The operator of at least one website has been spotted using small windows hidden under the user's Windows taskbar to continue to operate an in-browser miner even after the user closed the main browser window.
The campaign was discovered by Malwarebytes researcher Jerome Segura. The miscreants behind it utilize a tactic known as a pop-under, a trick that allows them to spawn a new window, separate from the main browser.
According to Segura, this website — an adult portal — used the following formula to dynamically calculate the position of this new window.
Unless users have transparency enabled in their OS interface, they would have no chance of spotting this hidden window without looking for rogue processes inside the Windows Task Manager.
Furthermore, unlike most other cryptojackers, the script does not utilize the user's full CPU power, but limits its activity to lower values, hoping not to induce a slowdown of the user's computer.
According to Segura, if users spot something wrong, they can use the Windows Task Manager to kill the rogue browser process associated with this window, or resize the Windows taskbar and force the window to become visible.
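The manual check described above can be automated by comparing each browser window's rectangle with the desktop work area (the screen minus the taskbar). The Python below is an added example, not code from Malwarebytes or from the site in question; the window list, process names and screen geometry are constructed, and collecting real window rectangles is left to the caller.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rect:
    left: int
    top: int
    right: int
    bottom: int

    def area(self) -> int:
        # Inverted or empty rectangles (no overlap) count as zero area.
        return max(0, self.right - self.left) * max(0, self.bottom - self.top)

    def intersect(self, other: "Rect") -> "Rect":
        return Rect(max(self.left, other.left), max(self.top, other.top),
                    min(self.right, other.right), min(self.bottom, other.bottom))

@dataclass(frozen=True)
class Window:
    pid: int
    process: str
    title: str
    rect: Rect

BROWSERS = {"chrome.exe"}  # the article reports the trick only for Chrome

def visible_fraction(win: Window, work_area: Rect) -> float:
    """Share of the window lying inside the work area (screen minus taskbar)."""
    total = win.rect.area()
    if total == 0:
        return 0.0
    return win.rect.intersect(work_area).area() / total

def hidden_browser_windows(windows, work_area, max_visible=0.1):
    """Return browser windows that sit almost entirely outside the work area."""
    return [w for w in windows
            if w.process.lower() in BROWSERS
            and visible_fraction(w, work_area) <= max_visible]

# Constructed sample: 1920x1080 screen with a 40 px taskbar along the bottom edge.
WORK_AREA = Rect(0, 0, 1920, 1040)
SAMPLE = [
    Window(4120, "chrome.exe", "News - Google Chrome", Rect(100, 50, 1500, 900)),
    Window(5316, "chrome.exe", "", Rect(1700, 1042, 1900, 1078)),  # behind taskbar
    Window(2288, "notepad.exe", "notes.txt", Rect(1700, 1042, 1900, 1078)),
]

if __name__ == "__main__":
    for w in hidden_browser_windows(SAMPLE, WORK_AREA):
        print(f"pid {w.pid} ({w.process}) is hidden behind the taskbar: {w.rect}")
```

A flagged PID is the browser process to inspect or end in Task Manager, as Segura suggests.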
At the time of writing, this technique appears to work only with Chrome browsers and has been spotted on just one site — yourporn[.]sexy.
Malwarebytes said in a report released earlier this month that its security product blocks 8 million requests to cryptojacking services on a daily basis. Most security products and ad-blocking browser extensions come with support for blocking in-browser miners.
Bleeping Computer has tracked most major cryptojacking events since mid-September when these types of attacks became trendy (again) after the launch of the Coinhive service.
In the early 2010s, when Bitcoin mining was still profitable, US authorities stepped in to shut down a similar service called Tidbit.
This article was based on a Malwarebytes investigation provided to Bleeping Computer ahead of publication. We will update our story with a link to Malwarebytes' detailed report once it is available on the company's official website. UPDATE: The report is now live here.