The Internet Is Ripe With In-Browser Miners and It's Getting Worse Each Day

LASER_oneXM

Level 26
Content Creator
Joined
Feb 4, 2016
Messages
1,512
OS
Windows 8.1
Antivirus
Kaspersky
#1
Ever since mid-September, when Coinhive launched and the whole cryptojacking frenzy started, the Internet has gone crazy with in-browser cryptocurrency miners, and new sites that offer similar services are popping up on a weekly basis.

While one might argue that mining Monero in a site's background is an acceptable alternative to viewing intrusive ads, almost none of these services that have recently appeared provide a way to let users know what's happening, let alone a way to stop mining behavior.

In other words, most are behaving like malware, intruding on users' computers and using resources without permission.
Coinhive clones everywhere!
We've already covered Coinhive's impact on the malware scene and its quick adoption by malware authors in a separate report. Since then, we also reported on Crypto-Loot, the first Coinhive clone to pop up online.

Since our last reports on Coinhive and Crypto-Loot, respectively, the in-browser cryptocurrency mining market has become incredibly crowded.

Bleeping Computer spotted two new services named MineMyTraffic and JSEcoin, while security researcher Troy Mursch also spotted Coin Have and PPoi, a Coinhive clone for Chinese users.
..
.....
..
On top of this, just last night, Microsoft spotted two new services called CoinBlind and CoinNebula, both offering similar in-browser mining services, with CoinNebula configured in such a way that users couldn't report abuse. Furthermore, none of these two services even have a homepage, revealing their true intentions to be deployed in questionable scenarios.
Coinhive takes steps into the right direction
Most of the newly spotted Coinhive clones are exactly what you think they are. These are sites that provide a Monero miner specifically built for stealth mining, most likely created and ran for malicious purposes.

Of all the sites we have inspected, only the original Coinhive seems to be interested in being a valid alternative to classic ads. Recently, the service launched a UI widget that lets users start or stop the mining process.



The service took another step in the right direction this week on Monday, when Coinhive launched AuthedMine, a service similar to the original Coinhive service, but which won't start until the user clicks an opt-in.


Coinhive launched AuthedMine after criticism from the media, the public, and after ad blockers and antivirus vendors blocked its main domain because of the repeated abuse.
 

Opcode

Level 28
Content Creator
Joined
Aug 17, 2017
Messages
1,733
#2
It was always bound to happen; miners being distributed in software-form were starting to get much more popular also. Now there are web-based in-browser miners, attackers will move to this as the chances of it providing successful results maybe higher than when in software form.

Thankfully, there are script blockers which can prevent crypto-currency mining when we are browsing online. More importantly though, we need to make sure we understand what websites we are viewing and to only view trusted and reputable websites to prevent running into anything harmful or unwanted in the first place if possible.

Some services (e.g. there was one VPN provider which does this now) actually allow crypto-currency mining as a form of payment to use services now. I am not sure how many people were in favour of such a thing though...

Crypto-currency mining may be attempted to be used as an alternate to advertisements, but then it will just be blocked like how ad-blockers were released to stop advertisements. And the chances are, it'll be easier for us to block crypto-currency miners than not. When I use an ad-blocker, I don't think I ever really run into advertisements at all.
 
Joined
Oct 18, 2017
Messages
38
OS
Other OS
#3
understand what websites we are viewing and to only view trusted and reputable websites to prevent running into anything harmful or unwanted
Strongly agree with that statement.
Here is a trusted No Script addon for fireofx which will stop those crypto-currency mining. Keep in mind most of the websites will look broken if you use such extension. :(
NoScript Security Suite
 
Joined
Feb 10, 2017
Messages
1,005
OS
Windows 10
Antivirus
Comodo
#4
For anyone using AdGuard, you're already opt-in (although I'm not sure which miners this applies to besides Coinhive).


My issue isn't with the mining itself but the fact you can't tell if the website is using one of said miners to generate revenue in place of ads (which I have little problem with as it doesn't infringe on my privacy and can't serve up an exploit kit or malware) or if the website has been compromised and the miner's been inserted to funnel money to blackhats.
 
Last edited:

Opcode

Level 28
Content Creator
Joined
Aug 17, 2017
Messages
1,733
#6
Thanks for the heads up on this and I'll admit I'm a little thick but even after reading the article in the link at the top I don't see what it is their mining.
Crypto-currency. :) Such as Bitcoin, Ethereum, SiaCoin (BTC, ETH, SC).

Crypto-currency are basically currencies which are not "legally used" in real-life but are digital-based. By "legally" I don't mean they are illegal, anyone can use crypto-currency currencies... But the fact is that they are often used for online criminal activity online, via the dark-web for instance. This is because they may be more "anonymous" than using normal currencies via services like PayPal, but that doesn't mean they are full-proof because 100% anonymity/privacy doesn't exist.

Crypto-currency can be exchanged for normal currencies (e.g. BTC to PayPal or Bank Transfer exchanges) on other market-places or with individuals, and then the received money from the exchanged would be usable in the real-world (normal sites like Amazon, in shops via your credit card after the bank transfer, etc.).

Crypto-currency is popular with "trading" as well. For instance, a coin is being sold cheap so you buy a large majority and then if the price increases you sell them and make a profit. People have actually profitted in the hundreds of thousands or millions due to this but it is rare for this to happen to the average person with such a large amount of profit. Completely legal to do this though (there isn't even an age restriction as they aren't seen as "legal currencies" for usage in the real world AFAIK).

