Slashdot Mirror

← Back to Stories (view on slashdot.org)

First Ever Malvertising Campaign Uses JavaScript To Mine Cryptocurrencies In Your Browser (bleepingcomputer.com)

Posted by BeauHD on from the first-of-its-kind dept.

An anonymous reader writes from a report via Bleeping Computer: Malware authors are using JavaScript code delivered via malvertising campaigns to mine different cryptocurrencies inside people's browsers (mostly Monero), without their knowledge. The way crooks pulled this off was by using an online advertising company that allows them to deploy ads with custom JavaScript code. The JavaScript code is a modified version of MineCrunch (also known as Web Miner), a script released in 2014 that can mine cryptocurrencies using JavaScript code executed inside the browser. Cryptocurrency mining operations are notoriously resource-intensive and tend to slow down a user's computer. To avoid raising suspicion, crooks delivered malicious ads mainly on video streaming and browser-based gaming sites (currently mostly Ukrainian and Russian sites). Both types of sites use lots of resources, and users wouldn't get suspicious when their computer slowed down while accessing the site. Furthermore, users tend to linger more on browser games and video streaming services, allowing the mining script to do its job and generate profits for the crooks.

6 of 70 comments (clear)

  1. Re:Got to say by AmiMoJo · · Score: 3, Insightful

    But how much currency can it mine?

    How long are ads displayed for? Probably not long in most cases. Many browsers, especially Chrome, throttle Javascript or even stop it running entirely to save energy when the user isn't interacting with the page. And Javascript isn't exactly known for its high performance when it comes to maths.

    A lot of processing will be wasted. Anything that ends before the minimum work unit that can be saved is complete is lost.

    If they are mining a popular currency the chances are Javascript running on a CPU will to too slow to earn anything significant. If they are mining a less popular currency it is now tainted by malware and unlikely to ever be worth much.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Re:Got to say by Nutria · · Score: 5, Insightful

    And Javascript isn't exactly known for its high performance when it comes to maths.

    That was my first thought. People spend so much on top-tier GPUs for mining, and these guys go for JS.

    I bet the malware guys are using this as a proof-of-concept for something else.

    --
    "I don't know, therefore Aliens" Wafflebox1
  3. Re: Crooks? by Boutzev · · Score: 5, Insightful

    If an ad runs on your computer without authorization - it uses your computer's resources too. Is that somehow different just because ads waste less resources than mining ? What about a mining script that uses less ressources than the standard video ad - would they still be crooks ?

    While I don't agree with anyone running code on a user's station without authorization, there isn't much difference between this and a common ad. Both should be illegal if you ask me. But if those guys are crooks - then what would Google Adwords be ?

  4. Re:Got to say by geekmux · · Score: 3, Insightful

    And Javascript isn't exactly known for its high performance when it comes to maths.

    That was my first thought. People spend so much on top-tier GPUs for mining, and these guys go for JS.

    I bet the malware guys are using this as a proof-of-concept for something else.

    How many people have a JS enabled-browser installed vs. how many people have top-tier GPUs installed?

    The performance all comes down to volume. And with Bitcoin valued at over $3000, I doubt that something else needs be a motivator.

  5. Shame on the ad network by cdwiegand · · Score: 3, Insightful

    What advertising network? They should be known, publicly shamed, and every website operator should know not to do business with them.

    Honestly, I wish there was a way for me to report an ad that's violating browser rules. I hate when I go to a real newspaper site that uses ads, and I get served an ad that takes over the whole window, hiding stuff behind, but there's no way for me, on my phone / tablet, to know who served the ad or report the ad placement. Makes me want to block all ads everywhere on my personal devices and networks, but THAT comes with issues because many sites and even many mobile apps refuse to function if they can't talk to the ad networks and/or Google/Adobe/etc..

    --
    . Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.
  6. Re:Got to say by geekmux · · Score: 3, Insightful

    I'll repeat again: when you stop browsing, any partial work disappears.

    The world never stops browsing, but people do.

    This is exactly why I mentioned streaming services. You can probably get some considerable crunching done when the word "binge" is often used to describe browser session times. Wouldn't be surprised one bit if the next YouTube/Netflix app upgrade comes with a few extra lines of JS.

    On top of that, I'll give it about another HFT micro-second before someone realizes the value of breaking up JS cryptomining assignments into 60-second chunks to try and counteract that "partial" work problem, and take advantage of this distributed mining model. Or perhaps they'll wrap this around something that is always running in the background; you've only got about 1,000 opportunities to do this with Win10 telemetry services...