The browser cryptojacking scene has just expanded from one player to two with the recent launch of the Crypto-Loot service, a website that's eerily similar to the now notorious Coinhive in-browser miner.
While both services let website owners keep the Monero mined on visitors' computers, the revenue split differs sharply. Coinhive keeps 30% and pays 70% to site operators; the upstart Crypto-Loot is trying to undercut it by keeping only 12% and paying website owners 88%.
Even though both are legitimate services, they have most often been deployed by abusive site operators that mine Monero without telling users, without obtaining their approval, or without giving them a way to turn the mining off.
Abuse has so far outweighed legitimate use that in a recent Twitter poll, 77% of respondents considered in-browser mining technology to be "malware," even though some sites did their due diligence and informed users in advance.
Twitter poll: "What's your opinion on Coinhive's in-browser mining technology?" (Catalin Cimpanu, @campuscodi, September 25, 2017)
Crypto-Loot is a new and, for now, small player on the cryptojacking scene, but we have no doubt it will be abused just as Coinhive has been.
The last time we covered Coinhive abuses, we reported malware authors embedding the library in Chrome extensions, typosquatted domains, and malvertising campaigns.
The script also turned up on big-name sites such as The Pirate Bay and Showtime, and on many more domains in the Alexa Top 1 Million.
The most notorious incidents of sites secretly loading Coinhive mining scripts without telling users involved the websites of AirAsia, TuneProtect, and the official website of Real Madrid star Cristiano Ronaldo. Another list of affected sites is available in this Cyren blog post.
In addition, some Tor2Web proxies have started injecting Coinhive scripts. A user browsing a Dark Web portal through such a proxy in a regular browser may, without knowing it, have the proxy mining Monero on their PC.
One place where the Coinhive script was properly included is Iridium, a Chrome extension for fine-tuning YouTube's interface. The miner is enabled by default, but the extension's developer provides an option to turn it off for users who notice sluggish behavior.
Another proper use of Coinhive is PublicHD, a private torrent tracker, which allows users to gain site credits by letting the site operator mine Monero on their machines.
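The difference between the abusive deployments above and the Iridium and PublicHD cases comes down to three things: the user is told, the user gets to answer, and the answer can be reversed. As an added example (not code from Iridium, PublicHD, Coinhive, or this article), here is a consent gate a site operator could put in front of the miner that enforces all three and is stricter than Iridium's on-by-default toggle: nothing is created or started until the user opts in, and the answer persists across page loads. It assumes Coinhive's documented browser API (`new CoinHive.Anonymous(siteKey, { throttle })`, `miner.start()`, `miner.stop()`); the miner factory is injected so the gate can be run in Node against a fake miner, and the storage key name and the fake miner are assumptions made for the demonstration.

```javascript
// Added example: a consent gate around an in-browser miner. Not code from
// Iridium, PublicHD, Coinhive or the article. Assumes Coinhive's documented
// browser API: new CoinHive.Anonymous(siteKey, { throttle }), miner.start(),
// miner.stop(). In a page, after loading the Coinhive library, pass
//   (key, opts) => new CoinHive.Anonymous(key, opts)
// as createMiner and window.localStorage as storage.

const CONSENT_KEY = 'miningConsent'; // assumed storage key name

// localStorage-compatible stand-in so the gate can run in Node.
function memoryStorage() {
  const data = Object.create(null);
  return {
    getItem: (k) => (k in data ? data[k] : null),
    setItem: (k, v) => { data[k] = String(v); },
  };
}

class MiningGate {
  // createMiner: (siteKey, opts) => object with start()/stop()
  // storage: window.localStorage in the browser, memoryStorage() in Node
  constructor({ siteKey, createMiner, storage, throttle = 0.7 }) {
    this.siteKey = siteKey;
    this.createMiner = createMiner;
    this.storage = storage;
    this.throttle = throttle; // fraction of time the miner idles; 0.7 keeps the page responsive
    this.miner = null;        // created lazily: no miner object exists before consent
    this.running = false;
  }

  // true / false if the user has answered, null if never asked.
  consent() {
    const v = this.storage.getItem(CONSENT_KEY);
    return v === null ? null : v === 'true';
  }

  // Record the user's answer (e.g. from a banner button) and apply it.
  setConsent(value) {
    this.storage.setItem(CONSENT_KEY, value ? 'true' : 'false');
    return this.apply();
  }

  // Start or stop the miner to match the stored answer. No answer means no mining.
  apply() {
    const allowed = this.consent() === true;
    if (allowed && !this.running) {
      if (!this.miner) this.miner = this.createMiner(this.siteKey, { throttle: this.throttle });
      this.miner.start();
      this.running = true;
    } else if (!allowed && this.running) {
      this.miner.stop();
      this.running = false;
    }
    return this.running;
  }
}

// Fake miner that only records calls (constructed for the demonstration).
function fakeMiner(siteKey, opts) {
  const calls = [];
  return { siteKey, opts, calls, start() { calls.push('start'); }, stop() { calls.push('stop'); } };
}

// Walk through the lifecycle: first visit, opt-in, reload, opt-out.
function demo() {
  const storage = memoryStorage();
  const first = new MiningGate({ siteKey: 'SITE_KEY', createMiner: fakeMiner, storage });
  const beforeAnswer = first.apply();           // false: never asked, nothing created
  const minerBeforeAnswer = first.miner;        // null
  const afterOptIn = first.setConsent(true);    // true: miner created and started
  // A later page load with the same storage honours the saved answer:
  const reload = new MiningGate({ siteKey: 'SITE_KEY', createMiner: fakeMiner, storage });
  const afterReload = reload.apply();           // true
  const afterOptOut = reload.setConsent(false); // false: miner.stop() called
  return { beforeAnswer, minerBeforeAnswer, afterOptIn, afterReload, afterOptOut, calls: reload.miner.calls };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

In a page, wire `setConsent(true)` and `setConsent(false)` to the buttons of a visible banner and call `apply()` once on load; because the miner object is only constructed after consent, a user who never answers never has a miner running, which is exactly the behavior the abusive deployments lack.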
Users who want to block such crypto-mining scripts on their PCs have several options at their disposal.
First, any decent antivirus will help. Most antivirus vendors already block Coinhive outright, or at least alert the user and offer to block the script on request.
Another option is the classic Windows hosts-file trick: block the Coinhive or Crypto-Loot domains at the OS level.
And for those who would rather do nothing, there is some comfort in the fact that companies such as Cloudflare are booting at least some of these sites off their network.