Cryptojacking scripts distribution based on site category

Almost 50% of all cryptojacking scripts (in-browser miners) are deployed on adult-themed sites, according to new numbers released this week by Qihoo 360's Netlab division.

Researchers gathered these numbers by using Netlab's DNSMon system, a tool that analyzes relations in DNS traffic between web domains.

DNSMon allowed researchers to analyze web traffic on the entire Internet level, and spot which sites loaded JavaScript code from domains known to offer in-browser mining services.

Porn sites dominate the list

According to researchers, 241 (0.24%) out of Alexa Top 100,000 websites, and 629 (0.21%) out of Alexa Top 300,000 websites are deploying JavaScript code that mines Monero using the users' CPU power, most of it without the user's permission. Also by the same numbers, Coinhive is by far the favorite cryptojacking script, found on 78% of all offending sites, with JSEcoin coming second with a 9% "market share."

Major sources of cryptojacking

Based on the meta keywords each site used to describe its content, porn sites represented the bulk of the detected domains on which researchers found JS-based mining code.

Adult sites accounted for 49%, followed by fraud sites (8%), advertising domains (7%), cryptocurrency mining (7%), and film and television streaming sites (6%).

In-browser miners found on porn sites but not gaming portals

The biggest surprise is that cryptojacking scripts were not often found on gaming-related domains, this category accounting for 1.4% of the sites in Netlab's list —which, by the way, is available for download from here.

Cryptojacking scripts are known to be efficient when loaded on sites where users spend a lot of time, allowing site operators to take full advantage of the user's computing power. Gaming and video streaming portals are considered good places to run in-browser miners, as users tend to spend a lot of time on these types of sites.

Seeing adult sites on the list is no surprise, as porn sites are usually some of the biggest offenders when it comes to intrusive and over-the-top advertising schemes. A cryptojacking script next to five malicious ads doesn't really make a difference for site operators.

But the people behind these sites are about to have a rude awakening, as Google is readying to release the first version of Chrome with a built-in ad blocker next week, while engineers have already started work on a performance tweak that's going to reduce the efficiency of cryptojacking scripts in the future.

For other users, installing ad blockers will do the trick, as most such browser extensions now also block domains associated with cryptojacking services.

Related Articles:

Coinhive Raking In Over $250,000 per Month From In-Browser Cryptomining

Massive Coinhive Cryptojacking Campaign Touches Over 200,000 MikroTik Routers

Thousands of Compromised WordPress Sites Redirect to Tech Support Scams

Over 3,700 MikroTik Routers Abused In CryptoJacking Campaigns

New Botnet Hides in Blockchain DNS Mist and Removes Cryptominer