Cryptojacking

The cryptojacking trend is not showing any signs of stopping anytime soon, and recent reports highlight some peculiar new ways that miscreants have found for pushing in-browser miners down their users' throats.

Hiding in Starbucks' WiFi network

Probably the most interesting cryptojacking-related event this month took place at a Starbucks store in Buenos Aires, Argentina.

According to Noah Dinkin, founder of an NY-based startup, the store's WiFi network was modified to inject JavaScript code in everyone's connections, embedding a copy of the Coinhive miner in all pages loaded via the Starbucks in-store WiFi.

While it took Starbucks' technical department some time to resolve the issue, the Coinhive script was eventually removed ten days later, as the company stated in a tweet.

Hiding on GitHub

Another creative method of hiding Coinhive miners was also documented this week by Sucuri experts.

The company says it noticed cryptojacking scripts hosted and loaded from GitHub repositories inside legitimate websites via hidden iframes. This is nothing groundbreaking when it comes to malware delivery, but it is the first time this tactic has been used for in-browser mining script delivery.

This is just one of the many different methods that cryptojackers have used to hide their code. Previously they tried to disguise in-browser miners as jQuery, Google Analytics, tech support widgets, EU cookie consent, and Cloudflare-related JavaScript files.
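For site owners who want to check their own pages for the hidden-iframe delivery described above, here is an added example (not code from Sucuri or from this article) that flags iframes which are visually hidden and load from another host. The GitHub hostname list, the hiding heuristics and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumption: hostnames that serve content out of GitHub repositories.
GITHUB_HOSTS = ("github.io", "githubusercontent.com", "github.com")
# Inline CSS commonly used to make a frame invisible (heuristic, not exhaustive).
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

class HiddenIframeFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host == self.site_host:
            return  # no src, relative src, or the site's own host
        hidden = (
            "hidden" in a
            or a.get("width") in ("0", "1")
            or a.get("height") in ("0", "1")
            or bool(HIDING_CSS.search(a.get("style", "")))
        )
        if hidden:
            on_github = any(host == h or host.endswith("." + h) for h in GITHUB_HOSTS)
            self.findings.append((a["src"], "github-hosted" if on_github else "third-party"))

def find_hidden_iframes(html, site_host):
    """Return (src, label) for each hidden iframe loaded from another host."""
    finder = HiddenIframeFinder(site_host.lower())
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; all hosts and paths are placeholders.
SAMPLE_PAGE = """
<iframe src="https://www.example.com/embed/player" width="640" height="360"></iframe>
<iframe src="https://example-user.github.io/widget/" style="display:none"></iframe>
<iframe src="//cdn.example.net/frame.html" width="1" height="1"></iframe>
<iframe src="https://raw.githubusercontent.com/example-user/repo/master/a.html" style="width: 100px; height: 80px"></iframe>
"""

if __name__ == "__main__":
    print(find_hidden_iframes(SAMPLE_PAGE, "www.example.com"))
```

A hit is only a lead to review: frames hidden through external stylesheets or injected by script at runtime are not visible to this static check.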

Hiding in pirate video streaming services

A while back, someone launched a website named WhoRunsCoinhive that keeps track of high-profile sites using the Coinhive in-browser miner.

The website also includes a list of top Coinhive deployers. While The Pirate Bay clearly dominates that list, most of the other sites included in the ranking are illegal video streaming services.

The penchant for hosting cryptojacking scripts on video streaming services has also been noted this week by AdGuard, a company that makes an ad-blocking extension that can also block in-browser miners.

AdGuard says that it's seen cryptojacking scripts loaded on popular pirate video streaming services such as Openload, Streamango, Rapidvideo, and even video-converter portal OnlineVideoConverter.com.

Unless they are using an antivirus or ad-blocking extension capable of blocking these scripts, users visiting these sites are donating their CPU power to mine Monero funds for the owners of those sites.

While some users argue they're willing to do so if that means they won't see any ads, the above sites still load advertisements regardless, and cryptojacking is just another way for webmasters to make a few bucks off users' backs.

All in all, miscreant website owners don't seem to be deterred by the fact that antivirus companies and ad-blocker extensions are adding support for blocking in-browser mining operations, and are just swarming to cash in on their userbases before Chrome or other browsers move in to natively block cryptojacking scripts.

Last but not least, US security researcher Troy Mursch, who's been ardently tracking cryptojacking threats since September, has also discovered a new in-browser service that launched this month called Minr. At the time of writing, around 100 sites are using it.

Image credits: Becris, Bleeping Computer
