What do Vegas hookers, Colombian government, and 30,000 other sites have in common? Crypto-jacking miners
Someone’s potentially getting rich – and it isn’t you
Over the past few months there has been an alarming rise in the number of websites running code that silently joyrides computers and secretly makes them mine digital currency for miscreants.
For example, DNS provider ZoneEdit was running Coinhive code on 324 parked web domains: on Monday this week, the biz coughed up to the sneaky inclusion and removed the software. Las Vegas ladies of the night were also mining crypto-currency on punters' PCs. A Colombian government agency's website was hijacked to covertly craft coins. A parody website was even created to "warm" your MacBook as winter approaches: obviously, it was running a miner.
Let's get ready to grumble! UFC secretly choke slams browsers with Monero minersREAD MORE
In addition, it appears that many of these mining operations are being run by one person. Mursch found that one “Mohammad Khezri” of Iran seems to be controlling a vast number of mining operations spread across many domains to maximize his returns.
Naturally not many people are wild about contributing their power and CPU cycles to make strangers money. Antivirus packages and ad blockers now actively shut down Coin Hive's code in browsers. The miner's programmers are fine with that, and have stopped developing the software in favor of AuthedMine, which asks people's permission before mining – however, the original sneaky code is still the go-to miner of choice for online crims.
There are alternatives, such as JSECoin, that are being picked up by site owners and scumbags.
In the meantime, Mursch has urged Google engineers to add some kind of mechanism to Chrome that can halt alt-coin miners. While there's nothing wrong with informed and careful use of coin-mining software on webpages – it is supposed to be an alternative way for webmasters to earn money besides adverts – the quickly increasing scale of crypto-jacking suggests that such blocking measures will have to be taken in browsers to curb the menace of CPU-cycle thieves. ®
Sponsored: Becoming a Pragmatic Security Leader