Cryptojacking is Everywhere, It's Getting Worse Each Day

[monkeymagick]

Excuse the scaremongering, but Bleeping Computer reports that the internet is now full of in-browser mining scripts with no slow down in sight. Previously reporting on the influx of cryptominers ever since Coinhive launched in mid-September, the amount of clones have increased and has spread to its victims like a diseased hooker unto unsuspecting Johns.

From research on the topic, in-browser miners are usually deployed on questionable websites, such as piracy portals, illegal streaming services, adult portals, and others. A study by Palo Alto of over 1,000 sites engaged in cryptojacking found that 35% of these sites were hosted on .download and .bid domains.

Not only embedded in a hi-jacked website's code, malicious ads have found their way into ad servers and also WordPress plugins.

It is crystal clear that malware authors found their next payday in Coinhive. The next place Bleeping Computer expects to see Coinhive deployed next is adware, and especially the type of adware that hijacks search fields and inserts ads into search results.

 

[B00nie]

Make cryptocurrency illegal already. It's used only for crime.

 

[Spidey329]

Make cryptocurrency illegal already. It's used only for crime.

Lol.

 

[prime2515102]

NoScript is yer friend.

 

[STrAYeR]

Spreading like zombies. This is the exact reason I got anti-miner add-ons.

 

[BulletDust]

NoScript is yer friend.

NoScript's great if you wanna see half a website.

Edit the hosts file, make the miners point to the localhost.

 

[DTN107]

I think my regular porn sites are doing it as well.

 

[Kdawg]

I think my regular porn sites are doing it as well.

yes, one site that uploads lots of FHD and 4k porn is running a miner. I block that shit with noscript, and temp unblock when I want to grab the download links.

NoScript's great if you wanna see half a website.

Edit the hosts file, make the miners point to the localhost.

my firefox ignores my hosts file. I think Chrome ignores it as well.
it used to work ages ago, but recently noticed that it doesn't do shit when i try to add spam sites to my hosts.

so i manually whitelist in noscript until i see enough of the website.

 

[BulletDust]

yes, one site that uploads lots of FHD and 4k porn is running a miner. I block that shit with noscript, and temp unblock when I want to grab the download links.





my firefox ignores my hosts file. I think Chrome ignores it as well.
it used to work ages ago, but recently noticed that it doesn't do shit when i try to add spam sites to my hosts.

so i manually whitelist in noscript until i see enough of the website.

I'm running Firefox Quantum 57.0b9 and I can assure you that when it comes to cryptojacking, it's not ignoring the hosts file.

Having said that, I do run Linux. Windows 10 in general probably ignores the hosts file because that'd be giving the end user too much control.

 

[B00nie]

I'm running Firefox Quantum 57.0b9 and I can assure you that when it comes to cryptojacking, it's not ignoring the hosts file.

Having said that, I do run Linux. Windows 10 in general probably ignores the hosts file because that'd be giving the end user too much control.

Like blocking MS updates, ads and telemetry

 

[Pieter3dnow]

This is worrying somewhat

Disabling JavaScript is not an option, since most sites these days rely on it and most W3C APIs do too.

 

[knowom]

NoScript is yer friend.

Yeah unfortunately it's not really supported yet in FF57.

 

[rudedog]

If a site is upfront and notifies you what they are doing, I'm fine with that. As well as only running when said tab/page is in focus, this could be much better then ad infested pages. Sites with heavy ads all over the place are already taking up CPU and bandwidth. At least this would only take up unused CPU cycles while you sit there reading a site. It does not eat any bandwidth other then the original small script loading.

It could help sites like [H] to receive more revenue then old school ads. The longer you stick around the more money the site can make.

Again be upfront with your users, this could revolutionize how sites monetize themselves.

 

[prime2515102]

If a site is upfront and notifies you what they are doing, I'm fine with that. As well as only running when said tab/page is in focus, this could be much better then ad infested pages. Sites with heavy ads all over the place are already taking up CPU and bandwidth. At least this would only take up unused CPU cycles while you sit there reading a site. It does not eat any bandwidth other then the original small script loading.

