Slashdot Mirror


A Surge of Sites and Apps Are Exhausting Your CPU To Mine Cryptocurrency (arstechnica.com)

Dan Goodin, writing for ArsTechnica: The Internet is awash with covert cryptocurrency miners that bog down computers and even smartphones with computationally intensive math problems called by hacked or ethically questionable sites. The latest examples came on Monday with the revelation from antivirus provider Trend Micro that at least two Android apps with as many as 50,000 downloads from Google Play were recently caught putting crypto miners inside a hidden browser window. The miners caused phones running the apps to run JavaScript hosted on Coinhive.com, a site that harnesses the CPUs of millions of PCs to mine the Monero cryptocurrency. In turn, Coinhive gives participating sites a tiny cut of the relatively small proceeds. Google has since removed the apps, which were known as Recitiamo Santo Rosario Free and SafetyNet Wireless App. Last week, researchers from security firm Sucuri warned that at least 500 websites running the WordPress content management system alone had been hacked to run the Coinhive mining scripts. Sucuri said other Web platforms -- including Magento, Joomla, and Drupal -- are also being hacked in large numbers to run the Coinhive programming interface.

10 of 128 comments

  1. Again? by 110010001000 · · Score: 4, Insightful

    Slashdot keeps mentioning this. Are you considering adding this to the website? That would be cool!

  2. There is some good in this. by ffkom · · Score: 4, Informative

    This might remind people how weird it is that they run software automatically downloaded from arbitrary foreign sources all the time on their personal computer.

    If people still knew how to write HTML, almost no web site would need to use any "JavaScript" or other "active content", with all the security issues this implies.

  3. Re:my Crypto Purloined Unit by Dutch+Gun · · Score: 4, Informative

    This is just indicative of the much larger issue of how incredibly dangerous it is to allow servers to inject and run arbitrary code from third parties on your client machines. Third party ad-networks already do this, and if they're benign, they'll only TRACK you. If they're not, they'll do this, or try to hack your machine, or just about anything else they want to with all the power JavaScript gives them - crypto-currency mining included.

    --
    Irony: Agile development has too much inertia to be abandoned now.
  4. Not all web apps work with just HTML and CSS by tepples · · Score: 4, Insightful

    > If people still knew how to write HTML, almost no web site would need to use any "JavaScript" or other "active content"

    How would, say, a web-based front-end to an IRC server work without script? It needs to know when messages have arrived in order to display them. The same is true of a multi-user whiteboard, which needs to know when another user has drawn a stroke. In addition, server-side image map doesn't support drag input, only click input.

    Or should those instead be native executables that a user can download, install, and use? If so, then because native executables are generally specific to one operating system, Murphy's law holds that such an application will inevitably be designed for an operating system other than the one your device regularly runs. And it's still "software [manually] downloaded from arbitrary foreign sources".

    Or should real-time interactive applications instead be written for the Java Virtual Machine or the .NET Common Language Runtime? Even though one such executable can run on multiple desktop operating systems, it still generally excludes iOS and Android, and it's still "software [manually] downloaded from arbitrary foreign sources".

  5. cpu-profiling of browser tabs by mugurel · · Score: 5, Interesting

    Whether crypto-mining or not, some pages seem to use a disproportionate share of cpu time for the content they're delivering. Some form of cpu usage indicator per tab would be helpful, similar in vein to the speaker icon on tabs that produce sound.

    1. Re:cpu-profiling of browser tabs by swb · · Score: 3, Interesting

      Even better would be adjustable settings for maximum individual CPU by a tab and maximum CPU allowable to all background tabs total, and some way to whitelist tabs so that sites I want to run full tilt in the background can. Somebody can write a plug in for more granular control if you want to go full Asperger's on the settings.

      I hate to say it, but it really is going to take Google just deciding to ration background tab CPU. Once they do that it will force web sites to either suck it up and not get real-time updates about the web page I'm not looking at or un-bloat their code.

    2. Re:cpu-profiling of browser tabs by Trax3001BBS · · Score: 4, Interesting

      > Even better would be adjustable settings for maximum individual CPU by a tab and maximum CPU allowable to all background tabs total, and some way to whitelist tabs so that sites I want to run full tilt in the background can. Somebody can write a plug in for more granular control if you want to go full Asperger's on the settings.

      My fans do this for me and I've noticed a few websites where the fans start ramping up when visited. I then monitor the temps.

  6. Air conditioning by tepples · · Score: 3, Interesting

    > The electricity cost is negligible too.

    The price of electric power depends on where you live. And in a lot of places, people have to pay twice for electric power: once to run the computer and once to run the air conditioner that moves the heat generated by the computer to the outside.

    > never mind that [viewers] got their cut when they consumed the content on the site

    Why do people keep referring to viewing works created by others as "consuming" them? A work isn't "consumed", or used up, in the act of viewing it.

  7. Gecko engine web browsers' top... by antdude · · Score: 4, Informative

    Type "about:performance" into the URL form of any recent Gecko web browser (e.g., SeaMonkey and Firefox) to show a top-type view. I would also like to see a tab version like its audio.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  8. Re:What you really need to do by Anonymous Coward · · Score: 4, Informative

    > Does anyone remember the person that deleted the small JavaScript file and brought down so many big sites because they were loading it from his site instead of having a copy on their own site? I think it was to justify text. It was only a couple of lines.

    You're recalling the npm package called left-pad (alternate write-up here). The author was Azer Koçulu (Slashdot might botch his Turkish surname, apologies for that).