JavaScript Altcoin/Digital Coin Mining

Coin Mining

As has been noted in the news and in other blog posts over the previous months, there has been an upward trend in web applications using JavaScript to mine for digital currencies. The JavaScript can be loaded either intentionally by the site or because malicious actors have injected additional lines into web pages.

Some notable websites, such as the popular The Pirate Bay, have recently been caught deploying JavaScript miners on their web pages to help offset the cost of expensive hosting. As the screenshot below shows, captured while inspecting The Pirate Bay's source code, the <script src="https://coin-hive/lib/coinhive.min.js"> tag loads a third-party JavaScript file that, when loaded, will pass the following line's identifying number to Coinhive, then all work that is performed by the web

For those who don’t know what Coinhive is, this is the intro on their website:

Coinhive offers a JavaScript miner for the Monero Blockchain (Why Monero?) that you can embed in your website. Your users run the miner directly in their Browser and mine XMR for you in turn for an ad-free experience, in-game currency or whatever incentives you can come up with.

However, websites using such crypto-miner services can mine cryptocurrencies as long as you're on their site. Once you close the browser window, they lose access to your processor and associated resources, which eventually stops the mining. Unfortunately, this is not the case anymore. Security researchers from anti-malware provider Malwarebytes have found that some websites have discovered a clever trick to keep their cryptocurrency mining software running in the background even when you have closed the offending browser window. This stealth technique is performed by hiding a small web browser in the corner of the user's window, as can be seen in the screenshot provided by Malwarebytes, shown below.

Attack Vectors

Many websites are choosing to use coin miners over advertisements to provide a cleaner user experience while still maintaining a revenue stream. However, the legitimate companies that take this approach typically inform their user base of the risk of coin miners and give users the ability to opt out of the excess workload.

On the other hand, any website that is currently affected by Stored Cross-Site Scripting (XSS) could easily have these coin miners injected into its web application, so that future unsuspecting users are targeted for the excess workload.

The screenshot below might be difficult to understand at first glance, but the premise works as follows. The victim, in purple, requests data from a legitimate server using their local web browser. However, the legitimate web server has been attacked by the attacker, in pink, who has injected a malicious script that is stored on the back end of the legitimate server. Now, when the victim in purple requests the data from the server, the additional script gets loaded and the victim's browser will start mining for coins.
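A site owner can look for the injected tag described above by auditing stored or rendered pages for script sources the site is not expected to load. The following is an added example, not code from the original post; the allowlisted hosts, the marker list, the example.com names and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed values: hosts this site is expected to load scripts from, and
# substrings that mark a script URL as a known miner loader.
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}
MINER_MARKERS = ("coinhive.min.js",)


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src.strip())


def audit_scripts(html, page_host="www.example.com"):
    """Return (src, reason) pairs for script tags that need review."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        # Relative URLs have no hostname and resolve to the page's own host.
        host = (urlparse(src).hostname or page_host).lower()
        if any(marker in src.lower() for marker in MINER_MARKERS):
            findings.append((src, "known miner script"))
        elif host not in ALLOWED_SCRIPT_HOSTS:
            findings.append((src, "unexpected script host: " + host))
    return findings


# Constructed sample: a stored comment carrying an injected loader tag that
# uses the script URL quoted earlier on this page.
SAMPLE_PAGE = """
<html><head><script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib/jquery.min.js"></script></head>
<body><div class="comment">Nice post!
<SCRIPT SRC="https://coin-hive/lib/coinhive.min.js"></SCRIPT></div>
<script src="//stats.example.net/t.js"></script></body></html>
"""

if __name__ == "__main__":
    for src, reason in audit_scripts(SAMPLE_PAGE):
        print(f"{reason}: {src}")
```

The host allowlist catches loaders that a filename marker list has not yet seen, which matters because a marker list only knows the scripts already reported.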

Another attack vector would be an attacker injecting additional JavaScript calls into popular, well-known open source JavaScript frameworks [Motherboard]. If successful, this attack would mean that anyone downloading open source software implanted with bitcoin mining code could be unwittingly expending computing power and electricity to generate bitcoins, presumably for someone else.

Preventing Coin Miners

There are several tools you can make use of, such as web browser extensions like No Coin, that automatically block in-browser cryptocurrency miners for you and regularly update themselves with new mining scripts as they come out. Created by developer Rafael Keramidas, No Coin is an open source extension that blocks Coinhive and other similar cryptocurrency miners and is available for Google Chrome, Mozilla Firefox, and Opera.

No Coin currently does not support Microsoft Edge, Apple Safari, and Internet Explorer. So, those using one of these browsers can use an antimalware program that blocks cryptocurrency miners.

Stay vigilant out there!  Until next time!