My favorite website scanning services

In my research, I primarily use two publicly available website scanning services: urlscan.io and Sucuri SiteCheck. These tools allow me to quickly locate malicious code, which usually consists of Coinhive. However, many other types of cryptocurrency mining scripts are in use today.

While Coinhive remains the market leader for now, their dominance in the cryptojacking “industry” has declined in 2018.

I recently documented how to find cryptojacking malware and recommend it as an excellent use case for the services offered by PublicWWW.

Website Scanning Services

My first choice for scanning and archiving a website’s source code is urlscan.io. I’ve provided many examples of how valuable this service is on Twitter.

Cryptojacking detection was added to urlscan.io early in January 2018. This enables you to check if a website is engaging in malicious cryptocurrency mining, based on known signatures of cryptojacking malware (JavaScript).

It’s also useful when you search for a URL to check if a website was previously infected.

Coinhive was found on the website of LonelyPlanet.com
The archived urlscan.io results show Coinhive was found on LonelyPlanet.com

In a recent example, the official website of travel guide book website Lonely Planet was compromised to run Coinhive. Despite numerous contact attempts, I received no confirmation or denial from Lonely Planet regarding this incident. However, based on the Archive.org copy of the affected JavaScript library, Coinhive was removed sometime on or after March 7, 2018.

Another valuable tool for scanning websites for cryptojacking malware is Sucuri SiteCheck. Sucuri is a security company, owned by GoDaddy, that I have no affiliation with. I do however like using their website scanning service.

Sucuri SiteCheck

This scanning service helps you quickly locate the source of the malicious code. Sucuri’s scanner can also detect other forms of malware and isn’t limited to cryptojacking.

Sucuri SiteCheck

In this example, the website is infected with malware that redirects users to a tech support scam site. The offending code is easy to find thanks to the results presented by Sucuri. Sadly, this was only one of many Drupal sites that were recently exploited.

Closing Remarks

While Coinhive’s market share has declined in 2018, cryptojacking malware as a whole remains a persistent threat.

To stop cryptojacking in your browser, I recommend using a dedicated extension, minerBlock, to block cryptojacking malware.

If you use other forms of blocking, such as Pi-hole, you can use the blocklist provided by CoinBlockerLists, which is frequently updated with the domains and IPs used by coinmining malware and illicit cryptomining operations.

As always, I’m most active on Twitter — follow me @bad_packets

Also, be sure to check out my Mirai-like botnet data website!

Mirai-like Botnet One Year Review and a New Website!

In February 2017, I started my passive honeypot and began listening for all incoming network traffic. As the months passed, I saw numerous exploit attempts, constant port scans, and other suspicious traffic. It wasn’t until October that, with the help of Dr. Neal Krawetz, I started cataloging Mirai-like botnet traffic specifically.

What does Mirai-like mean?

Incoming scans from Mirai-like botnets have a very distinct fingerprint in the network traffic generated by infected hosts. The TCP sequence number will always equal the IP address of the target device. This intentional behavior is documented in the original Mirai source code, shown in the snippet below:

Snippet of Mirai source code

Typically, the target IP address is encoded in decimal (numeric) format. As the target IP changes, the Sequence Number of the traffic coming from the infected host will change accordingly as shown in the example below:

Example showing TCP Sequence Number = Destination IP address

Your logs may vary and instead record the sequence number in hexadecimal format. Either way, once converted to an IP address, the pattern is clearly established.
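The fingerprint check described above, written out as an added example (not code from the original post or from Mirai): it reads firewall-style log lines, accepts the sequence number in decimal or hexadecimal, and lists the source IPs whose TCP packets carry a sequence number equal to the destination address. The log format, field names and addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (key=value style, documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
2018-02-19T00:01:12Z SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP DPT=23 SEQ=3405803786 SYN
2018-02-19T00:01:13Z SRC=198.51.100.23 DST=203.0.113.11 PROTO=TCP DPT=2323 SEQ=3405803787 SYN
2018-02-19T00:02:40Z SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP DPT=23 SEQ=0xcb00710a SYN
2018-02-19T00:03:05Z SRC=192.0.2.200 DST=203.0.113.10 PROTO=TCP DPT=22 SEQ=1234567890 SYN
2018-02-19T00:03:09Z SRC=192.0.2.201 DST=203.0.113.10 PROTO=UDP DPT=53
"""

# Assumed log layout: SRC, DST, PROTO and SEQ appear as key=value fields.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=TCP\b.*?\bSEQ=(?P<seq>\S+)"
)


def parse_seq(text):
    """Return the sequence number as an int; accepts decimal or hexadecimal.

    Assumption: hex values carry a 0x prefix or contain a-f; a digits-only
    value is treated as decimal.
    """
    t = text.lower()
    if t.startswith("0x") or re.search(r"[a-f]", t):
        return int(t, 16)
    return int(t, 10)


def seq_to_ip(seq):
    """Render a 32-bit sequence number as a dotted-quad IPv4 address."""
    return str(ipaddress.IPv4Address(seq & 0xFFFFFFFF))


def is_mirai_like(dst, seq):
    """True when the TCP sequence number equals the destination IPv4 address."""
    return int(ipaddress.IPv4Address(dst)) == (seq & 0xFFFFFFFF)


def find_mirai_like_sources(log_text):
    """Map each source IP showing the fingerprint to the set of targets it probed."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # non-TCP line, or no sequence number logged
        try:
            seq = parse_seq(m.group("seq"))
            if is_mirai_like(m.group("dst"), seq):
                hits[m.group("src")].add(m.group("dst"))
        except ValueError:
            continue  # malformed address or sequence number
    return dict(hits)


if __name__ == "__main__":
    for src, targets in sorted(find_mirai_like_sources(SAMPLE_LOG).items()):
        print(f"{src}: SEQ == DST on {len(targets)} target(s)")
```

A random sequence number matches the destination address with probability 1 in 2^32, so a single matching packet is already a strong indicator.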

Dr. Krawetz shared his thoughts on this technique, “This is actually kind of brilliant. Each bot slings out packets and doesn’t store any information. When a response comes back, the botnet can identify the sender by the sequence number.”

Once the fingerprint of the Mirai-like botnet was established, I was able to review the IP addresses found in my logs for further patterns. Late in October 2017, I shared my findings of a botnet consisting of EnGenius routers.

Instead of continuing to isolate specific devices in the botnet and the volume of traffic generated, I began cataloging new unique IP addresses while noting the network provider (ASN) and country they came from. This allowed me to gauge the growth rate and estimate the size of active botnets. Subsequently, I started sharing my Mirai-like botnet statistics daily on Twitter.

One Year of Data Collected

New unique IP addresses seen in Mirai-like botnet from 2017-02-19 to 2018-02-19

Reviewing the entire dataset I collected, the overall Mirai-like botnet volume averaged around 500 new unique IP addresses per day in March 2017 and steadily declined until September 2017. After this point, a surge in botnet activity was observed. The most new unique IP addresses I saw in a single day was 1,384 on November 29.

The explosion in activity was largely attributed to the Satori botnet which enslaved devices in Argentina, Egypt, Colombia, and Tunisia. This botnet grew exponentially after a zero day exploit was used to target Huawei HG532 routers. Numerous devices from Japan were also found after a UPnP exploit targeting Realtek devices was used.

During the height of the activity between November 22nd and December 7th, those countries accounted for a large share of the new unique IP addresses found.

New Unique IPs seen in Mirai-like botnet from 2017-11-22 to 2017-12-07 by Country

Similarly, network providers (ASNs) from Colombia, Egypt, and Argentina combined for 39% of all new unique IP addresses seen during this time period.

New Unique IPs seen in Mirai-like botnet from 2017-11-22 to 2017-12-07 by ASN

Growing Pains

The challenge of collecting and sharing the Mirai-like botnet data every day quickly became apparent. A publicly shared Google Sheet was not a long term option, so I asked my Twitter followers for assistance building a proper solution.

Alex Rhodes rose to the challenge and offered his time and expertise to build a database backend to store the data. He also designed and implemented a website for sharing the botnet data. Alex is a software engineer in the aerospace industry and is currently working towards a Master’s degree in Cybersecurity at Syracuse University.

The new website is easy to configure and manage and I’m truly grateful for the finished product Alex has delivered. Read more about Alex’s work on this project here.

Mirai.BadPackets.net

New website: mirai.badpackets.net

The new website offers filtering options for every field, including IP Address, Country, ASN, and date range. It also expands on the features formerly offered in the spreadsheet, including the following lookups:

IP address (DomainTools)
ASN (Hurricane Electric BGP Toolkit)
Shodan
Censys
ZoomEye

In addition to the main page, which is updated daily, we can also filter by the top ASN and country for a specified time period. Using this, we can review the all-time leaders for the entire year of Mirai-like botnet data collected.

China dominated the count of unique IPs seen with 27,672. India and Brazil both had over 10,000 unique IPs each. Japan and Argentina were close behind with over 9,000 unique IPs each. Russia and the United States were also among the top 10 countries with 7,801 and 5,045 unique IPs, respectively.

Top 10 Country

Continuing the trend, network providers China Telecom and China Unicom led in total overall volume, combining for a total of 23,243 unique IPs seen. Coming in third place was Telefonica de Argentina with 7,576 unique IPs. Rounding out the top five network providers in unique IPs seen were Rostelecom (Russia) with 5,407 and Tigo Colombia with 3,301.

Top 10 ASN

During the one year of data collection, I saw botnet traffic from 179 of the 195 recognized countries in the world. IP addresses registered to 5,581 unique network providers (ASNs) were also observed. It was clear that Mirai-like botnet activity was truly a worldwide phenomenon.

Closing Remarks

The unique IPs seen by my honeypot are only a tiny fraction of those participating in active botnets. In the case of the Satori botnet, other security researchers estimate the total size peaked around 650,000 infected devices.

The data provided via the new website will remain free and open to the public. I will continue to update it daily with my latest available data.

Follow me on Twitter to receive my daily Mirai-like botnet statistics update of new unique IPs seen, top ten countries and top five ASNs seen in the Mirai-like botnet.

How to find cryptojacking malware

Cryptojacking malware continues to spread across the web, largely due to the popularity of Coinhive. Since Coinhive’s launch in September 2017, numerous cryptojacking clones have come about.

The tool I’ve chosen to locate them with is PublicWWW. This is a search engine that indexes the entire source code of websites. I previously offered a comparison of their dataset versus other providers in my discussion of Coinhive malware specifically.

In this post, I detail how to find websites containing Coinhive, Crypto-Loot, CoinImp, and deepMiner in PublicWWW.

Let’s jump in and see how many sites with cryptojacking malware we can find!

Coinhive

Before we review some of the knock-offs, let’s look at the name most synonymous with cryptojacking, Coinhive. Finding this malware is relatively easy and various queries can be used to locate it. The original Coinhive JavaScript library used in cryptojacking is “coinhive.min.js” and we can start by simply searching for that. It’s important to search for the entire name in quotes to ensure an exact match is returned by PublicWWW.

PublicWWW search for "coinhive.min.js"

Using this query, we find 34,474 sites. While this may seem like an astounding number,  it’s only a modest increase since I wrote about the 30,000 sites found back in November 2017.

While this list of sites is great for an overview of sites with Coinhive malware, we can dig even deeper into PublicWWW’s dataset to extract the Coinhive site key used on each site. This can be done using regex to extract the site key as a snippet: "coinhive.min.js" snipexp:|CoinHive.Anonymous\('?(\w{32})'|i

PublicWWW search for "coinhive.min.js" snipexp:|CoinHive.Anonymous\('?(\w{32})'|i

Once the Coinhive site key is extracted, we can export the results and correlate which sites are part of a cryptojacking campaign. This correlation of a small number of Coinhive site keys to hundreds and even thousands of websites was documented in my previous post.

Recently I found a large cryptojacking campaign targeting 5,451 WordPress sites. In each case, the JavaScript containing Coinhive was hidden via obfuscation.

Example site found in WordPress cryptojacking campaign
The obfuscated JavaScript code is illegible and must be deobfuscated first to be human-readable.

While PublicWWW can’t search within the deobfuscated JavaScript itself, we can find a way to work around it.

PublicWWW search for sites found in large WordPress cryptojacking campaign.

To search for the affected sites, the following query, graciously crafted for me by VriesHd,  was used:

“[“(k” “\x43\x72\x79\x70\x74\x6f\x6e\x69\x67\x68\x74\x57\x41\x53\x4d\x57\x72\x61\x70\x70\x65\x72” snipexp:|(var _0x[0-z]{4}=)|

This query searches for the JavaScript function name used for the obfuscated code and then uses regex to extract a snippet of that name. This is useful to correlate the function name, such as “var _0xb70e”, to the Coinhive site key used. Six unique keys were found to be used in this cryptojacking campaign:

Coinhive site key (function name)
DhGEVUgOoquJP68XByYLFs0nRVV4gq4J (0xb70e)
bbgnHTSmMLKUMaQzNa3Yfoul34A3cACd (0xbcba,0xe2f6)
hg9mNsA2DPkqe1F9yCUyWXggnDyrPqVW (0x1b00)
T6Oy0x11TMdeZRjy684Xow4GNBpb07SK (0xf80b)
OQoqVYH65ER2Eg2xcmoVtv4qrcHP2Z7G (0xe4d0,0xb765,0xcc28)
VW8fWIsg9hjn47qBdmb0jImf7pDHmU28 (0x8f35)

In some cases the same Coinhive site key was associated with multiple functions, as shown above.

Crypto-Loot

Crypto-Loot has steadily remained one of the most popular alternatives to Coinhive since its inception. Similar to Coinhive, Crypto-Loot doesn’t require any user interaction and can run stealthily in the background.

This is a prominent feature on Crypto-Loot’s marketing page, in addition to DDoS protection which is provided by Cloudflare.

Crypto-Loot is advertised to run secretly in the background while protected from DDoS attacks by Cloudflare.

Crypto-Loot uses two domain names for their cryptojacking operations:
crypto-loot.com
cryptoloot.pro

These domains can be queried in PublicWWW to locate the affected sites, and, similar to Coinhive, we can use regex to extract the site key used on each with this query: "CryptoLoot.Anonymous" snipexp:|CryptoLoot.Anonymous\('?(\w{44})'|i

PublicWWW search for "CryptoLoot.Anonymous" snipexp:|CryptoLoot.Anonymous\('?(\w{44})'|i

Searching for strictly the two domains used, we find a total of 2,057 sites with Crypto-Loot present.
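The site-key extraction and correlation described above for Coinhive and Crypto-Loot can be reproduced offline against page source you have already collected. This is an added example, not code from the original post or from PublicWWW; the domains, HTML and site keys are constructed placeholders, and the patterns are modelled on the snipexp expressions quoted in the post.

```python
import re
from collections import defaultdict

# Key lengths follow the post's queries: 32 word characters for Coinhive,
# 44 for Crypto-Loot. Either quote style is accepted around the key.
MINER_PATTERNS = {
    "Coinhive": re.compile(r"CoinHive\.Anonymous\(\s*['\"]?(\w{32})['\"]", re.I),
    "Crypto-Loot": re.compile(r"CryptoLoot\.Anonymous\(\s*['\"]?(\w{44})['\"]", re.I),
}

# Constructed placeholder keys and pages; none of these are real site keys.
KEY_A = "A" * 32
KEY_B = "B" * 32
KEY_CL = "C" * 44

SAMPLE_PAGES = {
    "shop.example": "<script src='coinhive.min.js'></script>"
                    f"<script>new CoinHive.Anonymous('{KEY_A}').start();</script>",
    "blog.example": f'<script>var m = new CoinHive.Anonymous("{KEY_A}"); m.start();</script>',
    "news.example": f"<script>new CoinHive.Anonymous('{KEY_A}').start();</script>",
    "forum.example": f"<script>new CoinHive.Anonymous('{KEY_B}').start();</script>",
    "video.example": f"<script>new CryptoLoot.Anonymous('{KEY_CL}').start();</script>",
    "music.example": f"<script>new CryptoLoot.Anonymous('{KEY_CL}').start();</script>",
    # References the library, but the key is not visible in the source
    # (for example because the loader is obfuscated): nothing to extract.
    "clean.example": "<p>How to remove coinhive.min.js from your site</p>",
}


def extract_site_keys(html):
    """Return a sorted list of (miner, site_key) pairs found in one page's source."""
    found = set()
    for miner, pattern in MINER_PATTERNS.items():
        for key in pattern.findall(html):
            found.add((miner, key))
    return sorted(found)


def correlate(pages):
    """Group domains by the (miner, site_key) pair embedded in their source."""
    by_key = defaultdict(list)
    for domain, html in pages.items():
        for pair in extract_site_keys(html):
            by_key[pair].append(domain)
    return {pair: sorted(domains) for pair, domains in by_key.items()}


def campaigns(pages, min_sites=2):
    """Keys reused on at least min_sites domains, largest cluster first."""
    clusters = [
        (pair, domains)
        for pair, domains in correlate(pages).items()
        if len(domains) >= min_sites
    ]
    return sorted(clusters, key=lambda c: (-len(c[1]), c[0]))


if __name__ == "__main__":
    for (miner, key), domains in campaigns(SAMPLE_PAGES):
        print(f"{miner} key {key}: {len(domains)} sites -> {', '.join(domains)}")
```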

CoinImp

CoinImp is a relatively new player in the cryptojacking game; however, a large increase in the number of sites where it has been seen was found recently.

CoinImp uses four domain names for their cryptojacking operations:
coinimp.com
www.hashing.win
www.freecontent.bid
webassembly.stream

Interestingly, the reference to “www.hashing.win” previously found in CoinImp’s documentation was quietly removed sometime after 2017-12-20 and replaced with “www.freecontent.bid” as the illustrative example.

Screenshot captured of CoinImp’s documentation page on 2017-12-20.

Coincidentally, the most used CoinImp domain name, www.hashing.win, has been found by PublicWWW on a whopping 3,745 sites.

PublicWWW search for www.hashing.win

Since this was a surprising number, I manually reviewed numerous sites and found that CoinImp had already been removed or another form of cryptojacking malware, such as Coinhive, had been placed. This leads me to believe the cryptojacking campaign perpetrator was using a short-lived method to place the CoinImp code.

Totaling the four CoinImp domain names used, we find a total of 4,119 sites.

Minr

Early in December 2017, I discovered a new form of cryptojacking malware called Minr. What differentiated this from the others is that it provided built-in obfuscation for its users. This wasn’t required however and many sites I found didn’t bother to use it.

Example site containing Minr malware
Example of a site containing Minr malware.

In addition, the domain names used by Minr were innocuous looking. The domain names also frequently changed, so anytime I shared an update it quickly became out of date.

Minr malware domains used on 2018-01-29

The domains used by Minr a week ago (shown above) have again changed.

As of this writing, the active domains used by Minr in cryptojacking operations are:
cnt.statistic.date
cdn.static-cnt.bid
ad.g-content.bid
cdn.jquery-uim.download

Totaling the four Minr domain names currently used today, we find a total of 692 sites.

deepMiner

Unlike the other cryptojacking providers, deepMiner is self-hosted JavaScript. This means the code used to mine cryptocurrency is not hosted by a third-party service provider and instead placed directly on the website or domain controlled by the cryptojacking campaign operator. The repository of deepMiner’s source code can be found on GitHub.

While this might appear to be a roadblock in our search for sites containing deepMiner, there is still a way to locate it. The secret in locating deepMiner lies in locating the function required for it to run, shown in the snippet below:

deepMiner code snippet

Now that we have this information, we can simply search PublicWWW for “deepMiner.Anonymous” to locate the affected websites.

PublicWWW search for "deepMiner.Anonymous"

This leads us to find 2,160 sites using deepMiner for cryptojacking purposes.

One site I found using deepMiner was a fake Chrome update website that advised users not to close the page. Meanwhile cryptojacking was happening in the background consuming 100% CPU of my test machine.

Fake Chrome update website running deepMiner malware
No, Chrome really isn’t updating.

Statistics Comparison

Coinhive remains the market leader for cryptojacking malware. However, many clones it inspired are showing exponential growth rates.

Websites found running Crypto-Loot, CoinImp, deepMiner, and Minr malware.

The four Coinhive clones discussed were found on a total of 9,028 websites. CoinImp had the largest market share at roughly 45% while Minr had the smallest at nearly 8%. Crypto-Loot and deepMiner shared the remaining portions at nearly 23% apiece.

Websites found running Coinhive and other cryptojacking malware.

However when compared to Coinhive by itself, the other cryptojacking malware providers only account for a modest 18% market share. I would expect Coinhive to remain in the top spot for the foreseeable future.

Closing Remarks

Coinhive is clearly the market leader when it comes to cryptojacking malware as it’s been found on nearly 40,000 websites.

For Chrome users, I recommend using a dedicated extension, minerBlock, to block cryptojacking malware. A Firefox version of this extension is available as well.

The cryptojacking malware discussed in this post is only a portion of what’s currently found in the wild. New variants are discovered frequently, which I share frequently on Twitter. You can also browse the CoinBlockerLists, which is constantly updated by ZeroDot1, where you can find hundreds of domains tied to cryptojacking malware.

The statistics shared in this post were generated from data provided by PublicWWW on 2018-02-07. They are subject to change as PublicWWW regularly updates their index.

Cryptojacking: 2017 Year-End Review

In 2017, we witnessed the rise of cryptojacking malware. A common target was compromised websites and their unsuspecting visitors.

How Cryptojacking Works
How cryptojacking works illustration by the European Union Agency for Network and Information Security (ENISA).

Cryptojacking begins after Coinhive or other malicious JavaScript cryptocurrency mining scripts are embedded in a compromised website. Unsuspecting visitors then begin mining the cryptocurrency Monero (XMR) in their browser.

This process is very intensive and can use all the CPU resources of the victim’s device. This leads to higher energy usage, rapid battery drain in mobile devices, and can cause damage from overheating.

Many well-known websites were compromised in 2017 with cryptojacking malware.

Showtime Networks

Coinhive found on Showtime's website
For an entire weekend in September, subscribers of Showtime’s video streaming website, Showtime Anytime, were subjected to cryptojacking.

Back in September, I was the first to document the cryptojacking incident of CBS’ Showtime Networks’ websites. Coinhive malware was found to be present on video streaming site ShowtimeAnytime.com for three straight days.

Showtime has refused to comment as to why the code appeared on their websites. While the Coinhive code was found in a New Relic code block, the company’s spokesman denied any responsibility in the matter.

Politifact 

Politifact's website hacked to run Coinhive malware
Hackers embedded Coinhive on Politifact’s website after compromising one of their AWS servers.

On October 13, Coinhive was found on the political fact-checking website Politifact. A compromised JavaScript library was found to be injecting the cryptojacking malware. The malicious code remained on the site for at least four hours before it was removed.

In a statement provided to The Wall Street Journal, PolitiFact Executive Director Aaron Sharockman stated, “Hackers were able to install their script on the fact-checking website after discovering a misconfigured cloud-computing server.”

UFC Fight Pass

UFC Fight Pass hosting Coinhive malware
The cryptojacking of UFC’s Fight Pass website went viral on Reddit as multiple users confirmed the presence of Coinhive.

Early in November, numerous users reported the subscription video streaming service of the UFC, dubbed Fight Pass, was running cryptojacking malware. A UFC.tv customer saved a copy of the source code (above) where Coinhive was found. However, in a statement released to me (below), the UFC denied the code was ever present on their website.

UFC statement regarding cryptojacking allegations

Crucial Memory and Everlast Worldwide

Coinhive found on the website of Crucial Memory

Coinhive on Everlast's website
The cryptojacking of Crucial Memory and Everlast’s website was due to a compromised live help chat widget.

On Thanksgiving Day, I found a large cryptojacking campaign of 1,400+ websites. The two most notable sites were those of Crucial Memory and Everlast Worldwide. Normally you would never associate these two brands together, however both their websites shared a similar embedded code — a live chat widget provided by LiveHelpNow. LiveHelpNow stated one of their CDN servers was compromised and injected with the cryptojacking malware Coinhive.

Globovisión and Movistar

Google Tag Manager was used to inject Coinhive on Globovision's website

Google Tag Manager was used to inject Coinhive on Movistar's website
Google Tag Manager was used to inject Coinhive on Movistar’s and Globovisión’s websites.

In two separate incidents, I found Coinhive was injected into the websites of Globovisión and Movistar using Google Tag Manager. Movistar stated that Coinhive was not put on their website by a hacker, but instead was due to “an internal error” while they were conducting “pre-production tests.” No statement was provided by Globovisión on why the cryptojacking malware appeared on their site on November 15.

Chrome extension “Archive Poster”

Archive Poster Chrome extension infected with cryptojacking malware
Multiple users reported the cryptojacking behavior of the “Archive Poster” extension.

Cryptojacking was not limited to websites in 2017 as we saw Chrome extensions also being affected. One such extension, Archive Poster, remained on the Chrome Web Store for days while silently cryptojacking an unknown portion of their 100,000+ users.

Despite multiple user reports, Google’s response lacked any initiative to remove the malware infected extension. After I reported the issue to them, it was finally pulled.

Other sources of cryptojacking found

Coinhive is not the only JavaScript cryptocurrency miner available for use. Many clones have popped up in its wake. Using PublicWWW, I was able to find how many websites were using a copycat.

JavaScript cryptocurrency miners
Non-Coinhive JavaScript cryptocurrency miners found on 2017-12-24.

One of the up-and-coming Coinhive knockoffs, Minr, offers built-in obfuscation and uses multiple domain names to evade detection.

Domains used by Minr malware change frequently.

Other notable cryptojacking malware discoveries in 2017

— Being found on nearly 2,500 ecommerce websites
— Masquerading as a jQuery file on 4,000 websites
— Concealed with hidden browser window mining
— Even a Starbucks WiFi provider was found running Coinhive

Heading into 2018, the question remains how to stop the spread of cryptojacking malware. Luckily we have seen anti-mining browser extensions, such as No Coin and MinerBlock, developed to help curb the threat. Another popular ad blocker, uBlock Origin, blocks most cryptojacking scripts now as well. Many anti-malware applications, such as Malwarebytes, have started blocking the effects of cryptojacking.

Cryptojacking malware Coinhive found on 30,000+ websites

Since first going mainstream with The Pirate Bay and Showtime, cryptojacking has quickly become a favorite revenue stream for cybercriminals. Cryptojacking typically begins after Coinhive (JavaScript code) is embedded on a compromised website. Unsuspecting visitors then begin mining the cryptocurrency Monero (XMR) in their browser.

How Cryptojacking Works
How cryptojacking works illustration by the European Union Agency for Network and Information Security (ENISA).

The length of time the Coinhive script stays on a compromised site, in addition to the number of visitors and the duration of their visits, directly correlates to the profitability of the cryptojacking session. However, the operating cost is still nearly zero for the threat actor (hacker) planting the script. The processing burden of Coinhive is solely laid upon the client (end user). This leads to rapid battery drain and higher energy costs for the afflicted devices.

So how many websites have Coinhive embedded in them? This answer varies depending on the search engine used. To test, I searched for the name of the Coinhive JavaScript library, “coinhive.min.js”, via four search engines: Censys, PublicWWW, Shodan, and ZoomEye. The following numbers of Coinhive sites were found on 2017-11-04:

Censys: 1,640
PublicWWW: 30,611
Shodan: 941
ZoomEye: 474

Since PublicWWW presented the most results, I chose their dataset to analyze. I began cataloging the domain names found by extracting the Coinhive Site Key from each site. Once this was completed, I was able to correlate a single site key to multiple Coinhive infested sites.

NOTE: I also used my own tools to independently verify the PublicWWW results. I felt confident in the data they provided after I had scanned the top 11,000 Coinhive infected sites myself and correlated the results.

The number of websites tied to one Coinhive Site Key was somewhat astounding. This correlation was also recently noted by security researcher Willem de Groot. He found 2,496 infected online stores, of which 85% were linked to only two Coinhive accounts.

The most used Coinhive Site Key I found was:
M1p4TkON5Kvu3hk5ePbaBnl7WwsF8bhK

This one key was used on 4,722 sites. Almost all of the sites used the top-level domain “.ir” (ccTLD for Iran). Most of the domain names were four characters long consisting of only random numbers or three characters long consisting of only random words.

Example “numbers only” domains:
1906.ir
3394.ir
8424.ir

Example “letters only” domains:
uag.ir
fuv.ir
bdy.ir

Example “other” domains:
baidu.ir
billionaire.ir
daytona.ir

All domains were registered to a “Mohammad Khezri” of Iran. A reverse WHOIS search on DomainTools.com shows 6,040 domains are registered to him. These domains appeared to be parked using a service called DNS4.IR that uses Coinhive to monetize the traffic.

Other individual Coinhive Site Keys were associated with a large number of domain names. Site keys that were found on 100+ domains are shown below. I sampled the content of a handful of sites found for each key. I also looked for trends in the Nameservers (NS) used for each domain. This allowed me to get a general idea of the “theme” of each Coinhive Site Key used.

Coinhive Site Keys found on 100+ domains organized by total domains associated.

Overall, the bulk of the sites were either compromised websites or parked domains. The third-most used key no longer appeared to be actively engaged in cryptojacking and simply redirected to Bing.com.

The range of compromised sites varied greatly due to the sheer volume. Some notable and humorous sites that I encountered included:

Papa John’s Pizza – Puebla, Mexico

National  Association of Doctors

In addition to Coinhive, a fake online pharmacy was found on their website.

National  Association of Doctors fake online pharmacy

Deposit Insurance of VietNam – Vietnamese equivalent of the FDIC

Vietnamese equivalent of the FDIC, Deposit Insurance of VietNam

Ortel Communications (AS23772) – Large ISP in India

Ortel Communications

MacbookWarmer.com – “Stay Warm Whenever and Wherever”

MacbookWarmer.com

While this one is clearly a well-thought-out spoof, cryptojacking is no laughing matter.

MacbookWarmer.com - About

A PublicWWW search shows 4,260 WordPress sites are running Coinhive. A “weather widget” plugin was recently banned from the WordPress plugin repository, however other cryptojacking plugins are still available for site operators to utilize.

Various techniques have been used to spread the Coinhive infestation further, from Android apps to an open Amazon S3 bucket of Politifact.com.

Coinhive is not the only JavaScript miner available for cryptojacking use. Many competitors have popped up in its wake. Using PublicWWW, I found JSECoin was in a distant second place behind Coinhive on 905 websites.

Non-Coinhive Miners Pie Chart

Non-Coinhive JavaScript cryptocurrency miners found on PublicWWW:
JSEcoin: 905
Crypto-Loot: 123
AFMiner: 77
ProjectPoi (PPoi): 50
Coinhave: 43
Coinerra: 11
MineMyTraffic: 3
Papoto: 1

It’s clear the cryptojacking frenzy will continue into the near future. To protect yourself from cryptocurrency mining scripts while browsing, I recommend using any of the following Chrome extensions:

minerblock
uBlock Origin
ScriptSafe

Many anti-malware applications also block cryptojacking scripts, such as Malwarebytes and Avast.

A request has been made to Google Developers to add functionality in Chrome itself to block malicious JavaScript usage. Anyone can comment to share their feedback with Google here.

In the meantime, I will continue to monitor reports of cryptojacking while reviewing new Coinhive sites found daily.

For the latest updates on this topic, follow me on Twitter @bad_packets.