My favorite website scanning services

In my research, I primarily use two publicly available website scanning services: urlscan.io and Sucuri SiteCheck. These tools allow me to quickly locate malicious code, which usually consists of Coinhive. However, many other types of cryptocurrency mining scripts are in use today.

While Coinhive remains the market leader for now, their dominance in the cryptojacking “industry” has declined in 2018.

I recently documented how to find cryptojacking malware and recommend it as an excellent use case for the services offered by PublicWWW.

Website Scanning Services

My first choice for scanning and archiving a website’s source code is urlscan.io. I’ve provided many examples of how valuable this service is on Twitter.

Cryptojacking detection was added to urlscan.io early in January 2018. This enables you to check whether a website is engaging in malicious cryptocurrency mining, based on known signatures of cryptojacking malware (JavaScript).

It’s also useful when you search for a URL to check whether a website was previously infected.

The archived urlscan.io results show Coinhive was found on LonelyPlanet.com

In a recent example, the official website of the travel guidebook publisher Lonely Planet was compromised to run Coinhive. Despite numerous contact attempts, I received no confirmation or denial from Lonely Planet regarding this incident. However, based on the Archive.org copy of the affected JavaScript library, Coinhive was removed sometime on or after March 7, 2018.

Another valuable tool for scanning websites for cryptojacking malware is Sucuri SiteCheck. Sucuri is a security company, owned by GoDaddy, that I have no affiliation with. I do, however, like using their website scanning service.

Sucuri SiteCheck

This scanning service helps you quickly locate the source of the malicious code. Sucuri’s scanner also detects other forms of malware; it isn’t limited to cryptojacking.

Sucuri SiteCheck

In this example, the website is infected with malware that redirects users to a tech support scam site. The offending code is easy to find thanks to the results presented by Sucuri. Sadly, this was only one of many Drupal sites that were recently exploited.

Closing Remarks

While Coinhive’s market share has declined in 2018, cryptojacking malware as a whole remains a persistent threat.

To stop cryptojacking in your browser, I recommend the dedicated extension minerBlock.

If you use other forms of blocking, such as Pi-hole, you can use the blocklist provided by CoinBlockerLists, which is frequently updated with the domains and IPs used by coinmining malware and illicit cryptomining operations.
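The two detection approaches mentioned in this post, signature matching on a page’s JavaScript (as urlscan.io does) and domain blocking from a hosts-format list (as Pi-hole does with CoinBlockerLists), can be combined into a small scanner. The following Python is an added example written for this post, not code from urlscan.io, Sucuri or CoinBlockerLists. The signatures are illustrative patterns modelled on the public Coinhive JavaScript API, the blocklist is a constructed hosts-format sample rather than the real CoinBlockerLists, the sample page is constructed, and the parent-domain matching in `host_blocked` is an assumption added for convenience (plain hosts lists are exact-match).

```python
"""Toy cryptojacking scan: content signatures on script tags plus a
hosts-format domain blocklist check on external script sources."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative signatures modelled on the public Coinhive JS API (its
# script file name and miner constructor names). A real scanner carries
# a curated, regularly updated set.
SIGNATURES = {
    "coinhive-script": re.compile(r"coinhive\.min\.js", re.I),
    "coinhive-miner-ctor": re.compile(r"\bCoinHive\.(Anonymous|User)\s*\("),
}

# Constructed sample in hosts-file format, the layout Pi-hole-style
# blocklists such as CoinBlockerLists use. Not the real list.
BLOCKLIST_TEXT = """\
# constructed sample blocklist
0.0.0.0 coinhive.com
0.0.0.0 miner.cdn.example.test
"""

# Constructed sample page: one benign script, one external miner script
# and one inline snippet that instantiates the miner.
SAMPLE_HTML = """\
<html><head>
<script src="https://cdn.example.test/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</head><body>Hello</body></html>
"""


def parse_hosts_blocklist(text):
    """Return the set of domains listed in a hosts-format blocklist."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) >= 2:
            blocked.add(fields[1].lower())
    return blocked


def host_blocked(host, blocked):
    """True if host or any parent domain is on the blocklist (assumption:
    parent-domain matching; plain hosts lists are exact-match)."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline = [], []
        self._buf = None  # accumulates the body of the current inline script

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def scan_html(html, blocked):
    """Return a list of (kind, detail) findings for a page's script tags."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.srcs:
        host = urlparse(src).hostname  # also handles protocol-relative //host/...
        if host and host_blocked(host, blocked):
            findings.append(("blocked-domain", src))
        for name, rx in SIGNATURES.items():
            if rx.search(src):  # catches self-hosted copies by file name
                findings.append(("signature:" + name, src))
    for i, body in enumerate(parser.inline, 1):
        for name, rx in SIGNATURES.items():
            if rx.search(body):
                findings.append(("signature:" + name, "inline script #%d" % i))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML, parse_hosts_blocklist(BLOCKLIST_TEXT)):
        print(kind, detail)
```

Run against the constructed page it reports the coinhive.com script both as a blocked domain and as a file-name signature hit, and flags the inline miner constructor; the benign CDN script produces nothing. A self-hosted copy of the miner renamed to something innocuous would evade both the file-name signature and the domain list, which is why the inline-content signature matters.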

As always, I’m most active on Twitter — follow me @bad_packets

Also, be sure to check out my Mirai-like botnet data website!
