 192.168.1.102 Pi-holed
2018-03-17 18:17:03 IPv4 edge.quantserve.com 192.168.1.102 Pi-holed
2018-03-17 18:17:03 IPv4 widget.quantcast.com
 

upnorth

Took me just a few seconds to scroll through the National Geographic: Stories of Animals, Nature, and Culture source code and the only thing I found linked to monetate.net was at the end:
Code:
<!-- Begin Monetate ExpressTag Sync v8. Place at start of document head. DO NOT ALTER. -->
    <script type="text/javascript">
    var monetateT = new Date().getTime();
    (function() {
        var p = document.location.protocol;
        if (p == "http:" || p == "https:") {
            var m = document.createElement("script"); m.type = "text/javascript"; m.src = (p == "https:" ? "https://s" : "http://") + "e.monetate.net/js/2/a-07e257bc/p/nationalgeographic.com/entry.js";
            var e = document.createElement("div"); e.appendChild(m); document.write(e.innerHTML);
        }
    })();
    </script>
    <!-- End Monetate tag. -->

The exact same script example is found here : Monetate Destination Documentation - Segment

Then linked to : Optimization & Personalization Platform | Monetate

 

Prorootect


Yes, but Mining Blocker works on this website (home page and some articles, not all).
And, in the first post, I wrote:
"On Firefox/Inspect Element tool/DOM and Style Inspector - we read:
"Found mining: moneta bg.js:148:25"

- then in the Post #3 I wrote:
"Then under Web Console, I see this:
"Found mining: moneta bg.js:148:25"

... and in the Post # 5:
"but in Console of Developer Tools we read well: " Found mining: moneta bg.js:141 "

...and CPU load of 70% sometimes... result of mining, isn't it?

Prorootect

ForgottenSeer 58943 said: "Pi-Hole blocks the coin miners on this outright. Here's some of what is blocked when I hit that site."

Yes, all these are blocked here by the Chrome extensions I use: Domain Whitelist, ScriptSafe, Script Blocker for Chrome.

Firefox native tracking protection blocks cryptocurrency miners.
 

upnorth

The CPU load you get could for sure be a result of mining. I agree but I highly doubt it's from the monetate.net script as that is connected to an Analytic site and not a mining platform.

The moneta bg.js is interesting but I am not able to find that in the source code so could you please see if you can find the exact spot/place where it's located? A screenshot could help.
 

Prorootect

"But continuation of this story would be in my next post, soon... trust me."

- So here you have 5 (five) easy methods blocking cryptocurrency mining - by Firefox/Chrome add-ons/extensions I use:


1. Block your main domain in "Script Blocker for Chrome" extension - result: no mining (CPU load 0%), no images.

2. Block main domain in ScriptSafe - result: no mining, no images.

3. Block all scripts in Policy Control (Firefox and Chrome) - result: CPU load 0% too, no images.

4. Blacklist the webpage by clicking on the YesScript add-on icon - so no more images, and no more mining.

5. Click on the BehindTheOverlay icon and leave the little window on the website page - you get instantly 0% CPU load (so mining is stopped), and for reading further down, close the small window, scroll further down, then click again on the icon etc etc.


If you have more tips, post here, please.
 

Deleted member 65228

The snippet @upnorth posted which is executed locally as the script is embedded within the main document, here's a break-down.

Code:
<script type="text/javascript">
var monetateT = new Date().getTime();
(function() {
    var p = document.location.protocol;
    if (p == "http:" || p == "https:") {
        var m = document.createElement("script"); m.type = "text/javascript"; m.src = (p == "https:" ? "https://s" : "http://") + "e.monetate.net/js/2/a-07e257bc/p/nationalgeographic.com/entry.js";
        var e = document.createElement("div"); e.appendChild(m); document.write(e.innerHTML);
    }
})();
</script>

1. The monetateT variable is actually obsolete, it's not referenced at all therefore it shouldn't even still be there. You can ignore that, the website developers haven't cleaned their code up for a while it seems.
2. A check is made to determine whether the current website supports Hyper Text Transfer Protocol (HTTP) or Hyper Text Transfer Protocol Secure (HTTPS) - well, which one it currently is.
3. JavaScript is injected into the document.

#3 - different source will be used for the injected JavaScript depending on whether the protocol is HTTP or HTTPS. If the protocol is HTTP then the JavaScript injected and executed locally will be sourced from http://e.monetate.net/js/2/a-07e257bc/p/nationalgeographic.com/entry.js whereas if the protocol is HTTPS then the JavaScript will be sourced from https://se.monetate.net/js/2/a-07e257bc/p/nationalgeographic.com/entry.js.

The local injection works by creating a new HTML element (a <div></div>) and then inserting the element holding the dynamically-linked script within the newly created <div>. The document.write being carried out completes the job.
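
A way to triage a console hit like "Found mining: moneta" against the tag broken down above, as an added example that is not code from this thread, from Monetate or from Mining Blocker. How the extension actually matches is not shown in the thread; the substring keyword check, the keyword list and the host list below are assumptions constructed for illustration.

```javascript
// Added example: rebuild the URL the quoted tag requests, then compare a
// keyword (substring) check with a parsed-hostname check on that request.

// Same selection logic as the inline tag: only http: and https: pages load it.
function monetateTagSrc(protocol) {
  if (protocol !== "http:" && protocol !== "https:") return null;
  return (protocol === "https:" ? "https://s" : "http://") +
    "e.monetate.net/js/2/a-07e257bc/p/nationalgeographic.com/entry.js";
}

// Assumption: a detector that looks for coin names anywhere in the URL.
// KEYWORDS is a constructed list, not taken from any real extension.
const KEYWORDS = ["moneta", "examplecoin"];

function keywordHits(url, keywords = KEYWORDS) {
  const lower = url.toLowerCase();
  return keywords.filter((k) => lower.includes(k));
}

// Host-based check: the parsed hostname must equal a listed domain or be a
// subdomain of it. MINER_HOSTS is a constructed placeholder list.
const MINER_HOSTS = ["miner-pool.example"];

function hostListed(url, hosts = MINER_HOSTS) {
  const host = new URL(url).hostname.toLowerCase();
  return hosts.some((h) => host === h || host.endsWith("." + h));
}

// A keyword hit without a listed host is a lead to check by hand
// (fetch the script, profile the tab), not a confirmed miner.
function triage(url) {
  const hits = keywordHits(url);
  const listed = hostListed(url);
  let verdict = "no-match";
  if (listed) verdict = "listed-host";
  else if (hits.length > 0) verdict = "keyword-only";
  return { host: new URL(url).hostname, hits, listed, verdict };
}

// Both URLs the tag can produce, depending on the page's protocol.
const report = ["http:", "https:"].map((p) => triage(monetateTagSrc(p)));
console.log(report);
```

Both URLs the tag can produce contain the string "moneta" inside the hostname label "monetate", so the keyword check fires on them while the host check does not.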
 

upnorth

Lost my patience waiting for source number four ( F-Secure ) that promised me to get back but never did and not even after 2 previous separate submissions where I did select the option for feedback. Plump in my book on their customer support.

After reaching out and submitting the url and also sharing this thread three other vendors did an analysis and here are their reports.

Heilig Defense
Nothing on NatGeo caused any type of mining reaction on our systems.

GData
We have analyzed the website you reported, but could not identify any malicious code.

Heimdal Security
We do not consider nationalgeographic.com as malicious. No details that point towards it being infected.
 

Prorootect

Thank you very much upnorth for your actions and findings! Heilig Defense response is best!

My questions are valid, for today too:
Why do I have, now, after starting the home page of NationalGeographic.com: National Geographic: Stories of Animals, Nature, and Culture - 50-70% CPU load on CPU core #1 only (for a few minutes, and this load changes sometimes to 0% CPU load) - on Chrome (Cent), with Mining Blocker activated, on green, which says "mining scheme found-stopped"... so no changes since I've posted this topic...
In Firefox, Mining Blocker is activated, but CPU load is 0%.

In Developer Tools/Console:
"chrome-extension://pdfmjofghakibffjolhholonbdoajbna/bg.js:141 Found mining: moneta"

/etc/designs/platform/v3/scripts/ngs-global.ngsversion.5aab2046.js:7
"Unable to load page menus. Please refresh the page.
Menu items will populate when data is loaded." - highlighted in red...

"Mixed Content: The page at 'National Geographic: Stories of Animals, Nature, and Culture' was loaded over HTTPS, but requested an insecure image 'http://www.nationalgeographic.com/false/'. This content should also be served over HTTPS."
 