Coinhive is a popular browser-based service that lets website owners embed JavaScript code that uses their visitors’ CPU power to mine the Monero cryptocurrency for monetization.
However, since its inception in mid-2017, cybercriminals have been abusing the service to make money illegally by injecting their own version of the CoinHive JavaScript code into a large number of hacked websites, tricking millions of visitors into unknowingly mining Monero coins.
Since many web application security firms and antivirus companies have now updated their products to detect unauthorized injection of the CoinHive JavaScript, cybercriminals have started abusing a different CoinHive service to achieve the same result.
Hackers Injecting Coinhive Short URLs into Hacked Sites
Apart from the embeddable JavaScript miner, CoinHive also offers a “URL shortener” service that lets users create a short link for any URL with a delay, so that the visitor’s browser mines Monero for a moment before being redirected to the original URL.
According to security researchers at Malwarebytes, a large number of legitimate websites have been hacked to unknowingly load short URLs generated with CoinHive inside a hidden HTML iframe, in an attempt to force visitors’ browsers into mining cryptocurrency for the attackers.
“In the past weeks, our crawlers have catalogued several hundred sites using a variety of CMS all injected with the same obfuscated code that uses Coinhive’s shortlink to perform silent drive-by mining,” Malwarebytes said.
This unauthorized browser-based mining scheme that works without directly injecting CoinHive’s JavaScript was initially detected by researchers at Sucuri in late May.
Malwarebytes researchers believe that the hacked websites they discovered are part of the same ongoing malicious campaign uncovered by Sucuri researchers.
According to the researchers, the attackers add obfuscated JavaScript code to hacked websites, which dynamically injects an invisible iframe (1×1 pixel) into the webpage as soon as it loads in the visitor’s web browser.
Since the hidden iframe that loads the URL shortener is invisible, noticing it on a web page is quite difficult.
However, since the short link’s redirection delay is adjustable via Coinhive’s settings (expressed as a number of hashes), attackers can force visitors’ web browsers to mine cryptocurrency continuously for a much longer period.
“Indeed, while Coinhive’s default setting is set to 1024 hashes, this one requires 3,712,000 before loading the destination URL,” said Jérôme Segura, a security researcher at Malwarebytes.
Moreover, once the required number of hashes has been reached, the link behind the short URL redirects the user back to the same page, starting the mining process once again, while the visitor is tricked into thinking that the page has merely been refreshed.
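The technique described above leaves a detectable footprint: an iframe with a src that is sized or styled to be invisible. The following detector is an added example, not code from the article or from Malwarebytes; it scans HTML (ideally the rendered DOM serialized from a headless browser, since the iframe is injected by script rather than present in the server response) for hidden iframes and raises the severity when the target host is on a watch-list. The watch-list host and the sample page are constructed placeholders, not indicators from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Watch-list of shortlink hosts tied to drive-by mining. The article names no
# domain, so this entry is a constructed placeholder: load your own intel here.
MINER_SHORTLINK_HOSTS = {"miner-shortlink.example"}

_HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_TINY_CSS = re.compile(r"(width|height)\s*:\s*[01](px)?\b", re.I)


def _px(value):
    """Parse a width/height attribute ('1', '1px', '0') into an int, else None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def iframe_is_hidden(attrs):
    """True if the iframe is 1x1 or smaller, CSS-hidden, or carries the hidden attribute."""
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    style = attrs.get("style", "")
    return tiny or bool(_TINY_CSS.search(style)) or bool(_HIDDEN_CSS.search(style)) or "hidden" in attrs


class HiddenIframeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}  # bare attributes become ""
        src = a.get("src", "")
        if not src or not iframe_is_hidden(a):
            return
        host = urlparse(src).hostname or ""
        severity = "high" if host in MINER_SHORTLINK_HOSTS else "medium"
        self.findings.append({"src": src, "host": host, "severity": severity})


def scan_html(html):
    """Return every hidden iframe that loads a src, tagged with a severity."""
    scanner = HiddenIframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a visible embed, the injected 1x1 iframe, and a CSS-hidden one.
SAMPLE_HTML = """<html><body>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<iframe src="https://miner-shortlink.example/abc123" width="1" height="1" style="border:0"></iframe>
<iframe src="https://other.example/x" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"[{f['severity']}] hidden iframe -> {f['src']}")
```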
Crooks Also Attempt to Turn Your PC into a Crypto-Mining Slave
Besides the hidden iframe, researchers have found that the cybercriminals are also injecting hyperlinks to other hacked websites in order to trick victims into downloading desktop cryptocurrency-mining malware disguised as legitimate versions of software.
“In this campaign, we see infrastructure used to push an XMRig miner onto users by tricking them into downloading files they were searching for online,” researchers said.
“In the meantime, hacked servers are instructed to download and run a Linux miner, generating profits for the perpetrators but incurring costs for their owners.”
The best way to protect yourself from illegal in-browser cryptocurrency mining is to use a browser extension, such as minerBlock or No Coin, that is specifically designed to block popular mining services from using your computer’s resources.