It was not only there that visitors' CPUs ran hot. The official website of footballer Cristiano Ronaldo and the legal streaming portal Showtime.com from the US broadcaster CBS have also used the mining software in the meantime. The ad blocker vendor Adguard estimates that just three weeks after the new technology was introduced, around 500 million people worldwide were visiting websites each month on which such scripts were used. Most legal providers switched the mining software off once its use became known; the illegal ones did not. According to Adguard, the sites most frequently affected by the new malicious software are streaming sites, file-sharing portals, porn sites and, last but not least, news magazines.
How does crypto mining work?
The idea behind it is as simple as it is ingenious. The more frequently and the longer a website is visited, the greater the yield. Coinhive retains 30% of the mined Monero value; the remainder goes to the operators of the sites. Monero (XMR) is used because mining Bitcoin has not been worthwhile for some time. In addition, Cryptonight, Monero's algorithm, is perfectly suited to the hardware of normal laptops and desktops. The computing power of graphics cards cannot be used directly from the browser, the makers of Coinhive say in their FAQ. That would be possible, if at all, only by means of the WebGL programming interface. But that would be hellishly complicated to program, and the mining process would be much too slow and thus unprofitable.
Websites that invite visitors to linger are particularly attractive. Besides online games, these are mostly traditional forums, where much is discussed and read, or pages on which TV series and movies can be watched. According to calculations by TorrentFreak, The Pirate Bay could earn up to 12,000 US dollars a month from mining alone, provided the script is built into all pages of the torrent indexer and set to the maximum load on the visitor's CPU. With more than 19.32 million hits per month, that would add up to a lot of money. But the service provider Cloudflare has already responded and thrown out several pirate sites that had used their visitors' hardware without the visitors' knowledge. No online pirate can afford to be kicked out by Cloudflare, because without this provider's effective DDoS protection a site is completely defenseless. In addition, Cloudflare obscures the actual location of the web servers to protect them from access by the rights holders. But the prospect of high revenue is tempting, which is why some portals in the gray area still have their mining scripts activated.
Cybercriminals interpret Coinhive as an invitation
What began as a good idea also attracts cybercriminals, who come up with completely new revenue models. Trend Micro security researchers have already found several apps in the Google Play Store that came with this mining software. Coinhive's own website explicitly advises against using this code because of the high battery load, but it is still done.
Security researcher Troy Mursch from Las Vegas has recently uncovered a particularly inventive twist. On Black Friday, the sales day of numerous online shops, the script was hidden in the shop extension LiveHelpNow. According to media sources, this live chat service for e-commerce vendors is used on more than 1,500 websites, among them the British producer Herring Shoes, the US boxing equipment maker Everlast and Micron Technology, the manufacturer of the flash memory brand Crucial. The cybercriminals also took advantage of the public holiday on November 23 in the United States, hoping that most administrators would not notice the intrusion until many hours later. So far, it is not clear how LiveHelpNow came to be abused for mining Monero.
To name just one more example of unauthorized mining: in the summer of 2017, several Windows PCs were infected with a Trojan that worked on the basis of the NSA backdoor DOUBLEPULSAR. After taking over PCs running 32- and 64-bit versions of Windows, the malware first checked whether sufficient resources were available for the calculations in the background. If the CPU was too slow, the Trojan was not installed.
And even the makers of Coinhive themselves seem to reject any responsibility. A spokesman told the P2P blog TorrentFreak that they merely make the server and their own script available. The operators of Coinhive do not consider it their responsibility to check where their customers come from and whether their websites comply with the applicable law. They say they do not have the technical resources to do so. Apparently, some hackers have misunderstood this rather progressive attitude as an invitation.
AdBlockers complicate the new business model
Like a knife, the miner is a double-edged sword: it can be used for both good and bad. For the maintenance of larger blogs or forums, this new form of community support may play a role in the future. There is no need to overdo it like Cristiano Ronaldo and set the CPU load to the maximum; less will do. And since the release of several WordPress plug-ins at the latest, every webmaster can take part in mining even without any programming knowledge. As long as the visitors are informed about this step and can turn it off, there is basically nothing wrong with it.