The author, David Balaban, is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation.
Coinhive the first browser-based cryptocurrency mining project is becoming a source of income for the Internet malefactors. Its evolution promptly shifts from monetizing website traffic to a workflow of which the army of crypto-crooks benefit.
The design is unique and smart. Well done! Coinhive developers claim it is the best replacement for boring ads. All it needs is an access to the CPU of the device. Websites raise funds while their visitors are enjoying ads-free browsing.
Shortly after the release of the app, the Pirate Bay hosted it for a while. As the visitors’ feedback was unwelcome the Pirate Bay got rid of the novelty.
Alternate explanation suggests the approval was in place, but only for the trial mode. This theory sounds more likely. SetThrottle estimates the Coinhive was running only 3% of the time. In the case of a hack, this ratio would definitely be higher. The alleged intruder would realize the risk of being detected, hence try to get as much as possible as soon as possible.
Latest estimate reveals that top-100 websites like the Pirate Bay may earn 27.5 XMR per month, which is roughly $12,000. Since the Pirate Bay is among top-100 most visited websites, while the Showtime is only at the end of the top 10,000, the latter would earn much less than the former.
Good intentions pave the way to hell. The design of Coinhive is no crime, but the miner follows the sad path of a number of other useful solutions harnessed by crooks. In less than a week after the developers introduced their Monero-making product, the cyber-criminals integrated it widely and deeply into their scams.
Besides, the miners also practice URL hijacking. For instance, the hackers registered a typo-squatted Twitter website, Twitter.com.com (not active anymore). Should you enter the Twitter that way, your browser is to launch the Monero-mining page instead of the true Twitter. Needless to say, you are not going to keep the page open, but even a short visit contributes to the miners’ business. Finally, a number of such misleading websites may generate decent revenue for their holder.
Experts predict the integration of Monero into adware is but a matter of time. Most likely, the crooks are to integrate it into browser hijackers. There is hardly any obstacle that would prevent the adware developers from modifying the original payload of their infections to include the background mining with the Coinhive script.
The Coinhive release is available to anyone willing to mine. Its developers claim they assume no liability whatsoever for the way the app is to be used. The hackers do not care either misusing the miner in every possible way.
Already now, the public has labeled Coinhive mining a crypto-jacking due to its hijacking browsers for the unauthorized mining purposes.
IT security is preparing to withstand wide-scale crypto-jacking campaigns. Major anti-adware vendors blacklisted the Coinhive almost immediately upon its release.
Big news like WannaCry and other ransomware cases, CCleaner and Equifax hacks have already marked this year for IT security, but mining for Monero and other coins is very likely to top the ongoing hacking. Adware is readily available to support the mining scam.
Malware research labs report observing over 1.5 million devices hit by mining apps. The report covers only first half of this year and only 100% confirmed cases. The cryptocurrency miners are also increasingly landing on corporate networks.
The Coinhive developers are proud to admit their tool is way more popular than they could ever dream but their dreams come true in an awkward, if not ugly, way. Hackers heavily misuse the solution and combine it with malware.