How to Block Cryptocurrency Miners in Your Web Browser

Discussion in 'Security and Anti-Virus Software' started by Tinderbox (UK), Nov 28, 2017.

  1. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    4,966
    Messages:
    17,551
    Likes Received:
    21,547
    Trophy Points:
    931
    Now even YouTube serves ads with CPU-draining cryptocurrency miners
    Ad campaign lets attackers profit while unwitting users watch videos.
    DAN GOODIN - 1/26/2018, 11:27 AM
    https://arstechnica.com/information...-ads-with-cpu-draining-cryptocurrency-miners/
    "YouTube was recently caught displaying ads that covertly leach off visitors' CPUs and electricity to generate digital currency on behalf of anonymous attackers, it was widely reported.

    Word of the abusive ads started no later than Tuesday, as people took to social media sites to complain their antivirus programs were detecting cryptocurrency mining code when they visited YouTube.

    The warnings came even when people changed the browser they were using, and the warnings seemed to be limited to times when users were on YouTube.
    Great, now my browser, every time I watch YouTube... my antivirus is always blocking coinhive because malware. Idk much about it but this is getting annoying and I need a solution please T n T

    — Arung (@ArungLaksmana) January 23, 2018

    Hey @avast_antivirus seems that you are blocking crypto miners (#coinhive) in@YouTube #ads
    Thank you :)https://t.co/p2JjwnQyxz

    — Diego Betto (@diegobetto) January 25, 2018

    Apparently @YouTube is very funny, and it wasn't enough for them to cut our audience; now they go and push the Coinhive JavaScript on us to use our devices to mine Monero! Really, @Google! What leeches you are making with YouTube?? pic.twitter.com/NzMUMlArJs

    — Ervo (@Mystic_Ervo) January 24, 2018

    On Friday, researchers with antivirus provider Trend Micro said the ads helped drive a more than three-fold spike in Web miner detections. They said the attackers behind the ads were abusing Google's DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain.

    The ads contain JavaScript that mines the digital coin known as Monero. In nine out of 10 cases, the ads will use publicly available JavaScript provided by Coinhive, a cryptocurrency-mining service that's controversial because it allows subscribers to profit by surreptitiously using other people's computers. The remaining 10 percent of the time, the YouTube ads use private mining JavaScript that saves the attackers the 30 percent cut Coinhive takes. Both scripts are programmed to consume 80 percent of a visitor's CPU, leaving just barely enough resources for it to function.

    "YouTube was likely targeted because users are typically on the site for an extended period of time," independent security researcher Troy Mursch told Ars. "This is a prime target for cryptojacking malware, because the longer the users are mining for cryptocurrency the more money is made." Mursch said a campaign from September that used the Showtime website to deliver cryptocurrency-mining ads is another example of attackers targeting a video site.

    To add insult to injury, the malicious JavaScript in at least some cases was accompanied by graphics that displayed ads for fake AV programs, which scam people out of money and often install malware when they are run.

    The above ad was posted on Tuesday. Like the ads analyzed by Trend Micro and posted on social media, it mined Monero coins on behalf of someone with the Coinhive site key of "h7axC8ytzLJhIxxvIHMeC0Iw0SPoDwCK." It's not possible to know how many coins the user has generated so far. Trend Micro said the campaign started January 18. In an e-mail sent as this post was going live, a Google representative wrote:

    Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.

    It wasn't clear what the representative meant when saying the ads were blocked in less than two hours. Evidence supplied by Trend Micro and on social media showed various ads containing substantially the same JavaScript ran for as long as a week. The representative didn't respond to follow-up questions seeking a timeline of when the abusive ads started and ended.

    As the problem of Web-based cryptomining has surged to almost epidemic proportions, a variety of AV programs have started warning of cryptocurrency-mining scripts hosted on websites and giving users the option of blocking the activity. While drive-by cryptocurrency mining is an abuse that drains visitors' electricity and computing resources, there's no indication that it installs ransomware or other types of malware, as long as people don't click on malicious downloads.
    This post was updated to add comment from Google."

    Cryptojacking craze that drains your CPU now done by 2,500 sites
    Android apps with millions of Google Play downloads also crash the party.
    DAN GOODIN - 11/8/2017, 10:45 AM
    https://arstechnica.com/information...s-cpus-picks-up-steam-with-aid-of-2500-sites/
    A music streaming site that participated in Coinhive crypto mining maxes out the visitor's CPU.

    "A researcher has documented almost 2,500 sites that are actively running cryptocurrency mining code in the browsers of unsuspecting visitors, a finding that suggests the unethical and possibly illegal practice has only picked up steam since it came to light a few weeks ago.
    Willem de Groot, an independent security researcher who reported the findings Tuesday, told Ars that he believes all of the 2,496 sites he tracked are running out-of-date software with known security vulnerabilities that have been exploited to give attackers control. Attackers, he said, then used their access to add code that surreptitiously harnesses the CPUs and electricity of visitors to generate the digital currency known as Monero. About 80 percent of those sites, he added, also contain other types of malware that can steal visitors' payment card details.

    "Apparently, cyberthieves are squeezing every penny out of their confiscated assets," he said.

    One of the affected sites is shop.subaru.com.au. When I visited the site on Tuesday, the fan on my MacBook Pro, which I hadn't heard in months, soon started whirring. The activity monitor showed that about 95 percent of the CPU load was being consumed.

    As soon as I closed the site, the load dropped to about 9 percent. Besides putting a noticeable strain on my computer, the site also draws additional electricity from my office. The arrangement allows the attackers to reap the benefit of my hardware and electricity without providing anything to me in return. A recent report from security firm Trustwave's SpiderLabs estimated that the electricity cost for a single computer could range from about $2.90 to $5 per month, presumably if the cryptomining page was left open and running continuously over that time. The figure doesn't include the wear and tear on hardware as it performs complex mathematical problems required to generate the digital coins.

    Activity monitor showing CPU load when visiting http://shop.subaru.com.au.

    Thanks, Coinhive

    The site that makes all of this possible is Coinhive.com, which Ars covered last week. It offers an easy-to-use programming interface that any website can use to turn visitors' computers into vehicles for generating—or in the parlance of cryptocurrency people, mining—Monero. Coinhive gives participating sites a tiny cut of the proceeds and pockets the rest. Coinhive doesn't require that sites provide any notice to users.

    de Groot said that about 85 percent of the 2,496 sites he tracked are generating currency on behalf of just two Coinhive accounts. Depending on the total number of visitors, the amount of time they stay on an affected site, and the power of their computers, the revenue collected by those accounts could be considerable, as would be the total amount of additional charges those accounts made to visitors' electric bills.

    The remaining 15 percent were spread over additional Coinhive accounts, but de Groot has evidence suggesting those accounts are controlled by a single individual or group. Most of the affected sites concealed the connection to Coinhive by adding a link to the domain siteverification.online or one masquerading as a Sucuri firewall. Those disguised sites, in turn, hosted the crypto-mining JavaScript that interacted with Coinhive.

    de Groot's findings suggest that drive-by cryptomining has grown more widespread in the week since Ars first covered it or at least that the phenomenon shows no signs of abating. The earlier Ars article cited research from security firm Sucuri that found 500 sites running hacked versions of the WordPress content management system that were participating in the Coinhive mining. Ars also reported that two Android apps with as many as 50,000 downloads from Google Play had recently been caught putting cryptominers inside hidden browser windows. On Wednesday, researchers from Ixia reported finding two additional such apps with as many as 15 million downloads combined. (In fairness, one of the apps informed users it would use their phone's idle time to generate coins and provided a way for that default setting to be turned off. The apps have since been modified to curtail the practice.)

    There are other indications that the in-browser cryptomining racket is getting worse. In a report published Tuesday, endpoint security provider Malwarebytes said that on average it performs about 8 million blocks per day to unauthorized mining pages.

    People who want to avoid these cryptojacking scams can use Malwarebytes or another antivirus program that blocks abusive pages, install this Chrome extension, or update their computer host file to block coinhive.com and other sites known to facilitate unauthorized mining. As the phenomenon continues to grow and attract copycat services, blocklists will likely have to be updated, requiring regular updates to blocklists as well.

    YouTube Ads Infected by Cryptocurrency Malware
    by PAUL WAGENSEIL Jan 29, 2018, 8:58 AM
    https://www.tomsguide.com/us/youtube-mining-malware,news-26530.html
     
    Last edited: Jan 30, 2018
  2. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    4,966
    Messages:
    17,551
    Likes Received:
    21,547
    Trophy Points:
    931
    FYI - been seeing this on Youtube, time to employ miner blocking lists in uBlock / SafeScript and/or extensions that are keeping the lists of offending domains up to date. I've actually had Chrome warn me of excessive CPU use in Youtube tabs until I updated lists again - added a few coin mining extensions, and those tabs were taking 50% of CPU (2 tabs)!

    All about Blockchain, Cryptocurrency, Digital Transformation
    http://forum.notebookreview.com/thr...l-transformation.812591/page-16#post-10673064

    Youtube Caught Mining Monero on Viewers PCs


    Stop coin mining in the browser with No Coin
    https://ker.af/stop-coin-mining-in-the-browser-with-no-coin/

    No Coin - Block miners on the web!
    https://chrome.google.com/webstore/...s-on-t/gojamcfopckidlocpkbelmpjcgmbgjcl?hl=en

    5 Easy Ways To Block Cryptocurrency Mining In Your Web Browser
    https://fossbytes.com/block-cryptocurrency-mining-in-browser/

    minerBlock
    https://chrome.google.com/webstore/detail/minerblock/emikbbbebcdfohonlaifafnoanocnebl?hl=en

    No Mining - Block coin mining websites
    https://chrome.google.com/webstore/...n-mini/hoafonbifbfcbhdconhnmcphpnplaekb?hl=en
     
    Vasudev, Dr. AMK and Raiderman like this.
  3. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    4,966
    Messages:
    17,551
    Likes Received:
    21,547
    Trophy Points:
    931
    Turns out, the malvertising that has miner code as payload is delivered through Google AdSense, among others, and has become automated to the point where Google is getting behind in catching them. That's why we are getting hit with coin mining now in Youtube, but it's happening anywhere that uses Google Adsense and other ad aggregators...

    Crooks Created 28 Fake Ad Agencies to Disguise Massive Malvertising Campaign

    By Catalin Cimpanu, January 26, 2018 12:10 PM
    https://www.bleepingcomputer.com/ne...es-to-disguise-massive-malvertising-campaign/

    "A group of cyber-criminals created 28 fake ad agencies and bought over 1 billion ad views in 2017, which they used to deliver malicious ads that redirected unsuspecting users to tech support scams or sneaky pages peddling malware-laden software updates or software installers.

    The entire operation —codenamed Zirconium— appears to have started in February 2017, when the group started creating the fake ad agencies which later bought ad views from larger ad platforms.

    These fake ad agencies each had individual websites and even LinkedIn profiles for their fake CEOs. Their sole purpose was to interface with larger advertising platforms, appearing as legitimate businesses.

    How the operation worked
    The image below describes how the group operated. The fake ad agencies would buy ads displayed on legitimate sites via these ad platforms.

    These ads would allow the Zirconium group to run JavaScript code that executed a "forced redirect," effectively hijacking visitors off the original site to an intermediary domain. This intermediary domain would fingerprint and classify incoming traffic, then redirect the user to another domain, also operated by Zirconium.

    Crooks would use this third domain as an affiliate traffic jump-off point, allowing others to buy the traffic they hijacked from legitimate sites.

    In many cases, users were redirected to pages offering fake (malware-laced) Flash updates, websites offering (malware-infested) software installers, tech support scams, or other scareware pages.
    Ad security company Confiant, the one who discovered this entire operation, says ads bought by this group reached 62% of ad-monetized websites on a weekly basis.

    All in all, Confiant believes that about 2.5 million users who've encountered Zirconium's malicious ads were redirected to a malicious site, with 95% of the victims being based in the US.

    Eight fake ad agencies still dormant
    The entire operation flew under the radar for most of the time but became harder to ignore as it grew and researchers started to detect more and more aggressive user fingerprinting scripts.

    Dangu says the group exclusively targeted desktop browsers, ignoring mobile traffic. The user's operating system did not count, the group going after Windows, Linux, Mac, or ChromeOS users alike.

    The Confiant CTO also says Zirconium used only 20 of its 28 fake ad agency identities for this operation, and eight remained dormant earlier this week when Confiant published its Zirconium exposé.
    Malvertising crews using fake ad companies may be a new concept for the casual infosec-passionate reader, but conversations this Bleeping Computer reporter had with industry experts last year revealed that most experts knew this was happening, but they hadn't managed to get all the details together to expose this growing trend.

    Besides blowing the lid on this new tactic, Dangu also pointed out another interesting fact; that this malvertising campaign was nothing like previous operations, which mostly sent traffic to exploit kits.

    Dangu believes that improved browser security features now make most exploit kits ineffective. In addition, the decision from most browser makers to change Flash into a disabled state or click-to-run policy have also contributed to the demise of classic malvertising+exploit kit campaigns.

    Chrome 64, released earlier this week, blocks the forced redirect technique (also known as tab-under) used by the Zirconium group."
     
    Vasudev and Dr. AMK like this.
  4. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    4,966
    Messages:
    17,551
    Likes Received:
    21,547
    Trophy Points:
    931
    Google Removes YouTube Ads Doing Crypto Mining
    By Shahid Rajput - February 1, 2018
    https://phonesmart.pk/google-removes-youtube-ads-crypto-mining/

    "Widespread use and intense popularity among the masses has made cryptocurrency a 'dream come true' like wonder. In the meantime, crypto mining has become an art and some culprits have discovered numerous fraudulent ways to do the job. This leads to a relatively new term, "cryptojacking".

    We have shared with our readers how people use porn sites to mine cryptocurrency. In fact, cryptojackers insert malicious JavaScript code into websites and advertisements that uses the victim's CPU power to mine cryptocurrency for them. There are reports that hackers have found a way to insert malicious script into YouTube ads as well.

    Ars Technica, a YouTube user, reported earlier that suspected script from a service called ‘CoinHive’ causes triggering of users’ anti-virus software while YouTube ads are being played on their PC. It was presumed that a cryptojacking site might have inserted a special script that uses CPU’s power of people watching those ads on YouTube.

    Hey @avast_antivirus seems that you are blocking crypto miners (#coinhive) in @YouTube #ads
    Thank you https://t.co/p2JjwnQyxz
    — Diego Betto (@diegobetto) January 25, 2018

    The Telegraph reported that the CBS Showtime, UFC live-streams and even official websites for the governments of Moldova and Bangladesh have also fallen victim. In some instances, websites that offer free services – such as sites that help people download films, TV series and music for free like The Pirate Bay, explicitly use miners to offset running costs.

    Google Fixes YouTube Ads Doing Crypto Mining
    Google, the owner of YouTube, has come up with an immediate fix of the issue faced by millions of users worldwide. A Google spokesman responds:

    Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.

    Most of the users came up with one common thing in these hacks and that is CoinHive – a crypto mining service. Since September last year, CoinHive has been offering a Javascript Monero miner that anyone can register to use and slip into a website. In return, CoinHive takes a 30 percent cut.

    It seems that cryptojackers have decided to target the most widely used video platform on the web to get their evil job done. However, Google says it typically removes mining adverts down within minutes of their appearance, but are up against hackers who continuously change tactics to try and get around their systems."

    How to Block Cryptojackers to Mine Cryptocurrency in Your Browser
    By Shahid Rajput - January 28, 2018
    https://phonesmart.pk/block-cryptojackers-mine-cryptocurrency-browser/

    Crypto-jackers slip Coinhive mining code into YouTube site ads
    Trend Micro suggests disabling JavaScript in browsers

    By Thomas Claburn in San Francisco 27 Jan 2018 at 01:14
    https://www.theregister.co.uk/2018/...ip_coinhive_mining_code_into_doubleclick_ads/
     
    Vasudev and Dr. AMK like this.
  5. Dr. AMK

    Dr. AMK The Strategist

    Reputations:
    1,845
    Messages:
    1,362
    Likes Received:
    2,863
    Trophy Points:
    181
    Check Your CPU Usage all the time.
    The simplest way to determine if your PC is being used to mine cryptocurrency is to assess its CPU usage. By opening the resource monitor of your computer (EDIT: or any other monitoring software like HW64), it’s possible to view a list of applications and processes that are currently using processing power.

    Observing a noticeable spike in CPU usage when viewing specific sites that don’t show any outward signs of CPU-intensive media is a key indicator that there may be Javascript running that is taxing or hijacking your processing power. If you’re still observing high CPU usage after closing your browser, it’s possible you may have a crypto mining malware issue.
     
    Woodking, hmscott and Vasudev like this.
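    The check described in the post above, turned into a script (an added example, not code from this thread or from any tool mentioned in it): it reads snapshots in the shape of `ps -eo pid,pcpu,comm` output and only flags a process whose CPU share stays above a threshold across several consecutive samples, so a one-off spike from a page load does not trigger it, while a browser process pinned at ~80% the whole time does. The snapshots, PIDs and process names are constructed sample data.

```python
"""Flag processes whose CPU share stays high across consecutive samples.

Added example, not from the forum thread: applies the "watch the resource
monitor" advice to a series of text snapshots shaped like
`ps -eo pid,pcpu,comm` output.  All snapshots below are constructed.
"""
from collections import defaultdict

# Constructed snapshots taken a few seconds apart (columns: PID %CPU COMMAND).
SAMPLES = [
    """  PID %CPU COMMAND
 1201  3.0 firefox
 1340 81.5 firefox
 1422  1.2 Terminal
  900  0.4 systemd""",
    """  PID %CPU COMMAND
 1201  2.5 firefox
 1340 79.0 firefox
 1422 45.0 Terminal
  900  0.3 systemd""",
    """  PID %CPU COMMAND
 1201  3.1 firefox
 1340 82.0 firefox
 1422  2.0 Terminal
  900  0.5 systemd""",
]


def parse_ps(snapshot):
    """Return {pid: (cpu_percent, command)} for one ps-style snapshot."""
    procs = {}
    for line in snapshot.splitlines()[1:]:  # first line is the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, cpu, cmd = parts
        procs[int(pid)] = (float(cpu), cmd)
    return procs


def sustained_high_cpu(snapshots, threshold=60.0, min_consecutive=3):
    """Return {pid: command} for processes at or above `threshold` %CPU in
    `min_consecutive` snapshots in a row.

    Requiring a streak filters out short bursts (a page load, a compile)
    that a single-sample check would report as suspicious.
    """
    streak = defaultdict(int)
    flagged = {}
    for snap in snapshots:
        procs = parse_ps(snap)
        for pid, (cpu, cmd) in procs.items():
            streak[pid] = streak[pid] + 1 if cpu >= threshold else 0
            if streak[pid] >= min_consecutive:
                flagged[pid] = cmd
        # a process that vanished between samples loses its streak
        for pid in list(streak):
            if pid not in procs:
                streak[pid] = 0
    return flagged


if __name__ == "__main__":
    for pid, cmd in sustained_high_cpu(SAMPLES).items():
        print(f"pid {pid} ({cmd}) kept the CPU busy across all samples")
```

    In the constructed data only PID 1340 (a browser process) is reported; the Terminal burst in the second snapshot is ignored because it does not persist. Lowering `threshold` or `min_consecutive` trades fewer misses for more false alarms, which is the same trade-off as eyeballing Task Manager.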
  6. Dr. AMK

    Dr. AMK The Strategist

    Reputations:
    1,845
    Messages:
    1,362
    Likes Received:
    2,863
    Trophy Points:
    181
  7. inm8#2

    inm8#2 Notebook Deity

    Reputations:
    273
    Messages:
    752
    Likes Received:
    303
    Trophy Points:
    76
    Salon to ad blockers: Can we use your browser to mine cryptocurrency?

    I don't like where all of this is heading. People started blocking ads because of how intrusive and dangerous they became. Now this war of escalation for ad revenue has evolved into cryptomining. "Hey we served some nasty ads in the past that cost us revenue due to ad blockers. Now you should definitely trust us with these mining scripts."

    What happens after people block the cryptominers? How many systems will be brought to their knees by websites maxing out their hardware for mining, because those less tech savvy users have never heard of cryptomining, scripts, or ad blockers?
     
    Dr. AMK and hmscott like this.
  8. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    4,966
    Messages:
    17,551
    Likes Received:
    21,547
    Trophy Points:
    931
  9. Vaeron

    Vaeron Notebook Evangelist

    Reputations:
    120
    Messages:
    338
    Likes Received:
    191
    Trophy Points:
    56
    Is it enough to just have the NoCoin Filter List with uBlock Origin, or is it better to have a separate Firefox addon for it?

    OT: Does anyone have a guide for a definitive/must-have filters list? I just rolled with the default settings of uBlock Origin then added the NoCoin and Anti-Adblock Killer Filter lists.
     
    Vasudev and Dr. AMK like this.
  10. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    4,966
    Messages:
    17,551
    Likes Received:
    21,547
    Trophy Points:
    931
    IDK, if you get CPU usage showing miners with just the filter list + ublock, then yes run what you need to - and/or get more lists.

    I haven't had any more incursions using ScriptSafe (with everything enabled) + ublock Origin (all filters enabled) + Privacy Badger + AdBlocker for Youtube + NoCoin + No Mining + Miner Block, but none of the mining extensions have indicated any hits... so I think maybe I will disable them soon.

    I think the other tools have bolstered their lists and are catching everything I might run across. YMMV.

    FYI - ran across this hosts based method, for which I've used various sources over many years, but stopped using due to the noscript / adblock tools, now using scriptsafe + ublock Origin.

    But, it's got lots of lists of interest, and I may put some time into checking it out at some point:

    StevenBlack/hosts
    https://github.com/StevenBlack/hosts
    List of all hosts file variants
    The Non GitHub mirror is the link to use for some hosts file managers like Hostsman for Windows that don't work with Github download links.

    Host file recipe                                   Readme   Raw hosts   Unique domains   Non Github mirror
    Unified hosts = (adware + malware)                 Readme   link        55,023           link
    Unified hosts + fakenews                           Readme   link        55,696           link
    Unified hosts + gambling                           Readme   link        56,535           link
    Unified hosts + porn                               Readme   link        64,555           link
    Unified hosts + social                             Readme   link        56,170           link
    Unified hosts + fakenews + gambling                Readme   link        57,208           link
    Unified hosts + fakenews + porn                    Readme   link        65,228           link
    Unified hosts + fakenews + social                  Readme   link        56,843           link
    Unified hosts + gambling + porn                    Readme   link        66,067           link
    Unified hosts + gambling + social                  Readme   link        57,682           link
    Unified hosts + porn + social                      Readme   link        65,702           link
    Unified hosts + fakenews + gambling + porn         Readme   link        66,740           link
    Unified hosts + fakenews + gambling + social       Readme   link        58,355           link
    Unified hosts + fakenews + porn + social           Readme   link        66,375           link
    Unified hosts + gambling + porn + social           Readme   link        67,214           link
    Unified hosts + fakenews + gambling + porn + social Readme   link        67,887           link
     
    Vasudev and Dr. AMK like this.
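    The two blocking mechanisms discussed in this thread, the NoCoin filter list loaded into uBlock Origin (the question a few posts up) and the hosts-file approach above, both come down to a list of domains that must never be contacted. The script below is an added example, not code from this thread, from uBlock Origin or from the StevenBlack/hosts project: it parses both list formats (hosts-file `0.0.0.0 domain` lines, and `||domain^` network rules as used by uBlock/Adblock Plus lists) into one set and checks whether a request URL, including any subdomain of a listed domain, would be blocked. The list excerpts and URLs are constructed sample data; `coinhive.com` is the only name taken from the thread.

```python
"""Check request hosts against hosts-file and uBlock-style domain rules.

Added example, not from the thread or the projects it names.  Parses the
hosts-file format (as shipped by StevenBlack/hosts) and the ``||domain^``
rule syntax of uBlock Origin filter lists into one blocked-domain set,
then matches a URL's host and its parent domains against it.  List text
and URLs below are constructed sample data.
"""
from urllib.parse import urlsplit

# Constructed excerpt in hosts-file format, with the usual loopback entries.
HOSTS_TEXT = """# Title: constructed unified hosts sample
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 coinhive.com          # mining service named in the thread
0.0.0.0 siteverification.online
"""

# Constructed excerpt in uBlock Origin / Adblock Plus network-rule syntax.
FILTER_TEXT = """! Title: constructed miner-blocking list
||miner-cdn.example^
||pool.example^$third-party
! ||commented-out.example^
"""

# Hosts entries for these names are loopback plumbing, not blocks.
LOCAL_ONLY = {"localhost", "localhost.localdomain", "local", "broadcasthost",
              "ip6-localhost", "ip6-loopback", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield blocked domains from hosts-file lines (comments stripped,
    loopback entries skipped)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("0.0.0.0", "127.0.0.1", "::1"):
            continue
        for name in fields[1:]:
            if name.lower() not in LOCAL_ONLY:
                yield name.lower()


def parse_filter_list(text):
    """Yield domains from ``||domain^`` rules; other rule kinds are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("||"):
            continue  # '!' comments, cosmetic rules, plain patterns
        rule = line[2:].split("$", 1)[0]  # drop options such as $third-party
        if rule.endswith("^"):
            rule = rule[:-1]
        if rule and "/" not in rule and "*" not in rule:
            yield rule.lower()


def load_blocklist(hosts_text=HOSTS_TEXT, filter_text=FILTER_TEXT):
    """Merge both sources into one set of blocked domains."""
    return set(parse_hosts(hosts_text)) | set(parse_filter_list(filter_text))


def is_blocked(url, blocklist):
    """True when the URL's host, or any parent domain of it, is listed."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


if __name__ == "__main__":
    blocked = load_blocklist()
    for u in ("https://coinhive.com/lib/coinhive.min.js",
              "https://static.miner-cdn.example/lib.js",
              "https://www.youtube.com/watch?v=example"):
        print("BLOCK" if is_blocked(u, blocked) else "allow", u)
```

    One difference worth noting: a hosts file only blocks by exact name (the OS resolver does not apply it to subdomains), whereas a `||domain^` rule in uBlock also covers every subdomain. The matcher above applies subdomain matching to both, which is the stricter reading; a miner served from a fresh subdomain of a listed host would slip past the hosts file alone, which is one reason the thread ends up layering a filter-list extension on top.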