Monero Miners

Ever since mid-September, when Coinhive launched and the whole cryptojacking frenzy started, the Internet has gone crazy with in-browser cryptocurrency miners, and new sites that offer similar services are popping up on a weekly basis.

While one might argue that mining Monero in a site's background is an acceptable alternative to viewing intrusive ads, almost none of these services that have recently appeared provide a way to let users know what's happening, let alone a way to stop mining behavior.

In other words, most are behaving like malware, intruding on users' computers and using resources without permission.

Coinhive clones everywhere!

We've already covered Coinhive's impact on the malware scene and its quick adoption by malware authors in a separate report. Since then, we also reported on Crypto-Loot, the first Coinhive clone to pop up online.

Since our last reports on Coinhive and Crypto-Loot, respectively, the in-browser cryptocurrency mining market has become incredibly crowded.

Bleeping Computer spotted two new services named MineMyTraffic and JSEcoin, while security researcher Troy Mursch also spotted Coin Have and PPoi, a Coinhive clone for Chinese users.

On top of this, just last night, Microsoft spotted two new services called CoinBlind and CoinNebula, both offering similar in-browser mining services, with CoinNebula configured in such a way that users couldn't report abuse. Furthermore, neither of these two services even has a homepage, revealing their true intentions to be deployed in questionable scenarios.

Monero miners spreading to WordPress plugins

On top of this, the cryptojacking craze has also spread to WordPress plugins. Bleeping Computer spotted three plugins uploaded on the official WordPress repo in the past week: WP Monero Miner with Coin Hive (now removed), Simple Monero Miner – Coin Hive, and Coin Hive Ultimate Plugin.

While it's not illegal to run an in-browser miner on your WordPress site, none of these WordPress plugins or any of the above-mentioned services provide a way to let users know what's happening.

From research on the topic, in-browser miners are usually deployed on questionable websites, such as piracy portals, illegal streaming services, adult portals, and others. A study by Palo Alto of over 1,000 sites engaged in cryptojacking found that 35% of these sites were hosted on .download and .bid domains.

The other place where you'll generally find cryptojacking these days is on hacked legitimate websites, where this happens without the site owner's knowledge.

This is exactly what happened last week when Mursch spotted a cryptocurrency miner on PolitiFact, a well-known US politics portal. In the end, site admins removed the script, stopping short of admitting they were hacked.

Similar legitimate sites that deployed in-browser miners in what looked to be hacking incidents include Showtime, AirAsia, TuneProtect, and the official website of Real Madrid soccer star Cristiano Ronaldo.

Coinhive takes steps in the right direction

Most of the newly spotted Coinhive clones are exactly what you think they are. These are sites that provide a Monero miner specifically built for stealth mining, most likely created and run for malicious purposes.

Of all the sites we have inspected, only the original Coinhive seems to be interested in being a valid alternative to classic ads. Recently, the service launched a UI widget that lets users start or stop the mining process.

Coinhive UI demo

The service took another step in the right direction this week on Monday, when Coinhive launched AuthedMine, a service similar to the original Coinhive service, but which won't start until the user clicks an opt-in.

Coinhive launched AuthedMine after criticism from the media and the public, and after ad blockers and antivirus vendors blocked its main domain because of repeated abuse.

In fact, if you were to access the AuthedMine domain right now, you'd see a note addressed to ad blockers and antivirus vendors begging them not to blacklist this domain too.

A Note to Adblock and Antivirus Vendors

There is no need to block AuthedMine.com or any scripts hosted on this domain.

AuthedMine.com offers a Monero miner that can be embedded into other Websites. This miner will only ever run after an explicit opt-in from the user. The miner never starts without this opt-in.

AuthedMine homepage

From Bleeping Computer's previous reports on cryptojacking, many users said they are OK with websites mining Monero in the background if they don't see ads anymore.

The problem is that most of the places where cryptojacking has been spotted still ran hordes of ads. Furthermore, a Trustwave report highlights that running an in-browser miner is not actually free, and this may end up in extra costs for a user's electricity bill.

For example, Trustwave estimates the cost of in-browser miners at an extra $5.45 added on top of the normal monthly bill for someone living in Singapore, an extra $12.50 for German users, $13.80 for Australians, and $5 for Americans ($10.50 for Hawaiians).

If you'd like to safeguard your CPU from being hijacked by sites using Coinhive, Crypto-Loot, and other in-browser miners, you can use an ad blocker or a modern antivirus. Disabling JavaScript is not an option, since most sites these days rely on it and most W3C APIs do too.
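For site owners checking for the hacked-site scenario described above, here is a small added example (not from the original article or from any of the services it names) that scans a page's HTML for external scripts loaded from a blocklist of miner domains. authedmine.com is the domain named in the article; coinhive.com is assumed here to be Coinhive's main domain, and the sample page and script paths are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sample blocklist. authedmine.com is named in the article; coinhive.com is an
# assumption (Coinhive's main domain). Extend it from a maintained blocklist.
MINER_DOMAINS = {"authedmine.com", "coinhive.com"}


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # the parser lowercases tag and attribute names
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def find_miner_scripts(html, blocklist=MINER_DOMAINS):
    """Return (src, matched_domain) for each script loaded from a listed domain."""
    parser = ScriptCollector()
    parser.feed(html)
    hits = []
    for src in parser.sources:
        # hostname is lowercased, works for "//host/path", and is None for local paths
        host = (urlparse(src).hostname or "").rstrip(".")
        # Match the domain itself or a subdomain, never a look-alike suffix
        match = next((d for d in sorted(blocklist)
                      if host == d or host.endswith("." + d)), None)
        if match:
            hits.append((src, match))
    return hits


# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<script src="/js/app.js"></script>
<script src="//cdn.authedmine.com/lib/miner.js"></script>
<script SRC="https://COINHIVE.com/lib/miner.js" async></script>
<script src="https://notcoinhive.com/x.js"></script>
</head></html>"""

if __name__ == "__main__":
    for src, domain in find_miner_scripts(SAMPLE):
        print(f"miner script: {src} (matches {domain})")
```

Domain matching only catches scripts loaded directly from a listed host; a miner proxied through another domain or inlined into the page needs a different check.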