Slashdot Mirror

← Back to Stories (view on slashdot.org)

First Ever Malvertising Campaign Uses JavaScript To Mine Cryptocurrencies In Your Browser (bleepingcomputer.com)

Posted by BeauHD on from the first-of-its-kind dept.

An anonymous reader writes from a report via Bleeping Computer: Malware authors are using JavaScript code delivered via malvertising campaigns to mine different cryptocurrencies inside people's browsers (mostly Monero), without their knowledge. The way crooks pulled this off was by using an online advertising company that allows them to deploy ads with custom JavaScript code. The JavaScript code is a modified version of MineCrunch (also known as Web Miner), a script released in 2014 that can mine cryptocurrencies using JavaScript code executed inside the browser. Cryptocurrency mining operations are notoriously resource-intensive and tend to slow down a user's computer. To avoid raising suspicion, crooks delivered malicious ads mainly on video streaming and browser-based gaming sites (currently mostly Ukrainian and Russian sites). Both types of sites use lots of resources, and users wouldn't get suspicious when their computer slowed down while accessing the site. Furthermore, users tend to linger more on browser games and video streaming services, allowing the mining script to do its job and generate profits for the crooks.

6 of 70 comments (clear)

  1. Re:Got to say by TheRaven64 · · Score: 3, Interesting

    I've noticed that a lot of web sites now cause my browser to ask me if I trust them to run WebGL code for no obvious reason (I don't, because I've worked on GPU drivers, and there's no way I'd trust them with potentially malicious code, even if it has had some token WebGL verification). JavaScript is fairly slow, but WebGL and WebCL let JavaScript run shader code on your GPU.

    Most cryptocurrency mining is probabilistic: you only win on average by having the most compute, each step involves trying a possible solution and hopefully getting lucky. If you try enough solutions in parallel, you'll probably find the correct one before anyone else. Even if each person only gives you 30 seconds of GPU time, that's still a lot if you can infect a few million people.

    I seem to recall a browser-based game a few years ago that used this exact business model: as you play the game, it mined bitcoin in the background on your GPU, which paid for the game.

    --
    I am TheRaven on Soylent News
  2. Let's replace adverts with this. by Anonymous Coward · · Score: 3, Interesting

    Why can't websites replace adverts with this, working for them?

    That seems like a perfect way to get micro-transactions in a website without any micro-transaction having to occur, and it scales with time spent on the website.

  3. Could we find a legitimate use for this idea? by 91degrees · · Score: 4, Interesting

    Micropayments have never caught on because they're a pain to deal with. People might be willing to spend some of their CPU time though. They don't object too much to doing the millions of operations required for a few seconds of video (the objection is more the annoyance of the video itself)

    I suspect CPU time is not valuable enough to make this sort of thing viable but maybe I'm wrong.

    1. Re:Could we find a legitimate use for this idea? by hord · · Score: 4, Interesting

      There are tons of distributed projects where people donate CPU time. It has value for communities of people that like to work on common computational goals. Examples are SETI, distributed.net, and folding@home. Here is Wikipedia's list:

      https://en.wikipedia.org/wiki/...

      I ran a Pentium 200MHz overclocked to 250MHz for several years straight (along with many other machines) trying to crack RC5-64 years ago. Lots of fun.

    2. Re:Could we find a legitimate use for this idea? by 91degrees · · Score: 4, Interesting

      Yup, and those are great. I approve of the aspirational ideals.

      But I'm thinking of the more commercial aspects. For example, while I have no complaints about CGI movies, I'm not going to donate my CPU time to help make one. A company might be willing to pay me a fraction of a cent for rendering a few pixels though. I don't want that fraction of a cent. I do, however, want to be able to read websites without annoying popup ads. The website owner, with thousands of impressions per page per day would like that fraction of a cent for each page.

      So the computer animation company pays the website some money to run a few seconds rendering time on my PC. I get the web-page for a negligible increase in power costs, and the computer animation company gets some pixels. Multiply that by a few hundred thousand users. They all get the information they want, the computer animation company gets several frames rendered, and the website owner gets money.

  4. Re:Got to say by angel'o'sphere · · Score: 3, Interesting

    Could have answered to you plus + answer ;D
    But here it fits better.

    First of all: JavaScript is since a decade no longer as slow as people think. Nearly all browsers optimize it and jit compile it to assembly.

    Secondly: http://gpu.rocks/

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.