Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • Nearly 50,000 websites were found to host some type of cryptocurrency mining malware. — Bad Packets report, 2018
  • 5,541 WordPress websites were infected with malware as part of cryptojacking campaigns. — Bad Packets report, 2018

In an investigation by Troy Mursch, the author of the Bad Packets Report, nearly 50,000 websites were found to host some type of cryptocurrency mining malware.

Cryptocurrency mining is becoming an increasingly lucrative industry as speculation of digital currencies such as Bitcoin, Ethereum, and Monero have driven up valuation. In the case of Monero, which is more easily capable of being mined on CPUs rather than GPUs, website owners have taken to embedding JavaScript-based mining scripts in order to generate revenue in place of, or in addition to, traditional advertisements.

While some websites provide an opt-out mechanism for mining, many websites do not. As cryptocurrency miners are frequently configured to max out the CPU capacity of a given device–to the extent that devices have been physically damaged–performing cryptocurrency mining via scripts embedded on web pages is inherently parasitical regardless of the intent of the website owner.

SEE: Intrusion detection policy (Tech Pro Research)

That said, the ease of embedding JavaScript miners in websites has attracted criminals, who have begun exploiting cross-site scripting and other vulnerabilities to inject mining scripts into websites to illicitly generate funds. These types of attacks have been on the rise as 4,000 government websites in the US, UK, and Australia were infected through a vulnerability in a third-party assistive technology for people with visual impairments. Similarly, a website operated by the L.A. Times was infected with a Monero mining script powered by Coinhive.

Mursch’s investigation found that, of the 48,953 websites that were found to have coin mining scripts, 39,925 (81.6%) used Coinhive. Mursch noted that 5,541 of these were WordPress websites that had obfuscated references to the Coinhive script. These websites share a total of six unique Coinhive site keys, suggesting that their inclusion on these websites is not an active decision by the website owners, rather, they were embedded by some illegitimate means–likely through a vulnerability in WordPress itself, or surreptitiously included in a plug-in.

Alternatives to Coinhive have also gained some popularity, though are presently a relatively small fraction of the browser-based mining industry. Of particular note is Minr, which automatically provides optional code obfuscation in an effort to resist detection by people inspecting the website source. Mursch also noted that the linked domains for Minr scripts change frequently.

Also of interest is the self-hosted deepMiner script, found on 2160 websites, the report said. As a self-hosted script, searching for websites that link back to a specific domain would not detect deepMiner, rather, the function it uses to run was searched on PublicWWW instead.

As surreptitious coin mining operations, also known as cryptojacking, are becoming increasingly popular among criminals, proactive protections to safeguard against these attacks are necessary. Mursch recommends the minerBlock extension for Chrome and Firefox. Cryptojacking is blocked by default in Opera, and MalwareBytes, a popular anti-malware program, blocked Coinhive shortly after the website launched in September 2017.

Web-based mining attacks are only one component of criminals mining the Monero cryptocurrency in malware attacks. Attacks targeting Android devices, Microsoft Word documents, and Telegram were discovered last month, and criminals have also recycled the EternalBlue vulnerability developed by the NSA to create the mining botnet “Smominru.”