If you haven’t heard about Coinhive yet, it can be described as a cryptocurrency miner for websites.
The developers of the new technology present it as a successful way to monetize a website’s content without cluttering it with ads.
Website owners can load the Coinhive JavaScript library on their sites to activate a Monero miner.
However, the miner works using visitors’ CPU power and generates revenue for the owner of the site.
Original idea! We’ll give it that. Coinhive launched on September 14, and its authors advertise it as an alternative to classic advertising.
Coinhive claims that webmasters can remove ads from their sites, and load the Coinhive library and mine for Monero using a small portion of the user’s CPU while the user is navigating the site.
Site owners can make money and support their business, but without peppering their visitors with annoying ads.
The idea got some traction, and two days after it launched, The Pirate Bay ran it as a test, but dropped it after negative user feedback.
Malware operations adopt Coinhive
Unfortunately, despite the clever use of a Monero miner, Coinhive is in the same situation as other useful tools that have been abused by crooks.
In the few days since it launched, Coinhive has spread to almost all corners of the malware community.
First, we saw it embedded inside a popular Chrome extension named SafeBrowse, where the Coinhive code was added to run in Chrome’s background and mine Monero whenever the browser was running.
Then, we saw Coinhive embedded in typosquatted domains.
Someone registered the twitter.com.com domain name and was loading the Coinhive JS library on the page. Users who mistyped the Twitter URL and ended up on the page would mine Monero for the site’s owner.
This would happen for only a few seconds until the user realized he was on the bad page, but that would be enough for the site’s owner to generate a profit.
In time and with more of these domains in hand, the owner of all those mistyped site URLs would make a nice profit.
While this might be a brand-new, never-before-heard-of technology that helps to remove ads from websites, it seems to cause a lot of user dissatisfaction, since it slows down users’ computers while they are trying to navigate a website that contains the Coinhive miner.
Criminals are quick to abuse the new technology
Just like many useful tools and technologies, Coinhive quickly caught cybercriminals’ eyes, and shortly after the launch of the new technology we noticed numerous discussions about it in dark web forums.
It turns out that scammers quickly understood how the technology could be used to generate revenue through potentially unwanted or illegal software.
One of the first examples of Coinhive abuse was the SafeBrowse virus, an extension designed for Chrome browsers.
Once installed, it would mine Monero the entire time the victim used a web browser.
Besides, scammers quickly applied the technology to domains similar to the ones used by highly popular social media networks, online shops or other Internet sites.
For instance, fraudsters registered the twitter.com.com domain only to embed the miner in it and start earning profits using the CPU power of all visitors who accidentally mistype Twitter’s domain.
Finally, tech support scammers are also among the fraudsters who abuse the new technology. Trend Micro researchers have revealed that hackers who infect websites with the malicious script displaying “HoeflerText wasn’t found” pop-ups are also rerouting users to phishing websites that urge them to call fake tech support.
These websites contain the Coinhive JavaScript, which mines Monero cryptocurrency while the victim stays on the phishing website.
After that, security researchers discovered hacked sites where intruders modified the site’s source code and secretly loaded the Coinhive miner.
The miner used a configuration to mine Monero for the hacker’s personal account, but using the CPU power of unsuspecting users who accessed the hacked sites.
Researchers found hacked WordPress and Magento sites modified this way.
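As an added example (not code from this article or from Coinhive), a site owner could audit page source for the kind of secretly loaded miner described above with a small Node.js check. The coinhive.com library host and the CoinHive.Anonymous / CoinHive.User constructor names are assumptions taken from Coinhive's public embed snippet, not from this page, and the two sample pages are constructed.

```javascript
// Added example: audit HTML for Coinhive loader indicators (defensive check).
// Indicator values below are assumptions; the article does not list them.
const MINER_HOSTS = ['coinhive.com'];                         // library host (assumed)
const MINER_API = /\bCoinHive\s*\.\s*(Anonymous|User)\s*\(/;  // constructors (assumed)

// True when host is a listed domain or a subdomain of one, never a look-alike
// such as coinhive.com.example.net or notcoinhive.com.
function isMinerHost(host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return MINER_HOSTS.some((d) => h === d || h.endsWith('.' + d));
}

// Returns findings of the form {type: 'external-script'|'inline-script', detail}.
function findMinerIndicators(html, pageUrl) {
  const findings = [];
  const scriptTag = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (src) {
      try {
        // Resolving against the page URL handles relative and //host/ forms.
        const url = new URL(src[1] ?? src[2] ?? src[3], pageUrl);
        if (isMinerHost(url.hostname)) findings.push({ type: 'external-script', detail: url.href });
      } catch (_) { /* unparsable src value: nothing to check */ }
    }
    if (MINER_API.test(body)) {
      findings.push({ type: 'inline-script', detail: body.trim().slice(0, 80) });
    }
  }
  return findings;
}

// Constructed sample pages (not captured from any real site).
const INFECTED = `<html><body><h1>Shop</h1>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');</script>
</body></html>`;
const CLEAN = `<html><body>
<script src="https://coinhive.com.example.net/app.js"></script>
<script src="/js/notcoinhive.com.js"></script>
<script>console.log('CoinHive mentioned in a string only');</script>
</body></html>`;

console.log(findMinerIndicators(INFECTED, 'https://shop.example/'));
console.log(findMinerIndicators(CLEAN, 'https://blog.example/'));
```

Matching on the parsed hostname rather than a substring keeps look-alike hosts and file names from producing false hits.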
In addition, security experts also found one of the biggest malvertising groups deploying the Coinhive script.
Malicious ads would redirect users to tech support scams, where besides the classic fake virus alerts, crooks would also load Coinhive in the browser and mine for Monero while victims were trying to figure out if the site was valid or not.
The most recent case of Coinhive being deployed alongside malware came to light earlier today when a researcher found a site peddling a fake Java update that was also mining for Monero using Coinhive.
Cryptocurrency miners on the rise in 2017
On September 12th, researchers from Kaspersky reported about 1.65 million attempts to compromise victims’ computers with cryptocurrency miners.
The security firm says that all of these attempts were carried out in the first eight months of 2017.
In-browser miners became a problem only recently. Until now, fraudsters distributed malicious miners in a variety of ways, including software bundling.
The victim would install the miner unknowingly, enrolling the computer into a cryptocurrency mining botnet, and would then experience repeated system slowdowns.
If you experience extreme slowdowns while visiting certain websites, you should know that the site might be using your CPU’s power to mine cryptocurrency.
If you are bothered by continuous system slowdowns daily, consider checking your computer with anti-malware software to identify the cause of the problem.