Cryptojacking

The in-browser cryptojacking craze that has taken over the Internet is getting worse by the day, and more and more sites are implementing such systems, either intentionally or after getting hacked.

Malwarebytes, one of the first major antivirus companies to add support for blocking such scripts, has recently released a report detailing statistics from the last month.

According to the Malwarebytes team, Malwarebytes products have blocked on average around 8 million requests per day to domains hosting in-browser cryptocurrency mining scripts.

In total, the company says it blocked nearly 248 million requests during the entire month of October 2017, and most of these requests were for Coinhive, today's most popular in-browser Monero mining service.

Blocked cryptojacking requests

The number of actual users affected by this plague is most likely much higher. This is because Malwarebytes does not block Coinhive and similar scripts by default but prompts the user via a popup, letting users select what they want to do.

In addition, not all Internet users utilize the Malwarebytes antivirus, which means the real number of requests to mining scripts is most likely in the realm of tens of millions of requests per day.

The number is also much higher since special proxy services have popped up online that allow some website operators to evade ad blockers and antivirus solutions by tunneling Coinhive requests through other domains.

Coinhive proxy

While some websites do the right thing and ask users for permission to mine cryptocurrency inside their browser, some do not. The infosec community has been aggressively fighting back against websites that run in-browser mining scripts without the user's consent.

A website named WhoRunsCoinhive?, launched this month, helps users keep track of some of these sites.

Nearly 2,500 e-commerce stores found hosting mining scripts

Another interesting finding came this week from Dutch security researcher Willem de Groot. The expert found 2,496 online shops running in-browser miners. The interesting part is that 80% of these sites also hosted credit card skimming malware that steals payment card details from stores' checkout forms.

This small detail shows that in most cases these scripts are deployed by crooks and not the website owners themselves.

This may also be the case with the official UFC Fight Pass service, which was also caught mining cryptocurrency while users were watching UFC fights.

Ironically, despite a pretty obvious screenshot and multiple users confirming the findings of security researcher Troy Mursch, the company denied hosting the script or having been hacked to host it.

Android game disguises mining behavior as rewards program

Last but not least, cyber-security firm Ixia published today a case study of a few Android apps that also pushed cryptocurrency miners onto users.

The Ixia research is interesting because the owner of the apps, which are still available through the official Google Play Store, has cleverly packaged the in-app cryptocurrency mining behavior as a way to win in-game currency, although he did not make it clear to users that their phones are actually being used to mine cryptocurrency when this happens.

Besides Android apps, new in-browser miners have also popped up online in the past few weeks, since Bleeping Computer's last cryptojacking reports [1, 2].

The new additions are Coinerra and Papoto, both discovered by Mursch. Of the two, Papoto has already made a name for itself in infosec circles after it started mass-mailing website owners offering its "new FUD browser miner" with "better payouts" when compared to the competition.

To end this article on a good note, the team behind the WordPress.org Plugins directory has officially taken a stance against plugins that package in-browser miners in their code, recently banning the "Animated weather widget by wetherfor.us" plugin.