The cryptojacking trend is not showing any signs of stopping anytime soon, and recent reports highlight some peculiar new ways that miscreants have found for pushing in-browser miners down their users' throats.
Probably the most interesting cryptojacking-related event this month took place at a Starbucks store in Buenos Aires, Argentina.
Hi @Starbucks @StarbucksAr did you know that your in-store wifi provider in Buenos Aires forces a 10 second delay when you first connect to the wifi so it can mine bitcoin using a customer's laptop? Feels a little off-brand.. cc @GMFlickinger pic.twitter.com/VkVVdSfUtT — Noah Dinkin (@imnoah) December 2, 2017
While it took Starbucks' technical department some time to resolve the issue, the Coinhive script was eventually removed ten days later, as the company stated in a tweet.
As soon as we were alerted of the situation in this specific store last week, we took swift action to ensure our internet provider resolved the issue and made the changes needed in order to ensure our customers could use Wi-Fi in our store safely. — Starbucks Coffee (@Starbucks) December 11, 2017
Another creative method of hiding Coinhive miners was also documented this week by Sucuri experts.
The company says it noticed cryptojacking scripts that were hosted in GitHub repositories and loaded into legitimate websites via hidden iframes. This is nothing groundbreaking when it comes to malware delivery, but it is the first time this tactic has been used for in-browser mining script delivery.
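For site owners who want to check their own pages for the pattern described above, here is an added example (not code from Sucuri or from the original article) that flags iframes which are both hidden and served from GitHub. It goes slightly beyond the text by also treating a frame as hidden when an ancestor element is hidden. The host list, function names and sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GITHUB_HOSTS = ("github.io", "githubusercontent.com", "github.com")  # assumption
VOID = set("area base br col embed hr img input link meta source track wbr".split())
HIDDEN_STYLE = re.compile(  # inline styles that hide an element from the visitor
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

def is_github_hosted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in GITHUB_HOSTS)

def is_hidden(tag, a):
    tiny = tag == "iframe" and any(
        (a.get(d) or "").strip() in ("0", "1") for d in ("width", "height"))
    return "hidden" in a or tiny or bool(HIDDEN_STYLE.search(a.get("style") or ""))

class FrameAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, hidden?) for every open element
        self.findings = []  # (line, src) of hidden GitHub-hosted iframes

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = is_hidden(tag, a) or any(h for _, h in self.stack)
        if tag == "iframe" and hidden and is_github_hosted(a.get("src") or ""):
            self.findings.append((self.getpos()[0], a["src"]))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        tags = [t for t, _ in self.stack]
        if tag in tags:  # pop back to the matching open tag
            del self.stack[len(tags) - 1 - tags[::-1].index(tag):]

def audit(html):
    parser = FrameAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (hosts and paths are made up for illustration).
SAMPLE = """<iframe src="https://video.example/embed/1" width="560"></iframe>
<iframe src="https://user-a.github.io/f.html" style="width:1px;height:1px"></iframe>
<div style="display:none"><iframe src="//user-b.github.io/w.html"></iframe></div>
<iframe src="https://user-c.github.io/docs/" width="100%"></iframe>"""
print(audit(SAMPLE))
```

A visible GitHub Pages embed is left alone; only frames the visitor cannot see are reported, with the source line for review.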
A while back, someone launched a website named WhoRunsCoinhive that keeps track of high-profile sites using the Coinhive in-browser miner.
The website also includes a list of top Coinhive deployers. While The Pirate Bay clearly dominates that list, most of the other sites included in the ranking are illegal video streaming services.
The penchant for hosting cryptojacking scripts on video streaming services has also been noted this week by AdGuard, a company that makes an ad-blocking extension that can also block in-browser miners.
AdGuard says that it's seen cryptojacking scripts loaded on popular pirate video streaming services such as Openload, Streamango, Rapidvideo, and even video-converter portal OnlineVideoConverter.com.
Unless they are using an antivirus or ad-blocking extension capable of blocking these scripts, users visiting these sites are donating their CPU power to mine Monero funds for the owners of those sites.
Someone asked if AdBlock Plus blocks in-browser miners. Yes they do. Via the EasyPrivacy list pic.twitter.com/fkazm1GtxR — Catalin Cimpanu (@campuscodi) December 13, 2017
Also uBlock Origin pic.twitter.com/G8XGZiSpp6 — Pedro Miguel (@EL_PedroMigueL) December 13, 2017
While some users argue they're willing to do so if that means they won't see any ads, the above sites still load advertisements regardless, and cryptojacking is just another way for webmasters to make a few bucks off users' backs.
All in all, miscreant website owners don't seem to be deterred by the fact that antivirus companies and ad-blocker extensions are adding support for blocking in-browser mining operations, and are just swarming to cash in on their userbases before Chrome or other browsers move in to natively block cryptojacking scripts.
Last but not least, US security researcher Troy Mursch, who's been ardently tracking cryptojacking threats since September, has also discovered a new in-browser service that launched this month called Minr. At the time of writing, around 100 sites are using it.
Image credits: Becris, Bleeping Computer