Cryptojacking craze that drains your CPU now done by 2,500 sites


#1

A researcher has documented almost 2,500 sites that are actively running cryptocurrency mining code in the browsers of unsuspecting visitors, a finding that suggests the unethical and possibly illegal practice has only picked up steam since it came to light a few weeks ago.

Willem de Groot, an independent security researcher who reported the findings Tuesday, told Ars that he believes all of the 2,496 sites he tracked are running out-of-date software with known security vulnerabilities that have been exploited to give attackers control. Attackers, he said, then used their access to add code that surreptitiously harnesses the CPUs and electricity of visitors to generate the digital currency known as Monero. About 80 percent of those sites, he added, also contain other types of malware that can steal visitors’ payment card details.

“Apparently, cyberthieves are squeezing every penny out of their confiscated assets,” he said.

One of the affected sites is shop.subaru.com.au. When I visited the site on Tuesday, the fan on my MacBook Pro, which I hadn’t heard in months, soon started whirring. The activity monitor showed that about 95 percent of the CPU load was being consumed. As soon as I closed the site, the load dropped to about 9 percent. Besides putting a noticeable strain on my computer, the site also draws additional electricity from my office. The arrangement allows the attackers to reap the benefit of my hardware and electricity without providing anything to me in return. A recent report from security firm Trustwave’s SpiderLabs estimated that the electricity cost for a single computer could range from about $2.90 to $5 per month, presumably if the cryptomining page was left open and running continuously over that time. The figure doesn’t include the wear and tear on hardware as it performs complex mathematical problems required to generate the digital coins.

Read more at: https://arstechnica.com/information-technology/2017/11/drive-by-cryptomining-that-drains-cpus-picks-up-steam-with-aid-of-2500-sites/

TL;DR - If for some reason when visiting a site your CPU starts whirring at 100% for a core or more… it might not just be your browser sucking or the site having issues.


#2

Often these codes sneak in through ads, I had this issue on xperiablog.net before but it got fixed and it isn’t there anymore.
For ppl. who use NoScript, one of the popular scripts is coinhive/com
NoScript protects from this kind of abuse I believe.


#3

There are already extensions to block these for anyone that wants to. No Coin for Chrome is one example.


#4

No coin is also available for Firefox, not sure tho if it’s the same dev.
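
How host-based script blocking of the kind discussed in posts #2 to #4 can work, as an added example (not part of the thread, and not the code of NoScript or No Coin). The blocklist holds only the Coinhive domain mentioned in post #2; the function names and the sample page are constructed for illustration.

```javascript
// Added example: host-based blocklist matching for <script> sources.
// One entry, the domain mentioned in this thread; real blocklists are longer.
const BLOCKLIST = ['coinhive.com'];

// True when host is a blocklisted domain or a subdomain of one.
// Suffix matching on a dot boundary avoids lookalikes such as notcoinhive.com.
function isBlockedHost(host, blocklist = BLOCKLIST) {
  const h = host.toLowerCase().replace(/\.$/, ''); // drop trailing root dot
  return blocklist.some((d) => h === d || h.endsWith('.' + d));
}

// Collect external script URLs from an HTML string, resolved against pageUrl.
// A regex is a simplification; a browser extension inspects requests directly.
function scriptSources(html, pageUrl) {
  const out = [];
  const re = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const raw = m[1] ?? m[2] ?? m[3];
    try {
      out.push(new URL(raw, pageUrl)); // handles relative and //host/ forms
    } catch {
      // unparsable src value: nothing to check
    }
  }
  return out;
}

// URLs of scripts on the page whose host is on the blocklist.
function blockedScripts(html, pageUrl, blocklist = BLOCKLIST) {
  return scriptSources(html, pageUrl)
    .filter((u) => isBlockedHost(u.hostname, blocklist))
    .map((u) => u.href);
}

// Constructed sample page (paths and the shop.example host are made up).
const SAMPLE_HTML = `
<script src="/js/app.js"></script>
<script src="//coinhive.com/lib/x.js"></script>
<script async src='https://CDN.Coinhive.com/x.js'></script>
<script src="https://notcoinhive.com/a.js"></script>
<script src="https://coinhive.com.example.org/b.js"></script>`;

console.log(blockedScripts(SAMPLE_HTML, 'https://shop.example/'));
```
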


#5

Actually, I don’t really mind… If I’m not using that CPU power anyway, I don’t care. If I am, then I’ll close that website. I know it sounds stupid, but meh, if it helps someone earn money without additional expenses for me, then why not…


#6

The additional expense is your electricity bill.


#7

Like one cent per month?


#8

It’s the principle. Eg like someone has invaded your private property without your permission and is gaining from it. F yeah I mind!


#9

If it’s without the CPU owner’s consent I would call it stealing of resources.
Perhaps someone can make one that offers small payments to the people who willingly participate and allow people to adjust the taxation on their system. Everybody wins.


#10

The difference is a lot of people don’t know their systems are being used in this manner without their permission, which is the point here - embedded JS in a banner, hacked page or otherwise.

It’s not only electricity, it’s also system wear - laptops, tablets and other similar devices for example aren’t designed to run fans blazing hours on end at 100%.

Not everyone is as technically inclined as people here generally are.


#11

A YouTube ad steals your bandwidth, wastes your electricity and your time.


#12

To be fair it did offer you the bandwidth to access the video you’re playing on their site.
And you know they’ll play ads even before you play the video, so it’s a fair trade but not a steal.

Clarification:

When things are communicated and agreed, it can’t be counted as stealing.

The situation of coin-mining advertisements is different. Even if the coins end up going to the advertisers.

Visitors know what to expect from advertisements - promotional information that the advertisers hope will increase the likelihood of selling more of their products/services, short term or long term. Coin-mining advertisement is simply a ripoff on top of this belief, a betrayal.

And coin-mining with ads is apparently an unauthorized use of property.


#13

As long as it’s just a Javascript script running in my browser, I don’t see any privacy invasion here :wink:


#14

You won’t be able to browse anymore, ’cause everything will be super laggy. The script loads all cores 100%, also if you don’t have a good thermal solution your CPU will suffer.


#15

This is by far the biggest problem. It only takes a few weeks before nobody will try to visit your website anymore


#16

I encountered this a couple of days ago, had my laptop on my lap and suddenly I hear the fans roaring and my laptop becoming increasingly hot to the touch. Couldn’t leave it on my lap anymore as it was too hot.

Is the best way to block it using NoCoin?


#17

Javascript doesn’t support multithreading, so I really doubt one site can load more than one core…


#18

This is incorrect, web workers allow multithreading.


#19

Ah, I hadn’t heard about that before :slight_smile: and a quick google didn’t show it. But you learn something every day :smiley:


#20

Technically it’s not stealing. You won’t see the youtube ad if you’re not on youtube and there won’t be a youtube for you to go to, if not for the ads.

It’s the unspoken agreement you are making by visiting the site, you agree to give up some of your time and attention for ad content in exchange for the use of the service that someone has to pay for.

Crypto jacking on the other hand… now that is stealing!
You derive no benefit from giving up your cpu cycles, while someone else entirely, benefits… sort of like politics.