The use of browsers to mine for digital currency is becoming a major problem. With more and more sites incorporating in-browser mining scripts such as CoinHive and web extensions injecting them into web pages,  people will continue to be affected by this attack.

When a browser is used for in-browser mining, the computer's CPU will be used to mine for digital currency such as Monero. This causes your CPU to run at high temperatures for extended periods of time, which could cause damage to the CPU.

Unfortunately, you may not even notice that your browser and computer is being used this way until your computer becomes slower, starts to freeze, or even shuts down from overheating. If you went into the Windows task manager, you may notice that Chrome is using an unusual amount of the CPU.

Windows Task Manager

While this indicates that Chrome is acting strange, it does not provide any information to determine what extension or tab is utilizing all of the CPU in Chrome. Thankfully, Chrome includes a little used tool called the Chrome Task Manager that makes it easy to track down the site or extension that is using a lot of CPU and possibly a in-browser miner.

Detecting sites using too much CPU

If Chrome is using too much CPU, we need to determine if its a site causing the utilization or an extension. In our example, we are using a test site created by https://badpackets.net that starts the in-browser CoinHive miner. This causes Chrome to use upwards to 90% of the CPU

To check what site is utilizing too much CPU, we can open the Chrome Task Manager by using the Shift+ESC keyboard combination or open it from the Chrome menu, then More Tools, and then Chrome Task Manager.

When the Chrome Task Manager opens, you will see a list of processes and how much CPU each is using. For each site, extension, internal process, and subframe that is open, a new process will be listed.

Site loaded miner
Site loaded miner

You can then search through the list of processes in determine which one is using up the CPU power. As you can see from the image above, the tab titled Phone Killer is the one that it using over 92% of the computer's CPU. 

To close this tab, simply click on it once to select it and then click on the End Process button. Once this tab is closed, your computer should go back to running normally and it would be a good idea to avoid that site in the future.

Detecting extensions using in-browser mining

Unfortunately, it is not always a site that is causing the CPU utilization, but rather an installed extension.

For example, as part of this article I installed the SafeBrowse extension, which loads the CoinHive miner when you start Chrome. When we open the Chrome Task Manager, it is easy to spot that this extension is the one utilizing a lot of CPU.

Extension loaded miner
Extension loaded miner

You can then double-click on the extension name in the Chrome Task Manager and Chrome will bring you to the extensions list, with this extension highlighted.  You can then remove the extension by clicking on the associated trash can as seen below. Once the extension is removed, this behavior will not happen again the next time you start Chrome.

Remove Extension
Remove Extension

Sometimes, though, the extension opens an iframe that loads the in-browser miner. When this happens, the process associated with the miner will not be listed as an extension or a tab, but something called a subframe.

Subframe loaded miner
Subframe loaded miner

Unfortunately, Chrome Task Manager does not outwardly tell you what extension has loaded that subframe. The good news is that you can simply double-click on the sub-frame and Chrome will bring you to the extensions list with the extension highlighted that the subframe belongs to.

Remove Chrome Extension with Subframe
Remove Chrome Extension with Subframe

You can then use the trash can to remove the extension so the problem does not occur again.

Protecting yourself from In-Browser Miners

Miners are becoming an epidemic and in-browsing mining is only going to get worse. Therefore, it is important that all users protect themselves by installing antivirus software that detects when a browser connects to known mining services such as CoinHive.

Unfortunately, new services keep popping up and it has become a game of whack-a-mole for the security industry. Therefore, your installed software may not detect the URL or scripts associated with a new in-browser miner. 

To add further protection, you can use an adblocker with Chrome, which will block in-browser mining scripts. For those looking for a more granular approach, you can use the CoinBlockerLists site to download lists of IP addresses and domains affiliated with in-browser mining.

Related Articles:

Cryptojacking Android Apps Continue To Plague Google Play Store

TLS 1.0 and TLS 1.1 Being Retired in 2020 by All Major Browsers

Google Adds New Rules To End Malicious Chrome Extensions

Roaming Mantis Group Testing Coinhive Miner Redirects on iPhones

Chrome 69 Keeps Google's Cookies After You Clear Browser Data