It could help sites like [H] to receive more revenue then old school ads. The longer you stick around the more money the site can make.

Again be upfront with your users, this could revolutionize how sites monetize themselves.

It's also a sneaky way to charge people money (in the form of a higher electric bill) for using a site. I'm sure most people here would be well aware of this, but the average joe would likely be oblivious.

 

[Putz]

malwarebytes just blocks anything to do with the site, wish the monopoly money fad would die off

 

[prime2515102]

Windows 10 in general probably ignores the hosts file because that'd be giving the end user too much control.

I'm pretty sure Spybot Search and Destroy still uses the hosts file for immunization, and it supports Win10, so I would guess not.

 

[rudedog]

It's also a sneaky way to charge people money (in the form of a higher electric bill) for using a site. I'm sure most people here would be well aware of this, but the average joe would likely be oblivious.

I bet for the time spent on a web site like this you would not even see the difference on your electric bill. Again you need to let your clients know what you are doing and not be sneaky about it. I currently pay 11.42 cents per kWh. I bet my Synology NAS costs more to record my video camera data then it would cost to help a bunch of known good web site out where ad revenue has tanked year over year.

Again I agree don't be sneaky about it, be up front. I just checked out two site and my CPU went to about 52%, had no effect on anything else (photoshop, sketchup, 3DS (slicer for 3Dprinter) all running under load at the same time, without noticeable effect on other programs. What I did notice, is the CPU stayed at 50% when that tab or FF windows was not the one in focus,which I don't agree with.

There's got to be a better way for sites to support themselves without going full paywall or donations and not be intrusive.

 

[prime2515102]

Well that's not so bad then. I thought it would pin all cores at 100% or something.

 

[Sikkyu]

Make cryptocurrency illegal already. It's used only for crime.

just hand over your guns, they are only used for crime.

How ignorant is this statement?

 

[Vermillion]

This is actually a very interesting conundrum. Technically there is no security issue here so this actually could be used for good instead of the shady ass way it's being used for. Javascript is javascript and it's already running on every page we visit. So why not be open about it and offer it as a way for people to help a website monetize and not need ads?

For example the [H] could give you the option to either see ads or run mining javascript in the background. It's not going to obliterate your laptop battery or anything. It's not going to raise your power bill. Win-win if you ask me.

 

[Axiomatic]

Honestly, I would prefer that companies use my CPU for mining than me having to view the advertisements? I definitely do not like the double dipping though. Both mining and advertisements are not ok. I envision a world where I get a choice? Not joking either. If they got to use 1% of my CPU, that is worth it to me to not have to see the advertisements.

 

[knowom]

just hand over your guns, they are only used for crime.

How ignorant is this statement?

Which part of it...it's hard to imagine people still use guns to hunt with outside of the sanctuaries of high rise buildings in the cities where animal life still exists on this planet.

 

[OnceSetThisCannotChange]

Honestly, I would prefer that companies use my CPU for mining than me having to view the advertisements? I definitely do not like the double dipping though. Both mining and advertisements are not ok. I envision a world where I get a choice? Not joking either. If they got to use 1% of my CPU, that is worth it to me to not have to see the advertisements.

Even better make this into a slider (1-25% CPU usage) and to top it off give some cookies to users who are large supporters.

It's a win-win-win, choice, no ads and $$$.

 

[travisty]

just hand over your guns, they are only used for crime.

I'd love it if the US required people to justify buying a gun.

Buying a hunting rifle:
I like to go hunting
Ok!

Buying an assault rifle:
I like to go hunting.
Nope!

Buying a handgun:
I want to protect myself
Ok!

Buying a 3rd handgun:
I want to protect myself
Umm... don't you already have two guns? Why do you need a thrird?

 

[Sikkyu]

I'd love it if the US required people to justify buying a gun.

Buying a hunting rifle:
I like to go hunting
Ok!

Buying an assault rifle:
I like to go hunting.
Nope!

