Cryptojacking

Posted: Wed Nov 22, 2017 5:24 pm
by intense
https://www.theregister.co.uk/2017/11/2 ... coin_hive/

Crypto-jackers enlist Google Tag Manager to smuggle alt-coin miners
Ad giant has malware detection in its script-hosting service... but Coin Hive isn't flagged

Re: Cryptojacking

Posted: Thu Nov 30, 2017 12:17 pm
by intense
Persistent drive-by cryptomining coming to a browser near you

https://blog.malwarebytes.com/cybercrim ... -near-you/

Cryptominer in Chrome Extension

Posted: Sun Dec 31, 2017 8:59 pm
by gotitbro
An extension named Archive Poster, which advertises itself as a Tumblr enhancer/mod, has been caught using the browsers of its users to mine the cryptocurrency Monero. It appears that the code to mine cryptocurrency was added at the start of December and uses the Coinhive miner. It did this surreptitiously without informing the users. The extension has over 100,000 users so the scale is quite big.

Users have been reporting this extension to Google for a month now but no action has been taken.

Many other extensions have also been subject to phishing attacks this year; some of these were also hijacked and adware code was added to them.

This is one of the reasons why I don't use many extensions (along with the reason that they slow down the browser) and why you should probably go for open source ones.

Archive Poster extension (the URL results in a 404 now, looks like the extension has been removed):

https://chrome.google.com/webstore/detail/archive-poster/ceakpicibkmdilicebgddflnfbpmcpgd/

H/T: https://www.bleepingcomputer.com/news/security/chrome-extension-with-100-000-users-caught-pushing-cryptocurrency-miner/

This incident pretty much summarizes what has been happening this past year, i.e., malware ads on a high rise and cryptominers making a huge wave in the past few months.

This reminds me, have a great year ahead guys and Happy New Year, 2018.

Re: Cryptojacking

Posted: Sun Dec 31, 2017 9:30 pm
by intense

Re: Cryptojacking

Posted: Sun Dec 31, 2017 10:51 pm
by gotitbro
Looks like the extension was removed by the developers themselves:

https://productforums.google.com/forum/#!topic/chrome/b0JUzg4HYtI

Google took no action even after repeated complaints; seems like they don't have a policy to ban cryptojacking/cryptomining extensions. I would suggest everyone be extremely cautious when installing an extension these days; it could likely turn out to be like this.

Extension developers are the target of attack these days and should be careful as well @gorhill.

Re: Cryptojacking

Posted: Sun Dec 31, 2017 11:30 pm
by gotitbro
intense wrote: Wed Nov 22, 2017 5:24 pm https://www.theregister.co.uk/2017/11/2 ... coin_hive/

Crypto-jackers enlist Google Tag Manager to smuggle alt-coin miners
Ad giant has malware detection in its script-hosting service... but Coin Hive isn't flagged
One of the reasons to use the uBlock Privacy list; Google Tag Manager is completely blocked through that.

While shady websites (like streaming, downloads, torrents etc.) employ these cryptojackers on their own, the instances of cryptojackers on major websites seem to be done by hackers on the lookout for compromised websites via third-party addons, libraries etc. (according to the article).

@Lanik I hope you stay safe out there, might be that some Cloudflare addons are affected as well. Probably stay on the lookout for phishing attacks as well; they are getting even more prominent nowadays.

Re: Cryptojacking

Posted: Mon Jan 01, 2018 10:07 am
by LanikSJ
gotitbro wrote: Sun Dec 31, 2017 11:30 pm @Lanik I hope you stay safe out there, might be that some Cloudflare addons are affected as well. Probably stay on the lookout for phishing attacks as well they are getting even more prominent nowadays.
Thanks for your concern, but this isn't my first rodeo.

Re: Cryptojacking

Posted: Mon Jan 01, 2018 2:15 pm
by -Mark-
Crypto miners need web workers to mine successfully. uMatrix is now able to shut down that API via a new switch introduced in the dev version by Gorhill. You can also use a CSP filter if you're on uBO and restrict the worker-src values.
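
The worker-src restriction mentioned in the post above, as an added example that is not part of the original thread: a small evaluator showing which CSP directive ends up governing a Web Worker (worker-src, then child-src, script-src, default-src) and whether a given worker URL would be allowed. The policies, origins and URLs are constructed, and source matching is simplified to the cases named in the comments.

```javascript
// Added example (not from the thread). Simplified CSP source matching:
// handles 'none', 'self', '*', scheme sources (blob:, https:) and full origins.

// CSP Level 3 fallback order used when a worker is requested.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source
  // blob:, data: and filesystem: URLs match only an explicit scheme source.
  if (['blob:', 'data:', 'filesystem:'].includes(url.protocol)) return false;
  if (s === '*') return true;
  if (s === "'self'") return url.origin === pageOrigin;
  try {
    return new URL(s).origin === url.origin; // e.g. https://cdn.example
  } catch {
    return false; // 'none', keywords and anything this sketch does not model
  }
}

// Returns which directive governs the worker and whether the URL is allowed.
function workerAllowed(header, workerUrl, pageOrigin) {
  const policy = parseCsp(header);
  const directive = WORKER_FALLBACK.find((d) => policy.has(d)) || null;
  if (directive === null) return { directive, allowed: true }; // no restriction
  const url = new URL(workerUrl, pageOrigin);
  const allowed = policy.get(directive).some((src) => sourceMatches(src, url, pageOrigin));
  return { directive, allowed };
}

// Constructed policies and URLs for illustration.
const page = 'https://site.example';
for (const csp of ["worker-src 'none'", "script-src 'self' blob:", "img-src *"]) {
  console.log(csp, '->', workerAllowed(csp, 'blob:https://site.example/1f2e', page));
}
```

A policy that lists blob: under script-src and sets no worker-src or child-src also permits blob-backed workers, which is what the second sample prints.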

Re: Cryptojacking

Posted: Sat Jan 27, 2018 7:15 pm
by gotitbro
So even ads are now serving crypto-mining JavaScript. We have heard of websites implementing or being hacked to crypto-mine; this being done through ads seems to be fairly new.

Google ads on YouTube were caught serving Coinhive JS to mine cryptocurrency. Google says they have fixed the issue but it seems cryptojackers will be seen in other ads/ad networks now.

This will only increase the cryptojacker epidemic as serving them through ads is much easier than gaining access to a website and then adding the code.

Source: https://arstechnica.com/information-technology/2018/01/now-even-youtube-serves-ads-with-cpu-draining-cryptocurrency-miners/

Re: Cryptojacking

Posted: Sun Jan 28, 2018 3:23 pm
by -Mark-
Google ads on YouTube were caught serving Coinhive JS to mine cryptocurrency.
They said the attackers behind the ads were abusing Google's DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain.
That's the key info they add to their blog post hidden somewhere in the middle. Google itself would never resort to such short-term gimmicks.

Re: Cryptojacking

Posted: Mon Jan 29, 2018 5:49 am
by gotitbro
@-Mark- Yes, I meant the ads served by Google/Doubleclick not ads of Google itself. Should've used better phrasing.

Re: Cryptojacking

Posted: Tue Feb 13, 2018 11:56 pm
by gotitbro
Someone tried to inject Coinhive in iTunes by putting the cryptojacking script in podcast names. Wonder how it got past Apple's security checks.

It's not working, i.e., it does not mine/activate Coinhive but here is the podcast with the cryptojacking podcast names:
https://itunes.apple.com/us/podcast/k6.revue/id269035643?mt=2

Here is a list of other sites that have been injected with the same Coinhive sitekey:

https://publicwww.com/websites/49dVbbCFDuhg9nX5u1MDuATVZj7gQehytZwvXEUuWg9kfhNPWH7bUD87VW1NfjqucRZNNVTb1AHGUK2fkq5Nd55mLNnB4WK/

Source: https://twitter.com/fs0c131y/status/963341838462717952

Re: Cryptojacking

Posted: Wed Feb 14, 2018 10:04 pm
by gotitbro
Even government websites have been hacked and injected with Coinhive

Govt. websites of US, UK, Australia that were using the text-to-speech plugin Browsealoud were injected with the Coinhive cryptojacker. The Browsealoud plugin was hacked and cryptojacking code was added to its JS files. So any website that used the plugin (seems like many govt. websites do) was injected with Coinhive.

Texthelp, which makes the plugin, says the issue has been fixed but the Browsealoud plugin was taken down for some time to remove the cryptojacking code. This cryptojacking trend shows no signs of stopping; better be vigilant these days.

https://www.theguardian.com/technology/2018/feb/12/cryptojacking-attack-hits-australian-government-websites

Re: Cryptojacking

Posted: Thu Feb 15, 2018 8:08 am
by -Mark-
This sounds more intentional considering it's going too rampant. I highly doubt those websites getting hacked so easily.

Re: Cryptojacking

Posted: Thu Feb 15, 2018 1:12 pm
by gotitbro
-Mark- wrote: Thu Feb 15, 2018 8:08 am I highly doubt those websites getting hacked so easily.
Looking at the news, many of these hacked websites are being infected via compromised plugins (especially on WordPress) and scripts. It seems like it is not the hacking that has increased but that the hackers have found an easy way to monetize from this.

Coinhive has also joined Twitter to answer some of the questions regarding unauthorized usage. For example, in the iTunes case above only Coinhive's client-side JS is being used but the mining pool it connects to is different. The hackers in such cases may be using open-source projects such as https://github.com/cazala/coin-hive-stratum that describes itself as "use CoinHive's JavaScript miner on any stratum pool".

https://twitter.com/BullTechno/status/963905213131354112

Re: Cryptojacking

Posted: Thu Feb 22, 2018 1:58 pm
by intense

Re: Cryptojacking

Posted: Thu Feb 22, 2018 11:37 pm
by gotitbro
Yes, the first time I noticed a cryptojacking script (Coinhive) was on a video streaming site; that was before adblockers started blocking them.

While it is true that most of the sites are using their own self-hosted solutions, they still load Coinhive's client-side mining script. So if you are using an adblocker or antivirus you should be safe.

PS: Adguard's blog is pretty dope.

Re: Cryptojacking

Posted: Mon Apr 02, 2018 5:15 pm
by intense

Re: Cryptojacking

Posted: Wed Apr 04, 2018 8:39 pm
by gotitbro
That's good but the major source for cryptojacking is compromised websites, not the extensions.

Also it looks like the cryptojacking is dying out, haven't seen any website like that recently.

Re: Cryptojacking

Posted: Mon Sep 03, 2018 11:33 am
by dianadsouza
The End of Cryptojacking?

The Mozilla Foundation announced on August 30 that future versions of its Firefox browser will block crypto-related malware. The move is part of its anti-tracking initiative which began in 2016.

More info here: https://coinpedia.org/news/firefox-upgr ... g-malware/

Re: Cryptojacking

Posted: Tue Feb 05, 2019 2:00 pm
by intense
Mozilla Adding CryptoMining and Fingerprint Blocking to Firefox

https://www.bleepingcomputer.com/news/s ... o-firefox/

Re: Cryptojacking

Posted: Wed May 22, 2019 7:06 am
by intense
https://www.ghacks.net/2019/02/05/firef ... rotection/

Firefox 67: Cryptomining and Fingerprinting protection