Replacing annoying advertisements with annoying miners
Many of us use ad blockers to prevent advertisements being shown on websites when we are surfing the web. Use of these blockers brings up many arguments and ethical concerns, since ads are usually the source of income for websites, by blocking them the income for these websites is being limited. On the other hand we see Malwaretisement campaigns abusing ad networks to distribute their malware and compromise users’ machines. As websites started including miners in their pages, users started using miner blocker extensions to stop the miners from running. In this study we analysed top miner blocker extensions for Firefox and Google Chrome and report on their effectiveness. List of analysed extensions is available in the following table:
|No Coin (84,524 Users)
|No Coin (570,185 Users)
|No Miner (28,413 Users)
|Miner Block (157,807 Users)
|Miner Block (15,557 Users)
|CryptoMiner Blocker (5,811 Users)
|Mining Blocker (12,187 Users)
and the regex matching this script for different miner blocker extensions is:
*://*.coinhive.com/* *://*/*coinhive*.js* *://coinhive.com/lib* *://*.coinhive.com/lib/* *://*/*coinhive.min.js*
Based on signatures derived from browser extensions, we found only 12 websites in top 10k Alexa websites, this number grows linearly and reaches 36053 for Top 212M Alexa websites. This would either mean that top Alexa websites do not use miners, or it could mean that they actively try to hide their miners which makes miner blocker extensions useless.
Now let’s look at the websites which use miners from another view, for this part of the report, https://fortiguard.com/webfilter, is used to categorize the URLs, since most of these samples are not well known websites, the category won’t be present for most of them, but out of those which we could find a category for, this is the top ones:
- Malicious Websites
- Information Technology
- Personal Websites and Blogs
Next, we analyze which miners are more popular:
This plot has a couple of interesting findings, first, coinhive and its other domains (coinhive.com, coin-hive.com, cnhv.co) together make up the most popular miners used by websites on the web. Next we have authedmine.com, which also belongs to coinhive, but this service explicitly asks the user for permission to mine on his computer, this is due to the fact that mining without users’ concent was deemed as a malicious act and browser extensions started blocking them. To prevent it, coinhive proposed authedmine as a fully “ethical” counterpart of their original service.
On this list we also see crypto-loot, which is a new player in this game, they provide 80% of the mining income to website administrators compared to 70% revenue share for admins using coinhive.
“rest” category is the sum of samples with presence on less than 200 websites on Alexa top 212M websites.
On this list, we see greenindex.dynamic-dns.net which looks to be a non-miner website. Our first guess was that someone hosted a miner script on their website. After doing some research, we get to their website which looks benign. They host https://greenindex.dynamic-dns.net/jqueryeasyui.js which is a version of deepMiner, which is a self hosted cryptominer. Various blogs point out that this miner is used in a malicious way, as in being injected into compromised websites. deepMiner has a feature to limit the amount of its CPU utilizations, and in some of the compromised websites with this specific miner URL in them, this value was set to 0.5, preventing full cpu utilization by the script .
Another benign looking domain is cookiescript.info. They advertise themselves as:
The most popular free solution to US and European Cookie Laws
As it turns out, these guys have been abusing their script that users would include in their website to mine cryptocurrencies. The two following URLs are examples of mining scripts present on this domain:
The author of “CookieScript.info mining Monero on your website?! It’s true” , claims that cookiescript moderators have been contacted and no response was received as of the writing.
Analyzing the miner scripts
Now the question arises, are these the true number of websites using crypto miners? Or are there many other self hosted and malicious miners that obfuscate themselves and their URLs to stay hidden? To answer this question we can refer to Unauthorized Coin Mining in the Browser , where the author from Palo Alto Networks uses their own dataset of passive DNS and logs from their devices, shows that they observe roughly the same number of malicious infected websites by miner campaigns as we observed by using signatures used in miner blocked browser extensions.