In my research, I primarily use two publicly available website scanning services: urlscan.io and Sucuri SiteCheck. These tools allow me to quickly locate malicious code, which usually consists of Coinhive. However, many other types of cryptocurrency mining scripts are in use today.
Here's the total number of websites found with a non-#Coinhive cryptocurrency mining script.
ProjectPoi (PPoi): 225
— Bad Packets Report (@bad_packets) April 19, 2018
While Coinhive remains the market leader for now, their dominance in the cryptojacking “industry” has declined in 2018.
Website Scanning Services
My first choice for scanning and archiving a website’s source code is urlscan.io. I’ve provided many examples on Twitter of how valuable this service is.
Luckily this case of #cryptojacking is throttled and won't murder your CPU.
Using @urlscanio we find Coinhive hiding in:
— Bad Packets Report (@bad_packets) February 21, 2018
Here's another case of #Coinhive showing up in an AWS S3 bucket.
Using @urlscanio we find the #cryptojacking malware is injected into @HipHopDX's website via:
— Bad Packets Report (@bad_packets) February 26, 2018
#Cryptojacking malware detection has been added to @urlscanio. When found, a warning message is displayed. Further details are shown on the specific type found, such as #Coinhive or Crypto-Loot. https://t.co/QV7jUgKQXr pic.twitter.com/PDRgoGHSib
— Bad Packets Report (@bad_packets) January 8, 2018
It’s also useful when you search for a URL to check whether a website was previously infected.
Another valuable tool for scanning websites for cryptojacking malware is Sucuri SiteCheck. Sucuri is a security company, owned by GoDaddy, that I have no affiliation with. I do, however, like using their website scanning service.
This scanning service helps you quickly locate the source of the malicious code. Sucuri’s scanner isn’t limited to cryptojacking; it detects other forms of malware as well.
In this example, the website is infected with malware that redirects users to a tech support scam site. The offending code is easy to find thanks to the results presented by Sucuri. Sadly, this was only one of many Drupal sites that were recently exploited.
— Denis (@unmaskparasites) April 24, 2018
While Coinhive’s market share has declined in 2018, cryptojacking malware as a whole remains a persistent threat.
To stop cryptojacking in your browser, I recommend minerBlock, a dedicated extension built to block cryptojacking malware.
If you use other forms of blocking, such as Pi-hole, you can use the blocklist provided by CoinBlockerLists, which is frequently updated with the domains and IPs used by coinmining malware and illicit cryptomining operations.
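As an added example (not the author’s code, and not part of CoinBlockerLists or Pi-hole), the Python below shows the core of what such a blocklist does: parse a hosts-format list, match script hostnames against it (including subdomains of a listed domain), and flag external scripts in a page whose host is listed. The blocklist entries and the HTML fragment are constructed sample data with invented domains.

```python
import re
from urllib.parse import urlparse

# Constructed sample in hosts format (the layout Pi-hole-style blocklists use).
# The domains are invented for this example, not entries from CoinBlockerLists.
SAMPLE_BLOCKLIST = """\
# constructed sample blocklist
0.0.0.0 miner.example-pool.test
0.0.0.0 cdn.cryptojack-example.test  # trailing comment
127.0.0.1 localhost
"""

# Constructed page fragment: a first-party script, a miner loader, a benign third party.
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src='https://cdn.cryptojack-example.test/lib/miner.min.js' async></script>
<script src="//analytics.example.org/a.js"></script>
"""

SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)

def parse_hosts_blocklist(text):
    """Return the set of hostnames listed in hosts-format blocklist text."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:                        # plain domain list, no IP column
            fields = ["", fields[0]]
        blocked.update(h.lower().rstrip(".") for h in fields[1:] if h != "localhost")
    return blocked

def is_blocked(hostname, blocked):
    """True if hostname or any parent domain (but not the bare TLD) is listed."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels) - 1))

def find_blocked_scripts(html, blocked):
    """Return the src of every external <script> whose host is blocklisted."""
    hits = []
    for src in SCRIPT_SRC.findall(html):
        if src.startswith("//"):                   # scheme-relative URL
            src = "https:" + src
        host = urlparse(src).hostname
        if host and is_blocked(host, blocked):     # relative paths have no host
            hits.append(src)
    return hits

if __name__ == "__main__":
    for src in find_blocked_scripts(SAMPLE_HTML, parse_hosts_blocklist(SAMPLE_BLOCKLIST)):
        print("blocklisted script:", src)
```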
As always, I’m most active on Twitter — follow me @bad_packets
Also, be sure to check out my Mirai-like botnet data website!