Buying a handgun:
I want to protect myself
Ok!

Buying a 3rd handgun:
I want to protect myself
Umm... don't you already have two guns? Why do you need a thrird?

again, pretty uninformed every way.

 

[zkostik]

Even better make this into a slider (1-25% CPU usage) and to top it off give some cookies to users who are large supporters.

It's a win-win-win, choice, no ads and $$$.

Except this is designed for malicious mining. Most folks who know anything about cryptocurrency or security will want this crap disabled. I would not allow this on any of my systems under any circumstances.

 

[travisty]

again, pretty uninformed every way.

And you lack the ability to critically think - thus what makes sense is over your head

 

[Vermillion]

Except this is designed for malicious mining. Most folks who know anything about cryptocurrency or security will want this crap disabled. I would not allow this on any of my systems under any circumstances.

It doesn't have to be malicious. Cryptojacking like in the original article is one thing but offering crypto mining as an alternative to ads is completely different. The key is transparency. Just be very open about the cryptomining option. It would work. I'd do it for the [H] in a heartbeat.

 

[OnceSetThisCannotChange]

Except this is designed for malicious mining. Most folks who know anything about cryptocurrency or security will want this crap disabled. I would not allow this on any of my systems under any circumstances.

Sure, cryptojacking is malicious as it's intended to be hidden, but more or less the same setup, if offered as an open choice to readers/users would be a legit way to replace ads.

 

[zkostik]

It doesn't have to be malicious. Cryptojacking like in the original article is one thing but offering crypto mining as an alternative to ads is completely different. The key is transparency. Just be very open about the cryptomining option. It would work. I'd do it for the [H] in a heartbeat.

My chief issue and concern is that it's designed to mine in the browser without installing anything, agreeing to anything, pretty much you load some page and it uses my hardware, internet, electricity to mine. That is NOT how I envision support for ANY site. You start giving into this sort of crap and it will get abused to help like you're already seeing. You can also forget about visiting such sites at work at it will raise red flags right off the bat. Trust me, this was not a nice helping hand effort to bring easy mining to the masses. This is to allow malicious mining on as many devices as possible including IoT without users knowing. And well, it's spreading like wildfire!

 

[SomeoneElse]

I'd love it if the US required people to justify buying a gun.

Buying an assault rifle:
I like to go hunting.
Nope!

You realize there is no such thing as an "assault rifle" correct? This is a arbitrary name that the government made up to regulate sales of weapons. A hunting rifle and assault rifle shoot the same caliber as the other. They also can be bolt or semi-auto. I use an AR-15 for varmint hunting (coyotes, prairie dogs, and other pest animals.)
Should probably stay on topic though.
We are talking about cryptocurrency not guns. The government says its only used for crime but alot of major companies are starting to accept bitcoins as payment. Is that a crime if they do?

 

[ob1]

I see a few issues with here, with one being, generally while we are slightly more computer savvy than the a typical user, some of us have kids, wives, family, etc that can be difficult to monitor/control and these things will affect them more than a typical [H] user. The next thing I see is that it is getting so common so fast, when will youtube or google enable these functions? Or the browser creators themselves. Will it be a problem then? Could this be enabled by internet providers? Stuff like that...

 

[knowom]

It doesn't have to be malicious. Cryptojacking like in the original article is one thing but offering crypto mining as an alternative to ads is completely different. The key is transparency. Just be very open about the cryptomining option. It would work. I'd do it for the [H] in a heartbeat.

Cryptocurrency mining I have a bridge to sell you...just make a donation it's easier and it won't degrade your system parts any in the process nor contribute to that whole global warming carbon footprint thing alarmists are so worried about nor to landfills if you are buying cards intentionally for such purposes. They have these things called alternative energies too btw where you can harvest energy for free which saves/makes money funny how crypotocurrency mining is more popular than Solyndra.

 

[OnceSetThisCannotChange]

Well... this is why it should be a choice >>> you continue to use the sites/browsers which present this as a choice to the users to turn on or not.

