Browser-based Crypto-Mining Rises from the Dead

Though it seemed all but dead, browser-based cryptocurrency mining is back—a revenant that has begun haunting websites and their visitors.

It’s not just back in a small way: Browser-based cryptocurrency mining activity has exploded in the last few months of 2017, according to Symantec, including a 34% increase in the number of mobile apps incorporating cryptocurrency mining code. The firm said that the catalyst appears to be the launch of a mining service in September by Coinhive.

Browser-based cryptocurrency mining, which has been around since at least 2011, is implemented using a scripting language. Website owners can sign up to the service and embed these scripts into their web pages to make page visitors mine for them. Coinhive is marketed as an alternative to browser ad revenue: Users pay for the content indirectly by coin mining when they visit the site, and website owners don't have to bother users with sites laden with ads (and potentially malvertising). The activity is pooled, making for potentially massive combined mining power, gleaned from masses of users with average hardware visiting a website.

“This service wraps everything up nicely in an easy-to-use package for website owners and has injected new life into an idea that was long thought of as dead and buried,” the firm said in a blog post. “A surge in the cryptocurrency market in 2017, as well as availability of coins that are mineable using home hardware and easy-to-use JavaScript APIs, has led to a torrent of malicious browser-based mining affecting many well-known and lesser-known websites.”

Browser-based mining proved to be unprofitable in the past: In 2011, there was only Bitcoin to mine, and it wasn’t worth that much—about $30 per BTC. “The reward was minuscule compared to the amount of mining power and electricity required,” Symantec noted, meaning that an individual website faced a fundamental profitability problem. Thus, it withered away.

“The growing problem of profitability was made even worse by the increasing use of ASIC miners,” Symantec said. “The advent of ASIC miners dragged bitcoin mining out of the realm of home users and into an industrial age dominated by the massive mining farms that we are more familiar with today.”

However, as of September 2017 the market capitalization for cryptocurrency stood at $166 billion, spread over more than a thousand different currencies.

“Some, like Bitcoin, can still only be mined via a proof-of-work (PoW) process using dedicated power-hungry ASIC hardware,” Symantec pointed out. “Other cryptocurrencies like Monero, Ethereum (ETH), Ethereum Classic (ETC) and Dash (DASH) can be mined using retail-grade GPU hardware found in many home computers.”

This has created a perfect storm for browser-based mining to rise from the dead. On its face, Coinhive, which mines for Monero, offers websites a great alternative to selling ads, but unfortunately it is being abused.

“Despite Coinhive’s best intentions, unscrupulous operators quickly latched onto the idea of secret mining in the hope that users will not notice,” Symantec said, citing its non-transparent use on Pirate Bay, as well as potentially malicious planting of it on premium websites like Showtime and the LiveHelpNow widget, which is used by many websites around the world to offer in-browser support chat sessions.

“As with Showtime, LiveHelpNow is already a legitimate revenue-generating business and there's no obvious reason as to why it would risk user confidence to earn a few extra bucks from users [and make users pay for content twice],” the firm said. “So the most likely scenario is that the server was compromised either by an outsider, or even an insider.”

Reports have cropped up of many other sites using the Coinhive mining scripts without letting users know and without providing an opt-out option.

“The mining process can start quickly and quietly in the browser without anybody noticing, unless insufficient throttling is used, in which case the CPU load may max out during the users' session, which would be an easy tell-tale for end users to spot,” the firm concluded.

Source: Information Security Magazine