Browser-Based Mining Malware Found on Pirate Bay, Other Sites - ExtremeTech


Who needs cryptocurrency-mining Trojans or worms, when you can infect someone via their web browser? That seems to be the thinking behind a new wave of cryptocurrency malware that’s loaded via websites and runs while you have a page open. In some cases, this may be the result of malware infecting a system, but in others, it’s a deliberate decision that’s being used to juice profits.

First, The Pirate Bay — a website for torrenting software, video, music, and other content that no ET reader has, or would ever consider visiting — has been caught running a cryptocurrency miner on some pages. Right now, the site is running a miner that mines Monero coins using CPU horsepower. The miner isn’t on every page, but it’s on some of them, likely causing CPUs to consume significantly more power than they would otherwise. You can block the miner using NoScript or a JavaScript blocker, but users are generally peeved that TPB didn’t make any kind of announcement or discuss that it would begin interleaving these ads on some search pages (individual torrent pages, according to Techdirt, are unaffected).

Meanwhile, in other news, new browser-based malware has been popping up that also leverages JavaScript and also mines coins on the visitor's hardware. In this case, we’re classifying the behavior as malware because it results in activity that the end-user hasn’t authorized or approved. Unlike other efforts, these JavaScript miners don’t download or install a utility onto the system.

ESET is classifying this as “malvertising” since it appears in ads, despite the fact that such CPU-intensive advertising is typically banned by ad networks. Then again, securing ad networks against malicious advertising has proven quite difficult, since ads these days are typically bid on in automated processes, and malvertising developers have created ways to spoof their own products as legitimate and evade the bad actor detection software deployed by most ad networks.

[Figure: monero-eset-fig-3, diagram of the injection process]

The diagram above shows the injection process. To date, Eastern European countries and Russia have been the primary targets, though malware attacks of this sort rarely stay neatly confined to just one site. Video and gaming websites have apparently been preferentially targeted, since end-users tend to spend more time on these sites and may be less likely to notice any increased noise or power consumption (due to fans spinning up), or will assume it’s caused by the game or video itself as opposed to cryptocurrency mining algorithms.


The companies implementing these solutions aren’t exactly being shy: the scripts peg CPU usage at 100 percent, at least on a dual-core machine. Like the Pirate Bay implementation, these scripts can be configured to mine Feathercoin, Litecoin, or Monero. That implies that these two events are potentially related, though it could also simply mean that both operations use cryptocurrencies with higher monetary value or more user interest. It could also reflect the ease of moving funds out of these cryptocurrencies and converting them into cash at various online exchanges.

Either way, keep an eye out for sites that peg your CPU usage or seem to intermittently load pages that do, without any clear indication as to why. If this attack method works in Eastern Europe, we could easily see it make its way to the United States as well. And while The Pirate Bay may be using this kind of miner on purpose, sites with automated advertising probably aren’t. Either way, the situation is worth watching.
