Posted: Wed Nov 22, 2017 5:24 pm
https://www.theregister.co.uk/2017/11/2 ... coin_hive/
Crypto-jackers enlist Google Tag Manager to smuggle alt-coin miners
Ad giant has malware detection in its script-hosting service... but Coin Hive isn't flagged
Posted: Thu Nov 30, 2017 12:17 pm
Persistent drive-by cryptomining coming to a browser near you
https://blog.malwarebytes.com/cybercrim ... -near-you/
Cryptominer in Chrome Extension
Posted: Sun Dec 31, 2017 8:59 pm
An extension named Archive Poster, which advertises itself as a Tumblr enhancer/mod, has been caught using the browsers of its users to mine the cryptocurrency Monero. It appears that the code to mine cryptocurrency was added at the start of December and uses the Coinhive miner. It did this surreptitiously without informing the users. The extension has over 100,000 users, so the scale is quite big.
Users have been reporting this extension to Google for a month now but no action has been taken.
Many other extensions have also been subject to phishing attacks this year; some of these were also hijacked and adware code was added to them.
This is one of the reasons why I don't use many extensions (along with the reason that they slow down the browser) and why you should probably go for open source ones.
Archive Poster extension (the URL results in a 404 now, looks like the extension has been removed)
This incident pretty much summarizes what has been happening this past year, i.e., malware ads on a high rise and cryptominers making a huge wave in the past few months.
This reminds me, have a great year ahead guys and Happy New Year, 2018
Posted: Sun Dec 31, 2017 9:30 pm
Posted: Sun Dec 31, 2017 10:51 pm
Looks like the extension was removed by the developers themselves:
Google took no action even after repeated complaints; it seems like they don't have a policy to ban cryptojacking/cryptomining extensions. I would suggest everyone be extremely cautious when installing an extension these days; it could likely turn out to be like this.
Extension developers are the target of attack these days and should be careful as well @gorhill
Posted: Sun Dec 31, 2017 11:30 pm
One of the reasons to use the uBlock Privacy list, Google Tag Manager is completely blocked through that.
While shady websites (like streaming, downloads, torrents etc.) employ these cryptojackers on their own, the instances of cryptojackers on major websites seem to be done by hackers on the lookout for compromised websites via third-party addons, libraries etc. (according to the article).
I hope you stay safe out there; it might be that some Cloudflare addons are affected as well. Probably stay on the lookout for phishing attacks as well; they are getting even more prominent nowadays.
Posted: Mon Jan 01, 2018 10:07 am
gotitbro wrote: ↑
Sun Dec 31, 2017 11:30 pm
@Lanik I hope you stay safe out there; it might be that some Cloudflare addons are affected as well. Probably stay on the lookout for phishing attacks as well; they are getting even more prominent nowadays.
Thanks for your concern, but this isn't my first rodeo.
Posted: Mon Jan 01, 2018 2:15 pm
Crypto miners need web workers to mine successfully. uMatrix is now able to shut down that API via a new switch introduced in the dev version by Gorhill. You can also use a CSP filter if you're on uBO and restrict the worker-src.
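Added example, not part of the original posts and not uBlock Origin's or uMatrix's own code: a small checker for whether a set of Content-Security-Policy strings blocks web workers, following the CSP Level 3 fallback order for `worker-src`. The filter line in the comment uses uBO's `$csp=` option with a placeholder hostname, and the sample policies are constructed.

```javascript
// A uBO static filter of the kind the post describes could look like:
//   ||example.com^$csp=worker-src 'none'      (example.com is a placeholder)
// It adds one more policy to the page; the checker below shows why that is enough.

// Order in which a browser looks for the directive governing workers (CSP Level 3).
const WORKER_FALLBACK = ["worker-src", "child-src", "script-src", "default-src"];

// Parse one policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report which directive governs workers and whether it blocks them entirely.
function workerPolicy(policy) {
  const directives = parseCsp(policy);
  for (const name of WORKER_FALLBACK) {
    if (!directives.has(name)) continue;
    const sources = directives.get(name);
    // An empty source list matches nothing, exactly like 'none'.
    const blocked = sources.length === 0 ||
      (sources.length === 1 && sources[0].toLowerCase() === "'none'");
    return { directive: name, sources, blocked };
  }
  return { directive: null, sources: [], blocked: false };
}

// Every policy on a page must allow a load, so one blocking policy is enough.
function workersBlocked(policies) {
  return policies.some((p) => workerPolicy(p).blocked);
}

// Constructed sample policies: what a site might send, and what a filter injects.
const SITE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example";
const INJECTED_POLICY = "worker-src 'none'";
console.log(workerPolicy(SITE_POLICY));
console.log(workersBlocked([SITE_POLICY, INJECTED_POLICY]));
```

A site policy without `worker-src` falls back to `script-src` or `default-src`, so workers from any origin allowed there can still start; the injected policy closes that gap regardless of what the site sends.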
Posted: Sat Jan 27, 2018 7:15 pm
Google ads on YouTube were caught serving Coinhive JS to mine cryptocurrency. Google says they have fixed the issue but it seems cryptojackers will be seen in other ads/ad networks now.
This will only increase the cryptojacker epidemic as serving them through ads is much easier than gaining access to a website and then adding the code.
Posted: Sun Jan 28, 2018 3:23 pm
Google ads on YouTube were caught serving Coinhive JS to mine cryptocurrency.
They said the attackers behind the ads were abusing Google's DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain.
That's the key info they add to their blog post hidden somewhere in the middle. Google itself would never resort to such short term gimmicks.
Posted: Mon Jan 29, 2018 5:49 am
@-Mark- Yes, I meant the ads served by Google/Doubleclick not ads of Google itself. Should've used better phrasing.
Posted: Tue Feb 13, 2018 11:56 pm
Someone tried to inject Coinhive in iTunes by putting the cryptojacking script in podcast names. Wonder how it got past Apple's security checks.
It's not working, i.e., it does not mine/activate Coinhive, but here is the podcast with the cryptojacking podcast names:
Here is a list of other sites that have been injected with the same Coinhive sitekey
Posted: Wed Feb 14, 2018 10:04 pm
Even government websites have been hacked and injected with Coinhive
Govt. websites of US, UK, Australia that were using the text-to-speech plugin Browsealoud were injected with the Coinhive cryptojacker. The Browsealoud plugin was hacked and cryptojacking code was added to its JS files. So any website that used the plugin (seems like many govt. websites do) was injected with Coinhive.
Texthelp, which makes the plugin, says the issue has been fixed but the Browsealoud plugin was taken down for some time to remove the cryptojacking code. This cryptojacking trend shows no signs of stopping; better be vigilant these days.
Posted: Thu Feb 15, 2018 8:08 am
This sounds more intentional considering it's going too rampant. I highly doubt those websites getting hacked so easily.
Posted: Thu Feb 15, 2018 1:12 pm
-Mark- wrote: ↑
Thu Feb 15, 2018 8:08 am
I highly doubt those websites getting hacked so easily.
Looking at the news, many of these hacked websites are being infected via compromised plugins (especially on WordPress) and scripts. It seems like it is not the hacking that has increased but that the hackers have found an easy way to monetize from this.
Coinhive has also joined Twitter to answer some of the questions regarding unauthorized usage. For example, in the iTunes case above only Coinhive's client side JS is being used but the mining pool it connects to is different. The hackers in such cases may be using open-source projects such as https://github.com/cazala/coin-hive-stratum
Posted: Thu Feb 22, 2018 1:58 pm
Posted: Thu Feb 22, 2018 11:37 pm
Yes, the first time I noticed a cryptojacking script (Coinhive) was on a video streaming site; that was before adblockers started blocking them.
While it is true that most of the sites are using their own self-hosted solutions, they still load Coinhive's client side mining script. So if you are using an adblocker or antivirus you should be safe.
PS: Adguard's blog is pretty dope.
Posted: Mon Apr 02, 2018 5:15 pm
Posted: Wed Apr 04, 2018 8:39 pm
That's good but the major source for cryptojacking is compromised websites, not the extensions.
Also it looks like the cryptojacking is dying out, haven't seen any website like that recently.