Another Chrome extension has been found secretly harboring a cryptocurrency miner – and it appears this issue is going to get worse before it gets better.
Reg reader Alessandro Polidori, a Node.js software engineer, spotted the use of Coin Hive’s Monero-crafting code in the “Short URL (goo.gl)” extension for Chrome. After getting an alert from his network security tools, Polidori dug in and found the extension was downloading and running a file from Coin-Hive.com called cryptonight.wasm every ten seconds.
Cryptonight is typically embedded on webpages to mine coins for whoever put the code there – either a site administrator or someone who has hacked the server to inject the code. It silently runs in browsers visiting the pages, sending any mined cyber-cash back to its masters. It’s estimated there 113,000 Cryptonight miners active right now, gradually generating XMR coins, each worth about $90, using strangers’ electricity and computer hardware
The code was traced to the Short URL extension, yet the plugin’s developers had neglected to mention its presence. Polidori found it was jacking up his computer’s CPU to 95 per cent workload.
“To remove any doubts that my installation could be tampered, I tried to install the extension to a new Chrome instance,” he said. “Unfortunately I got the same result, so we can conclude that it was intentionally designed.”
After informing Google that the extension, which had nearly 15,000 downloads, was harboring a hidden currency miner, the software was pulled from the official marketplace. But it’s a demonstration of quite how common these kinds of deceptive practices are becoming as online currency mining becomes more popular.
Last month, a Chrome extension called SafeBrowse was yanked offline after it was found to b e running a crypto-coin miner.
There’s nothing intrinsically malicious with software harvesting spare CPU cycles for stuff, it’s just that the code should not hog a machine’s resources, and people should be made aware of it and given the chance to opt out. The technique has been used for ages – the Great Internet Mersenne Prime Search of 1996 was the first example we could think of.
This year has seen an explosion in the number of software applications and websites hosting such miners, mainly from Coin Hive. That outfit had hoped site owners would embed its free code to make money from visitors’ spare processor cycles as an alternative to displaying ads. And websites have albeit surreptitiously. The Pirate Bay was one – although it coughed to the mining after being caught out – and other sites in the torrenting and pornography annexes of the internet make frequent use of mining software to defray costs.
More and more websites are mining crypto-coins in your browser to pay their bills, line pockets
Hackers have also moved into the area, by cracking popular websites, installing miners on popular pages, and then reaping the illicit profits. CBS’ Showtime website, as well as the Pulitzer-Prize winning Politifact, have both had miners installed after hacking attacks.
Coin Hive has recently responded to criticism, and stopped developing its easily concealable miner in favor of a new one, dubbed AuthedMine, which asks for permission before mining. But others actively eschew this approach.
Crypto-Loot, launched earlier this month, actively advertises itself as undetectable and stealthy. Basically, you can run it on a browser to mine Monero quietly, and without requiring user consent. It claims “our miner on your website will go unnoticed by users after they click run if you set threads between 2-4,” on its website, adding “we aren’t going to tell you how to run your business.”
Thankfully, security software vendors are getting wise to this – Malwarebytes, ad blockers, and other anti-malware packages have already blocked Coin Hive and similar software will be added to its kill list. But in the meantime there are going to be a lot of stressed and slow computers online as the unethical take CPU cycles without asking. ®
The Joy and Pain of Buying IT – Have Your Say