Mining crypo-currency is basically generating money through using your system resources.

If you get yourself an ad-blocker like Adguard they are already cracking down on in-browser miners so you'll be safer against them. Signs of mining occurring in-browser could be factors such as high CPU usage from your browser, even while the web-page doesn't seem very demanding at all (I'd imagine at least).
 

Opcode

Level 28
Content Creator
Joined
Aug 17, 2017
Messages
1,733
#8
Bastardso_OCan you elaborate on this.
I am not knowledgeable in-depth on crypto-currency mining, I am just starting to research it further. However, the way it works is operations will be performed using your system resources and as a result the people responsible for the mining make money in crypto-currency form. In a situation like you having an active miner either in software or web-form, the owners of it would be making the money while using your system resources... :/

If your resources are used up a lot and for a very long duration, it can also reduce life time of used components. Maybe it is unrealistic to say that systems are damaged in a normal situation but it would be like running an AV scan 24/7 which never stops and keeps in a loop to re-scan recursively, eventually the hardware components will die off due to being overused so much without break.

Active crypto-currency mining will slow you down though I'd imagine since your resources will be used up for other things, leaving less available for things you need to do yourself on your own computer.

It is not uncommon for people to buy good hardware components in bulk for custom builds for use with mining, but there is usually specific hardware designed for mining. I remember recently a lot of GPUs were out of stock because of people wanting to mine a new currency type which there was no specific hardware designed for it, or something alike that.
 

LASER_oneXM

Level 26
Content Creator
Joined
Feb 4, 2016
Messages
1,512
OS
Windows 8.1
Antivirus
Kaspersky
#10
I am not knowledgeable in-depth on crypto-currency mining, I am just starting to research it further. However, the way it works is operations will be performed using your system resources and as a result the people responsible for the mining make money in crypto-currency form. In a situation like you having an active miner either in software or web-form, the owners of it would be making the money while using your system resources... :/

If your resources are used up a lot and for a very long duration, it can also reduce life time of used components. Maybe it is unrealistic to say that systems are damaged in a normal situation but it would be like running an AV scan 24/7 which never stops and keeps in a loop to re-scan recursively, eventually the hardware components will die off due to being overused so much without break.
... yeah... ...thats right.... ...now there is a risk that visiting sites on the web could cause serious damages to your local hardware (e.g. overheating) .... :mad:
 
Joined
Apr 5, 2017
Messages
439
OS
Windows 7
Antivirus
Emsisoft
#11
What a brilliant explanation @Opcode, thank you. I had obviously read about mining on here but didn't really understand it (surprise, surprise) but today i have actually learnt something, woo hoo, get me (y) P.S. - I have "no coin" extension to help protect me in some way.
 

_CyberGhosT_

Level 52
Trusted
Joined
Aug 2, 2015
Messages
4,178
OS
Linux Mint
Antivirus
Default-Deny
#13
For those of us that use AdGuard, Boo-Berry over that the AdGuard site has the following added to his "User Rules"

To block Coin Hive:
In addition, I also have these CoinHive rules in my user filter to fully block it.

Code:
||coin-hive.com/lib/coinhive.min.js^$script,empty
||coin-hive.com/lib/cryptonight.wasm
If you want to completely block the CoinHive domain, use this rule (keep in mind you won't be able to visit coin-hive.com with this rule!):

Code:
||coin-hive.com^$empty
Using this last rule is a bit extreme, but it does work.
Quoted from ( Source): Coinhive & similar blocking

** Here you can get a hold of the "Nocoin" list, as well as some other lists you may have not known about or had access to: FilterLists
I added 2 and all I did was click on "Add" and AdGuard did the rest.
Hope this helps. PeAcE
 
Last edited:

Opcode

Level 28
Content Creator
Joined
Aug 17, 2017
Messages
1,733
#15
Yeah, this is the new future, not ads, not malvertizing, but this.... Mining.
If it allows them to make money then they will do it. Mining has a reduced risk on punishment as well compared to malvertising I'd imagine, which will probably encourage people to do it more than things like that.

Don't worry about it IMO. We will tackle mining just as good as we do when it comes to advertisements/malicious advertisements and pop-ups soon. If you see the post by @_CyberGhosT_ above ( The Internet Is Ripe With In-Browser Miners and It's Getting Worse Each Day ) we can see that Adguard is very useful right now too :)

They aren't going to win without a fight... make them cry and wish they never wasted their time trying to be successful with it!!
 

Opcode

Level 28
Content Creator
Joined
Aug 17, 2017
Messages
1,733
#18
How?what is the relation between CPU usage and bitcoin? I don't understand it:notworthy:
Your system power is used to mime bitcoin. The CPU (Central Processing Unit) is the heart of instruction execution on your system (usually - in a way we are leaning towards GPU technology for the future I think), thus your CPU usage increases.
 
Joined
Nov 25, 2017
Messages
1
OS
MacOS High Sierra
Antivirus
Avast
#20
SO I just re install OS sierra .... lol got backups on usb/ prob infected . got the cryptonight tri .. in avast picks it up only in log var/db/uuidtext/7b/bc...64
malwarebytes does not pick up on it. once I reboot it finds it in the var/db//// folder under same file name..... was a miner for mac that got me.