Cryptocurrency mining is currently all the rage and cybercriminals have been quick to hop onto the bandwagon. While it is not illegal to mine cryptocurrency in most countries, threat actors have been deploying malware and slipping in scripts designed to hijack the resources of end users’ computers to secretly mine digital currencies, without their knowledge or consent.
Coinhive is one cryptomining service that has been in the limelight for being involved in multiple cryptojacking incidents and has since shot to the top of security threat lists less than a year after its debut.
Launched in September 2017, the browser-based service mines the Monero cryptocurrency using visitors' CPUs and was touted as an alternative way for websites to generate revenue, perhaps as a replacement for advertising.
Monero is also a more stealthy, privacy-centric cryptocurrency, which makes it an attractive option for cybercriminals who want to hide the money trail, as opposed to the better-known Bitcoin, whose public ledger is more closely monitored by law enforcement agencies.
Coinhive's intensive mining process drains CPU power, significantly degrades the machine's performance and guzzles electricity, often without the visitor's knowledge or express consent.
Meanwhile, the mined coins are credited to the site owner's account. The owner keeps a 70% share while Coinhive takes the remaining 30%.
The easy-to-use service became an instant hit as cryptomining turned into a gold rush of sorts. It was also abused almost immediately.
In October 2017, the firm unveiled a new API called AuthedMine that explicitly requires user input before any mining starts. According to Malwarebytes' data, the opt-in version of the API was used by only about 40,000 users per day, compared with nearly 3 million users for the silent-mining version.
The developers behind Coinhive have maintained that they never intended for the miner to be abused.
According to Check Point researchers, miners often use as much as 65% of end users’ CPU power. In some cases, security researchers have observed that websites running an unthrottled miner significantly damaged device performance and even crippled machines by using 100% of a victimized device’s computing power.
The cryptomining epidemic
Although the developers behind Coinhive have stated they have a strict policy against using their service on compromised sites, its code has been increasingly abused by hackers in cryptojacking and malware attacks.
In some cases, site owners themselves run the miner, either hidden from visitors or offered as an opt-in alternative to pop-up ads. Popular torrent site The Pirate Bay was an early adopter of Coinhive.
In other cases, websites have been compromised by a third party that injects the miner and mines without the knowledge or consent of either the visitors or the site's owners. Multiple popular, high-traffic websites have fallen victim to such attacks, including The Los Angeles Times, Showtime, Blackberry's official site, Politifact and football star Cristiano Ronaldo's website.
Coinhive’s code was also spotted hidden in web pages served up by a free WiFi hotspot at a Starbucks store in Buenos Aires, YouTube ads through Google’s DoubleClick platform in countries such as France, Taiwan, Japan and Spain, as well as Texthelp’s BrowseAloud plugin.
To maximize profits and reduce hardware costs to a minimum, cybercriminals surreptitiously inject the mining code in multiple vulnerable websites to silently generate illegal revenue unbeknownst to the site’s visitors.
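A site owner or incident responder who suspects one of the injections described above needs a quick way to tell whether a page carries a Coinhive-style miner, whether it loads the silent library or the opt-in AuthedMine one, and how hard the miner is throttled. The Python scanner below is an added example written for this article, not Coinhive's code or any vendor's tool. The loader URLs and `CoinHive.Anonymous` / `CoinHive.User` constructor names it matches, and the assumption that a missing `throttle` option means no throttling, are illustrative signatures based on how the libraries were typically embedded; a production scanner would use a maintained blocklist. The sample pages are constructed for the example, not captured from any of the sites named.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Illustrative signatures, assumed for this example: the script hosts and
# constructor names the silent Coinhive library and the opt-in AuthedMine
# library were typically embedded with. Real deployments should use a
# maintained blocklist rather than these hard-coded strings.
SILENT_LOADERS = ("coinhive.com/lib/coinhive.min.js",)
OPTIN_LOADERS = (
    "authedmine.com/lib/authedmine.min.js",
    "authedmine.com/lib/simple-ui.min.js",
)

SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
# Matches new CoinHive.Anonymous('SITE_KEY', {...}) and new CoinHive.User('SITE_KEY', ...)
CONSTRUCTOR_RE = re.compile(r"new\s+CoinHive\.(Anonymous|User)\s*\(\s*['\"]([^'\"]+)['\"]")
THROTTLE_RE = re.compile(r"\bthrottle\s*:\s*([0-9]*\.?[0-9]+)")


@dataclass
class MinerFinding:
    loader: Optional[str]    # loader script URL referenced by the page, if any
    opt_in: bool             # True when the AuthedMine (explicit-consent) library is used
    site_key: Optional[str]  # site key the hashes are credited to, if visible in the page
    throttle: float          # fraction of time the miner idles: 0.0 = unthrottled, 0.3 = ~70% CPU
    verdict: str


def scan_page(html: str) -> Optional[MinerFinding]:
    """Return a MinerFinding if the page embeds a Coinhive-style miner, else None."""
    loader, opt_in = None, False
    for src in SCRIPT_SRC_RE.findall(html):
        low = src.lower()
        if any(sig in low for sig in OPTIN_LOADERS):
            loader, opt_in = src, True
            break
        if any(sig in low for sig in SILENT_LOADERS):
            loader = src
            break

    ctor = CONSTRUCTOR_RE.search(html)
    if loader is None and ctor is None:
        return None

    site_key = ctor.group(2) if ctor else None
    thr = THROTTLE_RE.search(html)
    # Assumption for this example: no throttle option means the miner runs unthrottled.
    throttle = float(thr.group(1)) if thr else 0.0

    if opt_in:
        verdict = "opt-in miner (AuthedMine); confirm the consent prompt is actually shown"
    elif loader is None:
        verdict = "CoinHive constructor without a visible loader: library inlined or obfuscated, treat as injected"
    elif throttle == 0.0:
        verdict = "silent unthrottled miner: takes all idle CPU, cryptojacking unless the site discloses it"
    else:
        cpu = round((1 - throttle) * 100)
        verdict = f"silent miner throttled to ~{cpu}% CPU; still undisclosed to visitors"
    return MinerFinding(loader, opt_in, site_key, throttle, verdict)


# Constructed sample pages for the example (not real captures); the site key is a placeholder.
INJECTED_PAGE = """<html><head><title>News</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('EXAMPLESITEKEY000000000000000000');
miner.start();</script></head><body>...</body></html>"""

THROTTLED_PAGE = """<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>new CoinHive.Anonymous('EXAMPLESITEKEY000000000000000000', {throttle: 0.3}).start();</script>"""

OPTIN_PAGE = """<script src="https://authedmine.com/lib/authedmine.min.js"></script>
<script>var miner = new CoinHive.Anonymous('EXAMPLESITEKEY000000000000000000', {throttle: 0.5});
miner.start();</script>"""

CLEAN_PAGE = '<html><head><script src="/static/app.js"></script></head><body>hello</body></html>'

if __name__ == "__main__":
    for name, page in [("injected", INJECTED_PAGE), ("throttled", THROTTLED_PAGE),
                       ("opt-in", OPTIN_PAGE), ("clean", CLEAN_PAGE)]:
        print(f"{name}: {scan_page(page)}")
```

Run it against saved copies of your own pages (or a crawler's output) rather than live HTML, and treat a constructor match with no visible loader as the most suspicious case: third-party injections such as the BrowseAloud one tend to inline or obfuscate the library rather than reference the well-known host.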
As a result, multiple security firms have tracked and highlighted Coinhive’s code as a top malware threat.
In late 2017, Check Point's Global Threat Index reported that cryptominers are becoming a prolific threat in the cybersecurity landscape, with Coinhive and other variants making its list of Ten Most Wanted Malware. Malwarebytes says it has been blocking the original Coinhive API and variants 8 million times a day on average, about 248 million blocks per month.
“We do not claim that Coinhive is malicious, or even necessarily a bad idea,” Malwarebytes researchers said. “The concept of allowing folks to opt-in for an alternative to advertising, which has been plagued by everything from fake news to malvertising, is a noble one. The execution of it is another story.”
Malwarebytes researchers said they block Coinhive because many site owners do not request express permission from their users to run the intensive mining process on their systems. However, they do offer users who want to use Coinhive the option to add it as an exception.
Malware-based versus browser-based cryptominers
While malware-based cryptocurrency miners rely on infecting a machine to generate coins, drive-by cryptomining via hijacked websites depends only on how long a visitor remains on the compromised site. If the user navigates away or closes the tab, the mining should stop. However, attackers can still make drive-by mining persistent with pop-under windows that keep running after the visible tab is closed, or with compromised browser extensions that load the miner on every page.
While Coinhive does hope to restore legitimacy to its popular service as a legal means for website owners to earn revenue as ad-blocking software usage continues to rise, cybercriminals have been quick to establish a troubling trend of using end users’ CPU resources for their own monetary gain.
So long as cryptocurrencies continue to rise in value, usage and popularity, the dark side of the volatile market, seen in cryptomining attacks and the abuse of Coinhive's code, will only continue to spread.