In my research, I primarily use two publicly available website scanning services: urlscan.io and Sucuri SiteCheck. These tools allow me to quickly locate malicious code, which usually consists of Coinhive. However, many other types of cryptocurrency mining scripts are in use today.
Here's the total number of websites found with a non-#Coinhive cryptocurrency mining script.
DeepMiner: 6,813
CoinImp: 2,131
Crypto-Loot: 1,555
JSEcoin: 1,410
Minr: 787Not pictured:
ProjectPoi (PPoi): 225
CoinNebula: 21
CoinRail: 7Source: @publicww pic.twitter.com/OW3fYc3RM0
— Bad Packets Report (@bad_packets) April 19, 2018
While Coinhive remains the market leader for now, their dominance in the cryptojacking “industry” has declined in 2018.
I recently documented how to find cryptojacking malware and recommend it as an excellent use case for the services offered by PublicWWW.
Website Scanning Services
My first choice for scanning and archiving a website’s source code is urlscan.io. I’ve provided many examples of how valuable this service in on Twitter.
#Coinhive found on @latimes "The Homicide Report"
Luckily this case of #cryptojacking is throttled and won't murder your CPU.
Using @urlscanio we find Coinhive hiding in:
http://latimes-graphics-media.s3.amazonaws[.]com/js/leaflet.fullscreen-master/Control.FullScreen.js pic.twitter.com/VOv5ibUtwJ— Bad Packets Report (@bad_packets) February 21, 2018
Here's another case of #Coinhive showing up in an AWS S3 bucket.
Using @urlscanio we find the #cryptojacking malware is injected into @HipHopDX's website via:
https://s3.amazonaws[.]com/hiphopdx-production/assets/prod/js/comments.min.js?v11 pic.twitter.com/OmjkiQiA4y— Bad Packets Report (@bad_packets) February 26, 2018
Cryptojacking detection was added to urlscan.io early in January 2018. This enables you check if a website is engaging in malicious cryptocurrency mining, based on known signatures of cryptojacking malware (JavaScript).
#Cryptojacking malware detection has been added to @urlscanio. When found, a warning message is displayed. Further details are shown on the specific type found, such as #Coinhive or Crypto-Loot.https://t.co/QV7jUgKQXr pic.twitter.com/PDRgoGHSib
— Bad Packets Report (@bad_packets) January 8, 2018
It’s also a useful when you search for a URL to check if a website was previously infected.
In a recent example, the official website of travel guide book website Lonely Planet was compromised to run Coinhive. Despite numerous contact attempts, I received no confirmation or denial from Lonely Planet regarding this incident. However, based on the Archive.org copy of the affected JavaScript library, Coinhive was removed sometime on or after March 7, 2018.
Another valuable tool for scanning websites for cryptojacking malware is Sucuri SiteCheck. Sucuri is a security company, owned by GoDaddy, that I have no affiliation with. I do however like using their website scanning service.
This scanning service helps you quickly locate the source of the malicious code. Other forms of malware can be detected by Sucuri’s scanner and isn’t limited to cryptojacking.
In this example, the website is infected with malware that redirects users to a tech support scam site. The offending code is easy to find thanks to the results presented by Sucuri. Sadly, this was only one of many Drupal sites that were recently exploited.
Massive #Drupal infection that redirects to "Tech Support" scam via "js.localstorage[.]tk" https://t.co/30ZeLIyfza pic.twitter.com/ZCPMepM74k
— Denis (@unmaskparasites) April 24, 2018
Closing Remarks
While Coinhive’s market share has declined in 2018, cryptojacking malware as a whole remains a persistent threat.
To stop cryptojacking in your browser, I recommend using a dedicated extension, minerBlock, to block cryptojacking malware.
If you use other forms of blocking, such as Pi-hole, you can use the blocklist provided by CoinBlockerLists, which is frequently updated with the domains and IPs used by coinmining malware and illicit cryptomining operations.
As always, I’m most active on Twitter — follow me @bad_packets
Also, be sure to check out my Mirai-like botnet data website!