A look into the global drive-by cryptocurrency mining phenomenon
An important milestone in the history of cryptomining happened around mid-September when a company called Coinhive launched a service that could mine for a digital currency known as Monero directly within a web browser.
However, many web portals started to run the Coinhive API in non-throttled mode, resulting in cases of cryptojacking—utilizing 100 percent of the victims’ CPU to mine for cryptocurrency with no knowledge or consent given by the user.
We decided to call this new phenomenon drive-by mining, due to the way the code is delivered onto unsuspecting users, very much like drive-by downloads. There’s one important caveat, though: There is no malware infection at the end of the chain.
While the harm may seem minimal, this is not the kind of web experience most people would sign up for. To make matters worse, one does not always know if they are mining for the website owner or for criminal gangs that have found a new monetization tool for the hacked sites they control.
In our full report, A look into the global drive-by cryptocurrency mining phenomenon, we review the events that led to this new technology being abused and explore where users involved in cryptomining against their will are located.
To give you an idea of the scope of drive-by mining, Malwarebytes has been blocking the original Coinhive API and related proxies an average of 8 million times per day, which added up to approximately 248 million blocks in a single month.
With their new mandatory opt-in API, Coinhive hopes to restore some legitimacy to the technology and, more importantly, push it as a legal means for site owners to earn revenues without having to worry about ad blockers or blacklists. This could also benefit users who might not mind trading some CPU resources for an ad-free online experience.
Time will tell how criminals react, but in the meantime, drive-by mining continues unabated.
For more information on this latest trend in the cryptocurrency world, please download our report.
Posted: November 7, 2017 by Jérôme Segura
Last updated: November 6, 2017
ABOUT THE AUTHOR
Lead Malware Intelligence Analyst
Security researcher with a focus on exploits, malvertising and fraud.