Cryptojacking

Discussion of topics related to ad blocking.

Moderator: EasyList Authors

intense
Contributor
Posts: 7814
Joined: Wed Mar 27, 2013 9:56 am
Reputation: 114

Cryptojacking

Post by intense » Wed Nov 22, 2017 5:24 pm

https://www.theregister.co.uk/2017/11/2 ... coin_hive/

Crypto-jackers enlist Google Tag Manager to smuggle alt-coin miners
Ad giant has malware detection in its script-hosting service... but Coin Hive isn't flagged

intense
Contributor
Posts: 7814
Joined: Wed Mar 27, 2013 9:56 am
Reputation: 114

Post by intense » Thu Nov 30, 2017 12:17 pm

Persistent drive-by cryptomining coming to a browser near you

https://blog.malwarebytes.com/cybercrim ... -near-you/

gotitbro
Postaholic
Posts: 854
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 5

Post by gotitbro » Sun Dec 31, 2017 8:59 pm

An extension named Archive Poster, which advertises itself as a Tumblr enhancer/mod, has been caught using the browsers of its users to mine the cryptocurrency Monero. It appears that the code to mine cryptocurrency was added at the start of December and uses the Coinhive miner. It did this surreptitiously, without informing the users. The extension has over 100,000 users, so the scale is quite big.

Users have been reporting this extension to Google for a month now, but no action has been taken.

Many other extensions have also been subject to phishing attacks this year; some of these were also hijacked and adware code was added to them.

This is one of the reasons why I don't use many extensions (along with the reason that they slow down the browser) and why you should probably go for open source ones.

Archive Poster extension (the URL results in a 404 now, looks like the extension has been removed):

https://chrome.google.com/webstore/detail/archive-poster/ceakpicibkmdilicebgddflnfbpmcpgd/
H/T:

https://www.bleepingcomputer.com/news/security/chrome-extension-with-100-000-users-caught-pushing-cryptocurrency-miner/

This incident pretty much summarizes what has been happening this past year, i.e., malware ads on the rise and cryptominers making a huge wave in the past few months.


This reminds me, have a great year ahead guys and Happy New Year, 2018 :banana:.

intense
Contributor
Posts: 7814
Joined: Wed Mar 27, 2013 9:56 am
Reputation: 114

Post by intense » Sun Dec 31, 2017 9:30 pm


gotitbro
Postaholic
Posts: 854
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 5

Post by gotitbro » Sun Dec 31, 2017 10:51 pm

Looks like the extension was removed by the developers themselves:

https://productforums.google.com/forum/#!topic/chrome/b0JUzg4HYtI

Google took no action even after repeated complaints; it seems they don't have a policy to ban cryptojacking/cryptomining extensions. I would suggest everyone be extremely cautious when installing an extension these days, as it could likely turn out to be like this.

Extension developers are the target of attacks these days and should be careful as well, @gorhill.

gotitbro
Postaholic
Posts: 854
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 5

Post by gotitbro » Sun Dec 31, 2017 11:30 pm

intense wrote:
Wed Nov 22, 2017 5:24 pm
https://www.theregister.co.uk/2017/11/2 ... coin_hive/

Crypto-jackers enlist Google Tag Manager to smuggle alt-coin miners
Ad giant has malware detection in its script-hosting service... but Coin Hive isn't flagged
One of the reasons to use the uBlock Privacy list, Google Tag Manager is completely blocked through that.

While shady websites (like streaming, downloads, torrents, etc.) employ these cryptojackers on their own, the instances of cryptojackers on major websites seem to be done by hackers on the lookout for compromised websites via third-party addons, libraries, etc. (according to the article).

@Lanik I hope you stay safe out there; it might be that some Cloudflare addons are affected as well. Probably stay on the lookout for phishing attacks as well; they are getting even more prominent nowadays.

Lanik
Site Owner
Posts: 1490
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 25
Location: /dev/null

Post by Lanik » Mon Jan 01, 2018 10:07 am

gotitbro wrote:
Sun Dec 31, 2017 11:30 pm
@Lanik I hope you stay safe out there, might be that some Cloudflare addons are affected as well. Probably stay on the lookout for phishing attacks as well they are getting even more prominent nowadays.
Thanks for your concern, but this isn't my first rodeo.
"If it ain't broke don't fix it."

-Mark-
Postaholic
Posts: 359
Joined: Tue Jul 05, 2016 7:46 pm
Reputation: 16

Post by -Mark- » Mon Jan 01, 2018 2:15 pm

Crypto miners need web workers to mine successfully. uMatrix is now able to shut down that API via a new switch introduced in the dev version by Gorhill. You can also use a CSP filter if you're on uBO and restrict the worker-src values.
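The reason a separate worker-src restriction matters is the CSP fallback chain: when a policy has no worker-src, workers are governed by child-src, then script-src, then default-src, so a script-src that whitelists a CDN also lets a compromised script on that CDN spawn a mining worker. The checker below is an added example written for this thread (not code from uBO, uMatrix or any post here); every hostname and URL in it is constructed.

```javascript
// Added example (not from the thread, uBO or uMatrix): decides whether a
// page's Content-Security-Policy lets a script start a Web Worker from a
// given URL. Workers fall back through worker-src -> child-src ->
// script-src -> default-src (CSP3), so a policy that only sets script-src
// also governs workers until an explicit worker-src is added. All URLs
// and hostnames used with this code are constructed for illustration.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// "name v1 v2; name v3" -> Map of lower-cased directive name to its values.
// A repeated directive is ignored (first occurrence wins), as browsers do.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// The source list that governs workers, or null when no directive does.
function workerSourceList(policy) {
  const name = WORKER_FALLBACK.find(d => policy.has(d));
  return name === undefined ? null : policy.get(name);
}

// One CSP source expression (keyword, scheme source or host source) against one URL.
function sourceMatches(expr, url, pageOrigin) {
  const u = new URL(url);
  if (expr === '*') return true;
  if (expr.startsWith("'")) return expr === "'self'" && u.origin === pageOrigin; // 'none' etc. never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase(); // e.g. https: or blob:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*\s]+)(?::(\d+|\*))?(\/\S*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== u.protocol) return false;
  const h = host.toLowerCase();
  if (!(wildcard ? u.hostname.endsWith(`.${h}`) : u.hostname === h)) return false;
  if (port && port !== '*' && port !== (u.port || (u.protocol === 'https:' ? '443' : '80'))) return false;
  if (!path) return true;
  return path.endsWith('/') ? u.pathname.startsWith(path) : u.pathname === path;
}

// True when the policy permits `new Worker(workerUrl)` on a page at pageOrigin.
function workerAllowed(header, workerUrl, pageOrigin) {
  const sources = workerSourceList(parseCsp(header));
  if (sources === null) return true; // nothing in the policy restricts workers
  return sources.some(expr => sourceMatches(expr, workerUrl, pageOrigin));
}
```

Running it against a policy with and without `worker-src 'none'` shows the point: the same script-src whitelist permits a worker from the CDN until worker-src is set.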

gotitbro
Postaholic
Posts: 854
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 5

Post by gotitbro » Sat Jan 27, 2018 7:15 pm

So even ads are now serving crypto-mining JavaScript. We have heard of websites implementing crypto-mining or being hacked to crypto-mine; this being done through ads seems to be fairly new.

Google ads on YouTube were caught serving Coinhive JS to mine cryptocurrency. Google says they have fixed the issue but it seems cryptojackers will be seen in other ads/ad networks now.

This will only increase the cryptojacker epidemic, as serving them through ads is much easier than gaining access to a website and then adding the code.

Source: https://arstechnica.com/information-technology/2018/01/now-even-youtube-serves-ads-with-cpu-draining-cryptocurrency-miners/

-Mark-
Postaholic
Posts: 359
Joined: Tue Jul 05, 2016 7:46 pm
Reputation: 16

Post by -Mark- » Sun Jan 28, 2018 3:23 pm

Google ads on YouTube were caught serving Coinhive JS to mine cryptocurrency.
They said the attackers behind the ads were abusing Google's DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain.
That's the key info they add to their blog post, hidden somewhere in the middle. Google itself would never resort to such short-term gimmicks.

gotitbro
Postaholic
Posts: 854
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 5

Post by gotitbro » Mon Jan 29, 2018 5:49 am

@-Mark- Yes, I meant the ads served by Google/Doubleclick not ads of Google itself. Should've used better phrasing.

gotitbro
Postaholic
Posts: 854
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 5

Post by gotitbro » Tue Feb 13, 2018 11:56 pm

Someone tried to inject Coinhive in iTunes by putting the cryptojacking script in podcast names. Wonder how it got past Apple's security checks.

It's not working, i.e., it does not mine/activate Coinhive, but here is the podcast with the cryptojacking podcast names:
https://itunes.apple.com/us/podcast/k6.revue/id269035643?mt=2

Here is a list of other sites that have been injected with the same Coinhive sitekey:

https://publicwww.com/websites/49dVbbCFDuhg9nX5u1MDuATVZj7gQehytZwvXEUuWg9kfhNPWH7bUD87VW1NfjqucRZNNVTb1AHGUK2fkq5Nd55mLNnB4WK/
Source: https://twitter.com/fs0c131y/status/963341838462717952

gotitbro
Postaholic
Posts: 854
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 5

Post by gotitbro » Wed Feb 14, 2018 10:04 pm

Even government websites have been hacked and injected with Coinhive.

Govt. websites of the US, UK and Australia that were using the text-to-speech plugin Browsealoud were injected with the Coinhive cryptojacker. The Browsealoud plugin was hacked and cryptojacking code was added to its JS files. So any website that used the plugin (seems like many govt. websites do) was injected with Coinhive.

Texthelp, which makes the plugin, says the issue has been fixed, but the Browsealoud plugin was taken down for some time to remove the cryptojacking code. This cryptojacking trend shows no signs of stopping; better be vigilant these days.

https://www.theguardian.com/technology/2018/feb/12/cryptojacking-attack-hits-australian-government-websites

-Mark-
Postaholic
Posts: 359
Joined: Tue Jul 05, 2016 7:46 pm
Reputation: 16

Post by -Mark- » Thu Feb 15, 2018 8:08 am

This sounds more intentional considering it's getting so rampant. I highly doubt those websites got hacked so easily.

gotitbro
Postaholic
Posts: 854
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 5

Post by gotitbro » Thu Feb 15, 2018 1:12 pm

-Mark- wrote:
Thu Feb 15, 2018 8:08 am
I highly doubt those websites getting hacked so easily.
Looking at the news, many of these hacked websites are being infected via compromised plugins (especially on WordPress) and scripts. It seems like it is not the hacking that has increased, but that the hackers have found an easy way to monetize this.

Coinhive has also joined Twitter to answer some of the questions regarding unauthorized usage. For example, in the iTunes case above only Coinhive's client-side JS is being used, but the mining pool it connects to is different. The hackers in such cases may be using open-source projects such as https://github.com/cazala/coin-hive-stratum, which describes itself as "use CoinHive's JavaScript miner on any stratum pool".

https://twitter.com/BullTechno/status/963905213131354112


gotitbro
Postaholic
Posts: 854
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 5

Post by gotitbro » Thu Feb 22, 2018 11:37 pm

Yes, the first time I noticed a cryptojacking script (Coinhive) was on a video streaming site; that was before adblockers started blocking them.

While it is true that most of the sites are using their own self-hosted solutions, they still load Coinhive's client-side mining script. So if you are using an adblocker or antivirus you should be safe.

PS: Adguard's blog is pretty dope.

intense
Contributor
Posts: 7814
Joined: Wed Mar 27, 2013 9:56 am
Reputation: 114

Post by intense » Mon Apr 02, 2018 5:15 pm


gotitbro
Postaholic
Posts: 854
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 5

Post by gotitbro » Wed Apr 04, 2018 8:39 pm

That's good, but the major source of cryptojacking is compromised websites, not the extensions.

Also it looks like the cryptojacking is dying out, haven't seen any website like that recently.
