There seems to be a trend lately for publishers to monetize their traffic by having their visitors mine for cryptocurrencies while on their site. The idea is that you are accessing content for free and in exchange, your computer (its CPU in particular) will be used for mining purposes.
The Pirate Bay started to run a miner on its site and later publicly acknowledged it. In other cases, the mining was a byproduct of malicious adverts, or it ran on legitimate but compromised websites into which cryptomining code had been injected directly.
Needless to say, this practice is raising many eyebrows, and not everyone is on the same page about whether this new business model could be a long-term replacement for ads (although most people agree that ads are often annoying and sometimes malicious).
But what exactly happens when publishers turn your PC into a miner and display ads at the same time? In this post, we take a look at what is arguably a bad mix.
Figure 1: A streaming site that is (not so) silently mining cryptocurrency
This concept of mining digital currency via the browser is a little odd at first, because it is well known how resource intensive mining can be, requiring powerful machines loaded with expensive hardware. While this is true for Bitcoin, whose proof of work is now dominated by dedicated ASIC hardware, it is not true for currencies whose hashing algorithm was designed to run on ordinary CPUs (Coinhive, the service discussed below, mines Monero).
Gaming and video sites are typically already resource intensive, so it seems to make little sense to run a miner at the same time without a noticeable impact. Having said that, many people who consume copyrighted content are perhaps less likely to complain about a sub-par user experience.
The question at this point is: how far can publishers push the limits towards a really bad user experience? You may be surprised that for many this is not really a problem at all, and that double dipping (mining on the visitor's CPU and serving ads at the same time) is in fact a fairly common practice.
Forced mining and malvertising
The same site pictured above was not only monetizing via Coinhive, but they also ran adverts. Clicking anywhere on the page – including the ‘Play’ button on the video – triggered a pop under advert that ran through various ad exchanges and resulted in malvertising in almost all instances, leading to tech support scams and several different exploit kit infection chains.
Tech support scams
Tech support scams are one of the most common redirections we see these days. While they do not usually infect your computer, they are still a threat to consider. The most common symptom is referred to as ‘Browlock’ (browser locker), because the scam page uses JavaScript that prevents you from closing the browser tab or window normally, which makes the fake warning look more credible. The claims are always excessive and designed to scare users about made-up infections. Victims who call the posted number for help end up with more computer issues and several hundred dollars less in their wallets.
Figure 3: Malvertising leading to tech support scam (Browlock) is triggered when clicking anywhere on the page
Figure 4: Web traffic showing redirection sequence from publisher to tech support scam page
RIG exploit kit
RIG is the most popular exploit kit these days, and malvertising is its prime delivery mechanism. Victims are filtered using the same targeting tools that marketers use to profile consumers, and there can be a secondary level of filtering, usually via a gate that performs geolocation checks, for example, before the visitor is handed off to the landing page.
Figure 5: RIG EK via malvertising chain
Terror exploit kit
Terror EK is on a much smaller distribution scale than RIG but is still a fairly active exploit kit that tries out different things. For instance, some Terror EK infection chains serve their traffic over HTTPS (using free certificates from Let’s Encrypt), which keeps the landing page and payload out of sight of any network inspection that does not decrypt TLS. It also has an interesting gate with one of the most convoluted iframe encodings we have seen.
Figure 6: Terror EK via malvertising, and gate before landing page
Block less or more?
While cryptominers do have an impact on system resources, there was at least a sense that they may be safer and less intrusive than ads. But publishers ought to be more transparent with their audience, because no one likes unannounced guests. Unfortunately, there will always be publishers that care very little about what kind of traffic they push, so long as it generates good revenues; for those, cryptominers are just an added income on top of their existing advertising portfolio.
Malwarebytes users are already protected against this drive-by mining. In fact, we are blocking over 5 million connection attempts to Coinhive every single day, which shows that browser-based mining has really taken off in a big way.
Our goal is to protect people from unsolicited drive-by cryptomining. Users who are aware of it and want to participate in mining can still do so by adding an exclusion for the Coinhive domain.
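The two technical points above (a streaming site that embeds the Coinhive miner next to its ads, and blocking the miner's domain unless the user has opted in with an exclusion) can be checked with a small script. The following is an added example, not code from Malwarebytes or from the post; the page HTML is constructed for the example, with a made-up site key, and the script include and `CoinHive.Anonymous(...)` call follow the public embed snippet Coinhive published at the time. The `MINER_DOMAINS` set holds only the domain named on this page; a real blocklist would be fed from your own telemetry.

```python
import re
from urllib.parse import urlparse

# Constructed sample page (hypothetical): a streaming site that loads the
# Coinhive library and starts an anonymous miner with a made-up site key.
SAMPLE_HTML = """
<html><head><title>Free streaming</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('AbCdEf0123456789AbCdEf0123456789', {throttle: 0.3});
  miner.start();
</script>
</head><body><button id="play">Play</button></body></html>
"""

# Domains that serve the mining library or receive the miner's traffic.
# Only the domain discussed on this page is listed; extend from telemetry.
MINER_DOMAINS = {"coinhive.com"}

SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
# Matches the documented constructor: new CoinHive.Anonymous('<site key>', {options})
ANON_RE = re.compile(
    r'new\s+CoinHive\.Anonymous\(\s*["\']([A-Za-z0-9]+)["\']\s*(?:,\s*\{([^}]*)\})?', re.I)
# Coinhive's throttle option is the fraction of time the miner idles; 0 = full CPU.
THROTTLE_RE = re.compile(r'throttle\s*:\s*([0-9.]+)')


def host_matches(host, domains):
    """True if host equals or is a subdomain of any entry in domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_miner_scripts(html):
    """Return a list of findings: library includes from miner domains and
    inline miner instantiations, with the site key and CPU share used."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host_matches(host, MINER_DOMAINS):
            findings.append({"type": "library", "url": src, "host": host})
    for site_key, opts in ANON_RE.findall(html):
        m = THROTTLE_RE.search(opts or "")
        throttle = float(m.group(1)) if m else 0.0
        findings.append({
            "type": "miner",
            "site_key": site_key,
            "throttle": throttle,
            "cpu_share": round(1.0 - throttle, 3),
        })
    return findings


def decide(host, exclusions=()):
    """Block connections to known miner domains unless the user has added an
    explicit exclusion for that domain (the opt-in case described above)."""
    if host_matches(host, exclusions):
        return "allow"
    if host_matches(host, MINER_DOMAINS):
        return "block"
    return "allow"


if __name__ == "__main__":
    for f in find_miner_scripts(SAMPLE_HTML):
        print(f)
    for h in ("coinhive.com", "ws1.coinhive.com", "example.com"):
        print(h, decide(h), decide(h, exclusions={"coinhive.com"}))
```

Running it on the constructed page reports the library include from coinhive.com and a miner with throttle 0.3, i.e. roughly 70% of one CPU core per worker thread; the `decide` function blocks the domain and any subdomain until an exclusion is added.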
Indicators of compromise
Tech support scam

Fobos: hudsonentertainment[.]info/
Fobos: 204hdchdhhh[.]cf/tako/?re=6128546021

RIG exploit kit

IP: 188.225.83[.]85
SHA256: 43bc543d26f755474b355a70c25077df8ab71836056619216792a112a79bcd3d

Terror exploit kit

onpakfucli.salary-radar[.]bid/search-w3kpShD3axxD/R5ALkH3JyPBC/rzcp4YrhDgzu.html
wabusfqdty.salary-radar[.]bid/search-w3kpShD3axxD/iqW1OavoNisD.php
SHA256: 4fccf7246b6807e22c42dd93507592cca0594694f4487b03db04ef13e7a99c54
This is a Security Bloggers Network syndicated blog post authored by Jérôme Segura. Read the original post at: Malwarebytes Labs