Coin-Mining Malware Goes Global: How to Avoid Infection
Nearly 2,500 websites worldwide are infected or deliberately rigged with browser code that hijacks your computer's processors to "mine" cryptocurrency.
Bad hacker! Stay out of my computer! Credit: vectorfusionart/Shutterstock
That's according to a report posted Tuesday (Nov. 7) by Dutch security researcher Willem de Groot, who found 2,496 sites running Coinhive, a script that forces your machine to suddenly speed up and crunch numbers in order to create units of Monero, a cryptocurrency similar to Bitcoin.
What to Do
One Chrome extension, Coin-Hive Blocker, blocks the the Coinhive script specifically. It's a good short-term solution that doesn't affect other scripts or sites, but might not work in the long run if mining software migrates to other code. (Antivirus software doesn't always catch coin-mining scripts, which are legal per se, although Malwarebytes has added Coinhive to its block list.)
To make sure your browser isn't hijacked by coin miners, you can could use a script blocker such as NoScript for Mozilla Firefox or ScriptBlock or ScriptSafe for Google Chrome. Doing so will block most ads (including ours), but you can usually whitelist websites or scripts according to what you'd like to see.
MORE: Best Antivirus Software
Websites harboring cryptocurrency-mining code are not a new phenomenon, but they've been growing rapidly in scale over the past couple of months after Coinhive released its easily embeddable code in mid-September.
Many high-profile sites, including The Pirate Bay, have added the mining code deliberately to provide an alternative revenue stream and boost the bottom line. Others, including the Showtime site, Ultimate Fighting Championship and PolitiFact, have been infected by criminals looking to make a quick buck.
De Groot said that of the nearly 2,500 sites he surveyed, 85 percent linked to just two CoinHive accounts, indicating that they'd been hacked by a very small set of criminals.
It's not illegal
Using Coinhive seems to be perfectly legal as long as you let users opt in. It's not clear how legal using it becomes if you don't warn users beforehand.
The Coinhive website, which trumpets the slogan "Monetize Your Business With Your Users' CPU Power," seems to represent a legitimate business. It even has warnings about not using the service for illegal purposes.
But we couldn't find anything on the site or in its website domain registry about the company's location, owners or employees, which is never a good sign. (An Argentine web developer did post some Coinhive code to Github, but he may not be associated with the company.)
Try it yourself, if you dare
Here's a sample of a (presumably unwittingly) infected website belonging to Subaru's Australian subsidiary, discovered by Ars Technica's Dan Goodin. Tom's Guide takes no responsibility for any consequences if you'd like to try it out at your own risk: http://shop.subaru.com.au/. Your CPU usage will spike, but there shouldn't be any permanent damage after you close the tab.
To view the effect of this infected site on your browser, open Task Manager in Windows by pressing Ctrl + Shift + Alt, and watch the performance usage hit 100 percent in a few seconds. (Don't try it on a Mac, as the site tried to actively install something on ours.)
A screenshot of NoScript blocking the Coinhive script in Firefox. Credit: Paul Wagenseil/Tom's Guide
The coin-mining scourge is even hitting mobile phones. A TV news report from Australia details how text messages have led users to install apps that secretly mine cryptocurrency, and Trend Micro found three apps in the Google Play store that mined cryptocurrency.
We're not sure what you can do to prevent your Android device from being hijacked by a cryptocurrency-mining app, as not all antivirus apps will stop them. But if your phone suddenly seems to be heating up or draining its battery rapidly, delete the most recently added app to see if that solves the problem.