The Wild West of drive-by cryptocurrency mining

As more and more Coinhive clones continue popping up, chances of users’ CPU power being hijacked for cryptocurrency mining are rising.

According to Malwarebytes’ latest figures, their AV solution blocked an average of 8 million cryptojacking attempts per day from late September to late October. And that’s just the attempts tied to Coinhive domains and proxies!

Censys’s search engine reveals that nearly 900 of the top one million most visited sites runs the Coinhive script.

Since its initial API was so widely abused by unscrupulous site owners and hijackers, as well as blocked by many ad blockers, Coinhive created a new API that prevents website owners from forcing the cryptomining onto their visitors without their permission.

Still, the old API hasn’t been retired, and we don’t know if or when it will.

Unfortunately, for now Coinhive is the only player in this business that is attempting to legitimize the practice of cryptocurrency mining in the browser. Others are simply trying to take advantage of the possibility of making a quick buck (or ten), while it’s still there.

A widespread nuisance

Adding a mining script could be a good move for some sites, if they reveal the fact to its users, limit the CPU usage rate, and stop showing ads. But many unscrupulous individuals are still exploiting their sites’ visitors’ computing power while also showing ads.

Unfortunately, browser-based cryptomining is currently an even better proposition for attackers who manage to compromise sites and inject the mining script without the owner’s knowledge.

In that scenario, the only winner is the attacker, while visitors get higher electrical power bills, slower machines that can overheat and suffer hardware failure, and a poor web experience, and websites (and their owners) suffer reputation damage and lose visitors.

“On its own, a hacked site may not draw much traffic, but attackers can mass scan the web for vulnerabilities and compromise hundreds, or even thousands of sites at once,” Malwarebytes analyst Jerome Segura explained.

Mining code has been already been found in WordPress, Magento, Joomla and Drupal modules, themes and plugins.

“In a few cases, threat actors are double dipping to deliver their intended payload but also inserting some cryptomining. For instance, rogue advertisers have used online ads to load the mining code surreptitiously in malvertising attacks. There is also the case of tech support scammers that use browser lockers to scare victims into thinking they have a virus. The greedy scammers thought that silently mining while users are pondering what to do was a good idea,” he added.

What’s next?

Ad blockers and antivirus vendors are doing good work by continuously adding the various mining scripts to their block lists, but the cryptojacking landscape is changing almost daily. The debate of whether or not Google Chrome should block or flag CPU mining attempts is active, but implementation of protective features is likely still far.

Add to this the fact that the mining code has been finding its way into online ads, WordPress and Magento themes and plugins.

“Browser-based cryptomining has a lot in its favor though, considering that the online ad industry has been dealt many blows over the past few years, in large part due to the increased usage of ad blockers,” Segura noted.

“In the end, the future success of web-based mining as a business model will be based on honest communication with users and the almost mandatory opt-in, which is the main characteristic that differentiates it from drive-by mining.”