Already 2500 online stores mine on visitors' computers

Information security experts are paying attention to the growing popularity of cryptodikeking (cryptojacking) - an imperceptible mining of cryptocurrency on the computers of site visitors. You go to a website, the laptop starts to heat up and hum. It's okay, but the owners will get some penny: such a microtransaction of its kind.



In such a micropayment business model, there would be nothing reprehensible if it were not for two facts. First, visitors are not notified about mining, so the use of computer computing resources occurs without the knowledge of the owner. Secondly, in the absolute majority of cases, mining occurs, apparently, even without the knowledge of the owners of the site itself.



Today, the script of the most popular service for cryptodikeking Coinhive is installed on 2496 e-commerce sites .



As the study by Willem de Grot showed, in 80% of cases on these sites not only the Coinhive script is installed, but also various malware for skimming - copying the details of bank payment cards of customers of stores.



Malicious users steal a bank card a little, they also want to remember a little on the computer. Literally squeezed out of the victim to the last penny, more precisely, to the last Monero coin, since Coinhive mines precisely this cryptocurrency.



Among the infected sites there are quite popular resources. For example, the official representative of the automaker Subaru in Australia - shop shop.subaru.com.au .



Willem de Groot found out that the majority of these 2,496 scripts were installed by only a few intruders. The fact is that each Coinhive user has a unique identifier on which the inked funds are charged. So, 85% of the scripts are associated with only two Coinhive identifiers. The remaining 15% is distributed among a large number of other IDs. However, in this entire group with different link IDs, the site name is the same. That is, it can be assumed that these 15% are also created by one person or group. In other words, all infections of online stores are made by three groups of intruders.



The specialist notes that in some cases the crypto miner is well hidden in the code of the pages. While some sites contain a link to the official coinhive.js file, others try to hide. Here, mining takes place through the built-in frame, which loads the contents of siteverification.online . This site demonstrates the standard installation page of the Debian distribution, but it still contains a crypto miner. Other inline frames load content from a site that impersonates the Sucuri Firewall page.



As has been said before, in order to protect against a crypto miner, you need to install a plug-in in your browser to block ads or write down the Coinhive servers in the hosts file.



127.0.0.1 coin-hive.com coinhive.com







But in any case, there is nothing to fear. Cryptodikeking is a completely harmless kind of cybercrime that doesn’t do much harm. Even if you leave the page with the miner open for a whole month, then the electricity bill will increase except for a couple of hundred rubles. Actually, such crypto miners are not much more harmful than animated flash banners, which also do not burden the CPU.



According to Trustwave , the average computer consumes 1212 Wh more electricity than usual per day for the Coinhive script. For a month out 36.36 kWh. At Moscow rates (5.38 rubles / kWh), 195 rubles 62 kopecks are obtained. In principle, not so little, but hardly anyone will leave open the tab with crypto miner for a whole month. And not all electricity rates are as high as in Moscow.



It can be assumed that no one uses the Coinhive service voluntarily. But no, there are still sites that install a miner and even openly report this to users (and give each user the opportunity to choose exactly how many hashes are allowed to be calculated on their processor). But such sites are very few. Most miners are still installed by attackers.



Mining Monero on Mac Book Air gives about 25 hashes / s, mining on a regular desktop computer - about 80 hashes / s, on the OnePlus 3t smartphone - about 12 hashes / s, so the attackers still won’t make a lot of money (see mining Monero ), especially since Coinhive takes 30% of the coins.



However, a business can make a good profit if you manage to infect millions of smartphones. Although there the mining speed is several times less, but there is an opportunity to launch it for a long time. Recently, Ixia specialists have found two popular applications with built-in cryptomineers in the Google Play catalog . They have a total of 6 million to 15 million downloads.







The specialists studied the code of one of the infected applications (“Scanward”) and determined the name of the user to whose account coins are credited to the mining pool (a certain “HUNTER”) and even found some of his messages on the forums. The same developer posted another infected application (English Book) on Google Play, which also has millions of downloads.