Slashdot Mirror


Showtime Websites Are Mining Monero With Your CPU, Unclear If Hack Or Experiment (bleepingcomputer.com)

An anonymous reader writes: Two Showtime domains are currently loading and running Coinhive, a JavaScript library that mines Monero using the CPU resources of users visiting Showtime's websites. The two domains are showtime.com and showtimeanytime.com, the latter being the official URL for the company's online video streaming service. It is unclear if someone hacked Showtime and included the mining script without the company's knowledge. Showtime did not respond to a request for comment, but it could be an experiment as the setThrottle value is 0.97, meaning the mining script will remain dormant for 97% of the time. Despite this, Coinhive has been recently adopted by a large number of malware operations, such as malvertisers, adware developers, rogue Chrome extensions, and website hackers, who secretly load the code in a page's background and make money off unsuspecting users. At least two ad blockers have added support for blocking Coinhive's JS library -- AdBlock Plus and AdGuard -- and developers have also put together Chrome extensions that terminate anything that looks like Coinhive's mining script -- AntiMiner, No Coin, and minerBlock.

The Pirate Bay recently ran tests using Coinhive. A recent report has calculated that a site like The Pirate Bay could make around $12,000 per month by mining Monero in the background.
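The check described in the summary, as an added example that is not code from the article, Showtime or Coinhive: a static scan of page source that flags Coinhive-style loaders and reads the throttle value. The hostnames are the ones quoted in a hosts-file comment further down this page, and `setThrottle` is named in the summary. The `CoinHive.Anonymous`/`User`/`Token` constructor names, the `throttle` option and the `coinhive.min.js` path are assumptions taken from Coinhive's public API, and the sample pages are constructed.

```javascript
// Hostnames as quoted in the hosts-file comment on this page.
const MINER_HOSTS = ['coin-hive.com', 'www.coin-hive.com'];

// API markers. Only setThrottle is named on this page; the constructor
// names are assumed from Coinhive's public API.
const API_MARKERS = [/\bCoinHive\s*\.\s*(Anonymous|User|Token)\b/, /\.setThrottle\s*\(/];

// Collect the src attribute of every <script> tag (quoted or unquoted).
function scriptSources(html) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1] || m[2] || m[3]);
  return out;
}

// Resolve a src to a hostname. Relative paths resolve to the placeholder
// origin, so they never match a miner host.
function hostOf(src) {
  try {
    return new URL(src, 'https://page.invalid/').hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

function isMinerHost(host) {
  return host !== null && MINER_HOSTS.some(h => host === h || host.endsWith('.' + h));
}

// Bodies of non-empty inline <script> blocks.
function inlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) if (m[1].trim()) out.push(m[1]);
  return out;
}

// Heuristic: an explicit setThrottle(x) call wins over a throttle option.
function throttleOf(code) {
  const call = /\.setThrottle\s*\(\s*([0-9]*\.?[0-9]+)\s*\)/.exec(code);
  const opt = /\bthrottle\s*:\s*([0-9]*\.?[0-9]+)/.exec(code);
  const raw = call ? call[1] : opt ? opt[1] : null;
  return raw === null ? null : parseFloat(raw);
}

function scanPage(html) {
  const remote = scriptSources(html).filter(src => isMinerHost(hostOf(src)));
  const inline = inlineScripts(html).filter(code => API_MARKERS.some(re => re.test(code)));
  const found = inline.map(throttleOf).find(t => t !== null);
  const throttle = found === undefined ? null : found;
  return {
    remoteLoads: remote,
    inlineMatches: inline.length,
    throttle: throttle,
    // throttle is the idle fraction, so 0.97 leaves about 3% of the time hashing
    activeShare: throttle === null ? null : Math.round((1 - throttle) * 100) / 100,
    // A self-hosted copy never touches the listed hosts, so DNS or hosts-file
    // blocking alone would not stop it.
    missedByHostBlock: inline.length > 0 && remote.length === 0,
    suspicious: remote.length > 0 || inline.length > 0,
  };
}

// Constructed sample pages (not captured from any real site).
const SAMPLE_THIRD_PARTY = `<html><head>
<script src="https://coin-hive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');
  miner.setThrottle(0.97);
  miner.start();
</script></head></html>`;

const SAMPLE_SELF_HOSTED = `<script src="/assets/js/player-stats.js"></script>
<script>var m = new CoinHive.User('SITE_KEY_PLACEHOLDER', 'u1', {throttle: 0.5}); m.start();</script>`;

const SAMPLE_CLEAN = `<script src="//cdn.example.org/app.js"></script>
<script>console.log('hi')</script>`;

for (const [name, page] of [['third-party', SAMPLE_THIRD_PARTY],
                            ['self-hosted', SAMPLE_SELF_HOSTED],
                            ['clean', SAMPLE_CLEAN]]) {
  console.log(name, JSON.stringify(scanPage(page)));
}
```

The self-hosted sample is the case hostname blocking misses; matching on the API usage still flags it.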

54 of 149 comments

  1. Still think NoScript is optional? by Anonymous Coward · · Score: 2, Insightful

    Firefox, you will be missed.

  2. The site doesn't make money. Users lose money. by Anonymous Coward · · Score: 5, Insightful

    A recent report has calculated that a site ... could make around $12,000 per month by mining Monero in the background.

    It's not really a case of the site making money. They haven't actually produced anything of real value, so wealth hasn't been created. All they've done is consumed the computing and electricity resources of the site's users, and converted them to an entry in some distributed database. Overall, it's a net economic loss. Resources were consumed without producing anything of value.

    At least advertising, as shitty as it is, can potentially result in a sale, which is an example of actual wealth creation.

    1. Re:The site doesn't make money. Users lose money. by Rick+Schumann · · Score: 1

      This is one thought I immediately had: So far as I know, it takes some serious computing power to 'mine' any sort of cryptocurrency; dedicated, FPGA-based platforms have been purpose-built for it. Direct machine code running on a general-purpose CPU is a pale substitute for this, and Javascript is slow and bloated compared to that, and the code would only be running so long as you had a webpage open? I have a hard time seeing how it would 'mine' much of anything.

    2. Re:The site doesn't make money. Users lose money. by bluefoxlucid · · Score: 1

      They haven't actually produced anything of real value, so wealth hasn't been created.

      Why are people consuming the site's content?

    3. Re:The site doesn't make money. Users lose money. by Anubis+IV · · Score: 1, Insightful

      My (admittedly limited) understanding of cryptocurrency mining is that it actually does produce value, in that the mining process itself is what's responsible for distributing, verifying, and otherwise maintaining the blockchain on which the currency is built. Which is to say, miners are the ones facilitating the use of the currency. It's actually part of what makes cryptocurrencies work so well, since the very act of maintaining the currency is both distributed and incentivized.

      All of which is to say, mining isn't just a matter of spinning one's wheels without purpose. It produces value for the people making use of that currency.

    4. Re: The site doesn't make money. Users lose money. by bluefoxlucid · · Score: 2

      Entertainment is bad, and we should all work to produce boring but necessary things.

      So, you're Mormon?

    5. Re: The site doesn't make money. Users lose money. by Qzukk · · Score: 2

      That, or a Marxist. Time wasted on frivolities means less that can be taken from you according to your abilities.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    6. Re:The site doesn't make money. Users lose money. by Rick+Schumann · · Score: 4, Interesting

      The real question is, I guess: Is this better or worse than ads? Pretty much everyone hates ads. This, ostensibly, would run silently in the background. If you're informed it's happening, and making a very broad assumption that there isn't going to be any malicious code being executed (implies they protect it from being hacked/repurposed into something malicious) is it a better solution for funding websites instead of ads?

    7. Re:The site doesn't make money. Users lose money. by PopeRatzo · · Score: 1

      All of which is to say, mining isn't just a matter of spinning one's wheels without purpose. It produces value for the people making use of that currency.

      Based on your description of how virtual currency mining creates value, then couldn't we also create value by adding a zero to the end of our bank balances?

      Or more specifically, by having only people with fancy computers add a zero to their bank balances.

      --
      You are welcome on my lawn.
    8. Re:The site doesn't make money. Users lose money. by ctilsie242 · · Score: 1

      I wonder if websites might move to a proof of work model, where their miner would have to execute for n cpu cycles for access to pages to be granted. I can see this becoming an alternative to advertising, especially with smartphone CPUs so relatively fast.

    9. Re:The site doesn't make money. Users lose money. by Anubis+IV · · Score: 1

      No, because in your example there's no correlation between the people adding 0s to their bank account and the people facilitating financial transactions. You're talking about paying people for doing nothing to aid the operation of the system, whereas I was talking about paying the people who facilitate the operation of the financial system.

      If you'd like an actual example of this sort of thing in the real world, look no further than banks, ACH, and other financial institutions who facilitate the transfer of money. We pay them in various ways for the services they render. The big difference with cryptocurrencies is that the people facilitating transfers (i.e. miners) are paid directly via mechanisms built into the cryptocurrency's architecture, rather than via fees and interest that they have to collect themselves. In any financial system, someone(s) will need to facilitate things, and their efforts are of value to the people making use of that currency, whether we're talking about USD or Bitcoin. Paying someone for work done is not the same as arbitrarily adding 0s to bank accounts.

    10. Re:The site doesn't make money. Users lose money. by swb · · Score: 1

      I don't know how much fractional value you can mine from a single session, but assuming you can build out the distributed computing network even a fraction of a cent multiplied across millions of users starts to be real money.

      Getting $0.01 of value out of a million users is still $10,000 per day.

    11. Re: The site doesn't make money. Users lose money. by LocalH · · Score: 2

      You do realize that Showtime is a premium network, and sites in question are legitimate, correct? Nobody is watching pirated content at either of those URLs.

      --
      FC Closer
    12. Re:The site doesn't make money. Users lose money. by Rick+Schumann · · Score: 1

      If they did something like that, they'd take what might have been a good replacement for annoying ads, and made it into something even more annoying than ads: making you sit there and wait, perhaps watching some inane countdown or 'progress bar' for something that the vast majority of people wouldn't understand. All I'm saying is, if it were I who were implementing this idea, I'd make it clear in the Terms of Service for the affected site that it's happening (perhaps with a one-time pop-up notice informing you) and otherwise let it execute silently in the background. Optionally a link you can click that shows realtime progress of the miner code in operation.

    13. Re:The site doesn't make money. Users lose money. by Rick+Schumann · · Score: 2

      Again, if it were I implementing this.. I probably would detect it being on a smartphone and not have it execute at all, or at most have it be 'opt in', simply because something like this would kill a smartphone battery in nothing flat, maybe even compared to playing HD video. They'd be offered a choice of paying a subscription fee or pay-per-use fee instead.

    14. Re:The site doesn't make money. Users lose money. by parkinglot777 · · Score: 1

      A recent report has calculated that a site ... could make around $12,000 per month by mining Monero in the background.

      It's not really a case of the site making money. They haven't actually produced anything of real value, so wealth hasn't been created. All they've done is consumed the computing and electricity resources of the site's users, and converted them to an entry in some distributed database. Overall, it's a net economic loss. Resources were consumed without producing anything of value.

      At least advertising, as shitty as it is, can potentially result in a sale, which is an example of actual wealth creation.

      Hmm... Your post reminds me of someone in economic field. You are looking at something that has no value means no loss in value (but in net economic). However, that is not really true with non-tangible product. In other words, no value is produced does not mean no wealth created at all. In this case, results from hash computation actually has value even though it doesn't find the combination.

      Think of it as if you have to look through 1,000,000 boxes to find a mark. If you could eliminate 100 boxes that you don't need to look at because you know for sure that they don't contain a mark (someone has done it for you and you can trust the person), is that valuable time to you? How about 2 people instead of one look over 100 boxes each for you? In the sense of mining on other people's CPU time, it is similar. I'm not saying whether it is worthwhile, but I'm saying that it has its value regardless the amount. But in economic point of view, often times the view assumes little value as no value.

      Now, given another example which is a bit different but still in the same sense. Think of a thief taking only 1 cent of every bank account which has $1,000 in the account. The thief just does it once every month. Most people don't feel or see the value of their loss. However, do you think it is worthwhile ignoring legal repercussions if there are 1,000,000 accounts and you are the thief?

      Therefore, the wealth can be created by nipping off big enough targets. Net economic loss is still a loss to another who is gaining because it is not a total wasted resources. In other words, not-worth-it is not equal to zero (0), and it can create wealth as long as the not-worth-it is above zero (0).

    15. Re:The site doesn't make money. Users lose money. by PopeRatzo · · Score: 1

      No, because in your example there's no correlation between the people adding 0s to their bank account and the people facilitating financial transactions.

      Sure there is. If you add a zero to my bank balance, it will facilitate many more financial transactions by me.

      You're talking about paying people for doing nothing to aid the operation of the system, whereas I was talking about paying the people who facilitate the operation of the financial system.

      In terms of productivity, those two things are exactly the same.

      --
      You are welcome on my lawn.
    16. Re:The site doesn't make money. Users lose money. by Anubis+IV · · Score: 1

      Sure there is. If you add a zero to my bank balance, it will facilitate many more financial transactions by me.

      Well, given that I said I was talking about "facilitat[ing] the operation of the financial system" and that you are not the financial system, I think it's safe to say that you're talking about something wholly separate. In fact, if you engaged in more financial transactions, it would place additional burden on those who are facilitating the system's operation, and if you intentionally twist terms in a disingenuous way like that again, I'll be done with this discussion.

      In terms of productivity, those two things are exactly the same.

      If you live in an agrarian society, perhaps, I suppose.

      But as soon as your society grows beyond the ability for every transaction to occur via cash on a face-to-face basis, you'll necessarily incur a loss of productivity as people wait for funds to arrive before they can resume productive activities. As such, the act of facilitating timely and trustworthy transactions beyond face-to-face interactions produces value by allowing our productive activities to continue unabated. In much the same way that a courier provides value by moving an object from point A to point B in a timely and trustworthy manner, miners or an ACH provide value to financial systems by moving money from account A to account B in a timely and trustworthy manner.

    17. Re:The site doesn't make money. Users lose money. by Rick+Schumann · · Score: 1

      Okay, what if they offered you three versions: (1) You pay a subscription fee or per-use micropayment. (2) You get 'traditional' ads. (3) You get the cryptocurrency mining javascript. All the above are opt-in, fully informed, never opt-out. Saying "I don't like any of the above, why can't I access the site for FREE?" means you're denied access to the site entirely; you must choose one of the three options.

    18. Re:The site doesn't make money. Users lose money. by Khashishi · · Score: 1

      Users will just block it either way.

    19. Re: The site doesn't make money. Users lose money. by AvitarX · · Score: 1

      Well, they estimate the pirate bay can pull $12,000.00/month.

      I'm not sure what their costs are, but it seems like best case scenario is a modest income for one person. Maybe showtime can do better as people watch there too?

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    20. Re:The site doesn't make money. Users lose money. by indi0144 · · Score: 1

      That's... that's not how it works. There's no fractional gain in mining unless you are part of a mining pool. AFAIK you only get your share if you find one block, if you are mining alone all the block reward goes to you, if it's found by a pool it's shared across the participants relative to the amount of work they provided.

      But as far as I've been reading, crypto mining is dead, it's been dead for months, only profitable for the mining farms in Asia.

      Latest ASIC miners are not reaching ROI within 2 years, for example, it used to be weeks/months.

  3. Doing it stealthily is wrong, but perhaps... by Bugler412 · · Score: 5, Interesting

    Doing it this way, unannounced and underhanded is wrong. However, if done in an upfront and informed way I would likely accept some form of low impact mining on my PC while consuming content over most forms of advertisement.

    1. Re:Doing it stealthily is wrong, but perhaps... by bluefoxlucid · · Score: 1

      That was my first thought, followed by, "Oh wait, bitcoin et al aren't sustainable."

    2. Re:Doing it stealthily is wrong, but perhaps... by middlehead · · Score: 1

      As a replacement for advertising, sure. But not from something like Showtime that I'm presumably paying for.

    3. Re: Doing it stealthily is wrong, but perhaps... by AvitarX · · Score: 1

      Does the pirate bay really get less than $12,000/month in advertising though?

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  4. Re: Kill javascript by Anonymous Coward · · Score: 1

    I second this, but instead of JS genocide, install No Coin, CPU freed up right away. Very disappointed this was causing my IDE's autocomplete to be entirely unusable while watching bootleg.

  5. Remember kids... by RyanFenton · · Score: 4, Insightful

    Never browse without properly community-maintained ad blocking and script blocking.

    And if any company complains about not being able to 'serve' you properly as they'd like to... add a request to have that complaint blocked.

    Ryan Fenton

  6. Re:The unfiltered internet is for dumb people by Anonymous Coward · · Score: 1

    I have no idea how anyone can browse the internet without a script-blocker and ad-blocker.

  7. Re:Kill javascript by Moheeheeko · · Score: 1

    My company actually just removed Java from every system on the network. People are wising up, albeit slowly.

  8. Re:The unfiltered internet is for dumb people by HBI · · Score: 1

    Most people don't understand what that means. "What's Javascript?" might be the response. So they pay for too much bandwidth and tolerate the poor performance inherent in the unfiltered net. And all the usual risks of running unidentified code.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  9. Voluntary mining would be fine... by EndlessNameless · · Score: 5, Interesting

    I would gladly donate CPU time to support a site instead of viewing ads.

    I might even idle my browser there---if it doesn't affect anything else I do. They really need to have a light touch though.

    And, it should go without saying, but no mining on mobile. If I have to choose between bandwidth for ads and battery life, I'll take the ads.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  10. Re:Russian Satellite Proof, America is ISIS by MightyYar · · Score: 1

    Naw, it's good he posted this. I would have no idea what the crazy conspiracy people have moved onto if not for posts like this.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  11. Re:Kill javascript by Anonymous Coward · · Score: 1

    My company actually just removed Java from every system on the network. People are wising up, albeit slowly.

    Removing Java from the system has nothing to do with disabling Javascript in the browser...

  12. TULIPS! TULIPS! by Anonymous Coward · · Score: 1

    OMG tulips! Tulips, everyone! Oh shiiiiiiiiiiiiii-

  13. Am I missing something? by Anonymous Coward · · Score: 1

    Before I swung by slashdot, I hit TPB and fired up my download of Star Trek. I haven't paid TPB for anything, and I'm not about to sign up for their VPN, or stay up all night playing "The most addictive game of 2017". But TPB has provided me with a valuable service, and for that, I am more than happy to throw them a few spare CPU cycles.

    Thanks guys, keep up the great work!

  14. Terrible way to fund sites by FeelGood314 · · Score: 5, Interesting

    CPU mining has a return of between 1 and essentially 0% depending on the currency and the price of electricity. Best case scenario, you leave your web browser open for two days, you consume $1 of extra electricity and the web site gets $0.01. Unless the browser could leverage your GPU, you live in Quebec (cheap electricity) and it's winter so you are heating your house with the GPU, this is never going to make sense.

    1. Re:Terrible way to fund sites by johannesg · · Score: 4, Insightful

      CPU mining has a return of between 1 and essentially 0% depending on the currency and the price of electricity. Best case scenario, you leave your web browser open for two days, you consume $1 of extra electricity and the web site gets $0.01. Unless the browser could leverage your GPU, you live in Quebec (cheap electricity) and it's winter so you are heating your house with the GPU, this is never going to make sense.

      It makes perfect sense if it is other people paying for the electricity...

    2. Re:Terrible way to fund sites by johannesg · · Score: 1

      OK, I'll bite. Who is paying for the electricity in your house if it isn't you?

      _I_ am paying for the electricity. The _website_ is getting the money. So for them it's free.

      What does that mean? Well, for one thing, that the web we knew and loved is _over_. Just like how every website loaded up with as many ads as they could possibly fit, now they will load up with as much mining as they can. Which means that opening a web browser, in the near future, will guarantee a CPU load of 100%, no matter what you're doing, with every page you open fighting for its unfair share.

      There will be countermeasures, of course: noscript, but the smarter solutions will try to take the money before it gets to the miner. And browsers that only use one core are going to be a feature...

  15. Re:The unfiltered internet is for dumb people by murdocj · · Score: 1

    I don't use a script blocker and do a bit of ad-blocking. If a site slows me down, I close it. Problem solved.

  16. Re:Kill javascript by Anonymous Coward · · Score: 1

    Your company needs to buy a clue. Preferably from my company which sells CLUE: a PHP based JavaScript to Java translator so that your Java removal will now remove JavaScript too.

    [Hey guys, don't tell him, but I'm just going to sell him NoScript]

  17. Re:Kill javascript by grumpy-cowboy · · Score: 1

    Java != Javascript. I don't know what your company is selling, but I will not buy anything from you if your IT dept cannot make the difference between Java and Javascript.

    --
    Will $CURRENT_YEAR be the year of the Linux Desktop?
  18. Re:The unfiltered internet is for dumb people by HBI · · Score: 1

    Presuming that they didn't drive-by install something using a zero day against your browser or OS. It wouldn't take very long, and probably not even long enough for you to notice.

    Your hope based strategy is probably not going to work out well over the long term.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  19. Re:The unfiltered internet is for dumb people by murdocj · · Score: 1

    Yeah, it's only worked for 10 years. If I really wanted to be safe, I guess I could telnet to websites and just pick out what I wanted from the readable text.

  20. Re:"2 & more-4 the price of 1" via hosts... ap by IWantMoreSpamPlease · · Score: 1

    Heh,

    My corp firewall lists your program as "malware"
    Not saying it's right...but I find that funny all the same.

    --
    So rise up, all ye lost ones, as one, we'll claw the clouds.
  21. Not the case with Monero by Anonymous Coward · · Score: 1

    The hashing algo used by Monero needs a fair amount of super fast memory (think CPU L2 or L3 speed). It's not efficiently minable with GPUs or ASICs.

    Depending on electricity cost, consumer level CPU mining can be profitable. Even better if using someone else's electricity.

  22. Re:The unfiltered internet is for dumb people by HBI · · Score: 1

    Are you positive that it has worked?

    I'm quite sure that I wouldn't recognize every exploit for what it was, so therefore I don't allow such things to execute.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  23. Re:What vendor? I'll put them in their place by Anonymous Coward · · Score: 1

    No pro would use your stuff. You made a couple of little programs that someone who had a bit of programming knowledge and an AAS networking 1 class, or a bit of programming knowledge and the wikipedia page on fat32 could make. If you have ever created something other than your hosts file engine, really dumb name btw, or your defrag program please list them because all I have seen you hold up as examples are those dumb little things and nothing else. Maybe their firewall is protecting them from your stalking and harassment which would be another wise thing to do, or maybe it is just something that blocks junk software. Besides you have some strange definitions of proof. I doubt your little programs have gone through any formal proof but instead were checked against some known definitions and declared to not match any. So your software hasn't been proven secure it has simply been shown to not match any known definitions which is pretty flimsy proof of security especially given its low install base. I don't expect you to understand this as you frequently show off your ignorance and this sort of things is a rather advanced topic but I felt like putting you in your place today.

  24. Basic economics issue by sfcat · · Score: 1

    Bitcoin mining has been done by custom chips for at least the last 5 years. The economics of mining are that you convert electricity into currency at some rate that is efficient (ie the value of the electricity < value of the coins mined). CPU mining of bitcoin is at least 100x less efficient than the custom chips used by miners. For other currencies (ie Litecoin like currencies), it's either custom chips or graphics cards (I think the graphics cards have been squeezed out of there too) which are at least 10x less efficient.

    The result of which is that the users are only "contributing" 1/10th to 1/100th of their extra expenses to the site. So this scheme is 1/10th to 1/100th as efficient as users just paying the site directly. I don't see how this would work for a business but I can easily see how some malicious actor would be very attracted to this.

    --
    "Those that start by burning books, will end by burning men."
    1. Re:Basic economics issue by corychristison · · Score: 1

      CoinHive is mining Monero, which does not benefit from custom miner hardware.

    2. Re:Basic economics issue by indi0144 · · Score: 1

      Yes but the difficulty is so high (and Monero the coin so stagnant) that's not really worth it. There's always newer and fresher coins to mine tho, but most cryptos are going proof-of-stake instead of proof-of-work. The value of bitcoins being given by the electricity used to create them was always a meme.

      This JS would have been a killer 3-4 years ago, today? And with the SEC preparing to come after so many scammers in the crypto scene? Meh.

      When you have the Chaina© and the US (and even JPM) working together to destabilize something...

  25. Re:Kill javascript by h33t+l4x0r · · Score: 1

    cat /etc/hosts

    127.0.0.1 coin-hive.com
    127.0.0.1 www.coin-hive.com

    problem solved.

  26. Re:Hell, I KNOW it is (inferior vs. hosts) by Rakarra · · Score: 2

    See subject & https://tech.slashdot.org/comm... [slashdot.org] - NoScript's inferior & inefficient vs. hosts (noscript & addons have overheads FAR beyond hosts + operate in slower usermode (vs. hosts in faster kernelmode)). No SINGLE addon does as much (& for FAR less resources), no questions asked!

    I like host-based approaches, but what if the website itself serves out the malicious/inefficient/junk JS? I'd like to be able to open a website without its javascript crap firing off, so I feel like I still have to enable NoScript. Worse, I'd like to enable things like googleapis but only if certain websites request them, but NoScript just lets you + or - googleapis completely. IE, if I enable it, then both goodsite.com and badsite.com automatically get to use them, and I don't know any way around that at the moment.

  27. Re:What vendor? I'll put them in their place by IWantMoreSpamPlease · · Score: 1

    Bluecoat. Was a McAfee program, now owned by...Symantec I think.
    And it's quite difficult to "show" you a screencap of BC telling me what it thinks of your file, if I can't send it to you, because you won't post an e.mail or owned website here...

    --
    So rise up, all ye lost ones, as one, we'll claw the clouds.