Ultimately there will be blockers for this as there are for ads, but those will not be necessary for sites which are open about this program.

In my case, I'd much rather be mining for sites I visit (with a legit option) than be fed all sort of ad based garbage as we currently are.

 

[Emission]

Haven't had any issues using Opera's built-in ad blocker.

 

[knowom]

Should be a choice, but is it now? Which is the point. Adwords should be a choice as well, but it's mostly isn't because a lot of web sites these days get all pissy if they aren't making free residual income. It's amazing the internet and websites ever worked at all prior to Adword's plastered in 40 spots on every page. It's reached the point to where it's virtually necessary at this point to setup a home proxy server, but it's a technical hurdle and hassle so most people don't and won't. I'm tech savvy enough and could, but haven't bothered setting up a actual dedicated PC router/proxy yet because winter is coming and reasons which is ironic because if I lost internet connection for a few hours at least with a proxy I'd still have cached web pages to view.

 

[Vermillion]

My chief issue and concern is that it's designed to mine in the browser without installing anything, agreeing to anything, pretty much you load some page and it uses my hardware, internet, electricity to mine. That is NOT how I envision support for ANY site. You start giving into this sort of crap and it will get abused to help like you're already seeing. You can also forget about visiting such sites at work at it will raise red flags right off the bat. Trust me, this was not a nice helping hand effort to bring easy mining to the masses. This is to allow malicious mining on as many devices as possible including IoT without users knowing. And well, it's spreading like wildfire!

And they're already using your hardware, internet, and electricity to show you a bunch of video playing ads, flash bullshit, and overlays that interrupt the content you want to read. Now they would just be using it in a different way that stays out of your way and isn't using your computer anymore than those shitty ads did.

Things like uBlock, ABP, and others already block the cryptojacking but wouldn't it be nice to whitelist a site and not have ads but still allow them to monetize in some way? Look I'm not saying this will ever happen. It'll be abused just like ads are. Let's face facts though. Adblocking is getting worse. More and more paywalls are going up. We've seen close up here at the [H] how adblocking hurts content providers. I'm more than willing to look at other ways to monetize. The biggest issue with crypto-mining via javascript is transparency and that can be done well. This could be a very viable alternative to traditional ads. There's no denying that, but a site that gives their users the option to do this needs to be 100% committed to the transparency piece that needs to be done. If you fail with the transparency then the whole thing fails and is no better than the cryptojacking in the original article.

EDIT: Good chance it all just dies and we all stick with ads. Google apparently looking at killing off browser crypto-mining period. https://www.bleepingcomputer.com/ne...ion-to-stop-in-browser-cryptocurrency-miners/

 

[katanaD]

like a diseased hooker unto unsuspecting Johns.

man.. that just felt like there is a personal story behind that reference..

hahahaha

 

[Ocean]

i would have no problem if hardforum used 5-25% of my desktop cpu/gpu to mine cryptocurrency while im on the site. i want this to be the way that websites pay their content creators internet-wide.

i want it built into browsers, and adjustable. I want clicks and page views as a metric to die in a fire for the shitty clickbait content they create on the internet. i want time spent on websites and webpages to be the measure of value.

 

[rudedog]

Should be a choice, but is it now? Which is the point. Adwords should be a choice as well, but it's mostly isn't because a lot of web sites these days get all pissy if they aren't making free residual income. It's amazing the internet and websites ever worked at all prior to Adword's plastered in 40 spots on every page. It's reached the point to where it's virtually necessary at this point to setup a home proxy server, but it's a technical hurdle and hassle so most people don't and won't. I'm tech savvy enough and could, but haven't bothered setting up a actual dedicated PC router/proxy yet because winter is coming and reasons which is ironic because if I lost internet connection for a few hours at least with a proxy I'd still have cached web pages to view.

So what you're saying is you would rather have sites like this, sit behind a pay wall? You would have to pay to visit/view a site. This site like many, including my own forums/site require server and interconnect fees. Believe it or not, sites cost money to run