As online ads fail, sites mine cryptocurrency
Between the incessant headlines and chatter on social media, it feels like everywhere we go some libertarian evangelist appears asking us if we have a second to talk about the blockchain — like a religious wingnut lurking outside the grocery store.
The fever for a magic internet money no one actually understands is definitely something akin to religious fervor right now.
In the biggest example of blind faith yet, people are apparently mortgaging their homes to buy Bitcoin as it soars to previously unimagined value. At the time of publishing, one Bitcoin is worth over $16,000 — far above its worth this time last year when it was $807. But good luck finding places to spend it: Bitcoin is getting mainstream adoption, but you still can’t pay your credit card bill with it. The whole thing has a vibe that portends disaster, or at the very least, the beginning of a lot of stories about scammers making bank while normal people get hoodwinked.
So it’s no wonder that the always-sketchy, ever-scammy, and terminally exploitative online ad industry is starting to be replaced by cryptocurrency mining — the nonconsensual use of a website visitor’s computer to make more imaginary coins.
The trend emerged in September, yet it’s making news this week thanks to Twitter user Noah Dinkin spotting a Starbucks location overtaxing its customers’ machines to mine for the cryptocurrency Monero (without their knowledge). The Starbucks reward site for Argentina was using its portal to run Coinhive’s code (by way of injecting scripts, like a malware attack) to farm Monero coins on the machines of Starbucks customers who were using the coffee giant’s wifi. Starbucks still hasn’t responded to public inquiries about the cryptocurrency miner, causing speculation that the company may be purposely doing the illicit mining.
The wider public started to really hear about Coinhive in early September, with the Pirate Bay’s attempt to run a cryptocurrency miner off its website. The experiment, with Coinhive’s non-consensual use of computer resources to farm magic internet money, angered Pirate Bay’s visitors, who at first suspected foul play. There was a backlash, and Pirate Bay abandoned its Coinhive experiment.
Coinhive and Monero popped up in headlines again just a few weeks after that, at the end of September, when Coinhive was found on TV channel Showtime’s websites. The company never commented on the Coinhive issue, but speculation was that it was testing the new trend of supplementing advertising with cryptocurrency mining.
Soon after that, a new problem emerged with the rush to cash in on crypto coins: vulnerable IoT devices. Because of course if there’s anything else that can go wrong with your connected toaster and security-challenged baby monitor, it will. Now, these dumb devices are letting jerks creep into our homes to drain electricity and device resources to mine Monero. (And it takes a lot of electricity to mine these bubblelicious tokens of maybe-money.)
In October TrendMicro started documenting the rising trend of cryptocurrency mining malware and its use of smart home devices like “home routers, IP cameras, and even smartphones.” The company warned that “it takes a huge amount of power and resources to mine cryptocurrency, and the rising value will only motivate attackers to pursue it directly using more aggressive means.”
Monero is one of an infinite number of ridiculously named cryptocurrencies in circulation right now. Are they worth anything? Maybe! Let me consult some runes and get back to you.
Everyone knows Bitcoin, and other coins of similarly volatile, fluctuating value go by names such as Ethereum, Litecoin, Ripple, Monero, Zcash, Populous, TRON, Einsteinium … and so on. Monero bills itself as “a secure, private, untraceable cryptocurrency based on the CryptoNote protocol.” As of this writing, one Monero is worth $327.82. But good luck finding places to spend it.
Come back pop-up ads, all is forgiven
Coinhive and its method of farming are much more ubiquitous. Coinhive is a JavaScript library that mines Monero by using the CPU resources of users visiting websites. Coinhive’s shady website, which is blocked by most ad blockers, entices users to “Monetize Your Business With Your Users’ CPU Power” and “Run your site without ads.”
Which is exactly what some businesses have started doing. So have malicious hackers who are popping open websites and inserting the Coinhive code to run it without anyone knowing. Security blog BleepingComputer noted that “Coinhive has been recently adopted by a large number of malware operations, such as malvertisers, adware developers, rogue Chrome extensions, and website hackers, who secretly load the code in a page’s background and make money off unsuspecting users.”
Like with online advertising, which is generally considered unwanted, unsafe and prone to infectious malvertising, security-minded companies and ad blockers are lining up against the use of things like Coinhive. Ad blocker AdGuard calls it “crypto-jacking” and this week posted that the practice “has soared to even greater heights,” calling out four popular streaming sites for using it. Those sites are Openload, Streamango, Rapid Video, and OnlineVideoConverter.
In October Malwarebytes joined ad-block plugins in preventing Coinhive’s JavaScript from running in web pages, because “there are site owners who do not ask for their users’ permission to start running CPU-gorging applications on their systems,” and said Coinhive was the second most-frequently blocked website for its customers. More ad blockers, such as uBlock Origin, are taking up the charge by protecting unsuspecting users from Coinhive.
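For site owners who want to check their own pages for an injected miner, here is a simplified host-based check in the spirit of that blocking. It is an added example, not code from the article or from any of the products named. The one-entry blocklist, the sample HTML, its script paths and the `cdn.` subdomain are assumptions constructed for illustration.

```javascript
// Added example: flag external <script> tags served from a mining blocklist.
// Assumption: a one-entry list; real filter lists are far longer.
const BLOCKED_HOSTS = ['coinhive.com'];

// True when host equals a blocked domain or is a subdomain of it.
// Matching on a label boundary avoids substring false positives.
function isBlockedHost(host, blocked = BLOCKED_HOSTS) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return blocked.some((d) => h === d || h.endsWith('.' + d));
}

// Collect the src of every <script> tag, resolved against the page URL,
// so relative and protocol-relative (//host/path) sources are handled.
function externalScripts(html, pageUrl) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const raw = m[1] ?? m[2] ?? m[3];
    try {
      out.push(new URL(raw, pageUrl));
    } catch {
      // Unparseable src values are skipped rather than guessed at.
    }
  }
  return out;
}

// Return the full URLs of scripts loaded from blocked hosts.
function findMinerScripts(html, pageUrl) {
  return externalScripts(html, pageUrl)
    .filter((u) => isBlockedHost(u.hostname))
    .map((u) => u.href);
}

// Constructed sample page (not taken from any real site).
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script async src="//coinhive.com/lib/miner.js"></script>
<script src='https://cdn.COINHIVE.com/lib/x.js'></script>
<script src="https://notcoinhive.com.example.org/lib.js"></script>
</head><body></body></html>`;

console.log(findMinerScripts(SAMPLE_HTML, 'https://shop.example/rewards'));
```

A static scan like this only sees scripts present in the served HTML; a script added at runtime by other JavaScript needs a check of the live DOM or of network requests.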
The miners are now considered malware. Popular anti-DDoS service Cloudflare, which is busy trying to figure out how to let neo-Nazi sites back on their platform, took a more drastic step to block Coinhive scripts and sites that use them.
These security companies aren’t psychic: It’s crystal-clear that this kind of exploitation isn’t going away. It’s only going to get worse as blockchain’s fervor continues to mystify the wider public and consume the greedy and desperate with its lure of a quick buck. Which is pretty much the story of how everything on the internet sucks right now. I mean, it’s really neat to be subjected to the exploitation of another Libertarian fantasy wealth experiment gone wrong.
In other words, it’s time for less trust and more self-defense. Avoiding cryptocurrency miners isn’t going to be easy, but using products like uBlock Origin that are taking an early stand is a good place to start. So is blocking JavaScript (in browser settings).
Avoiding the blockchain version of Hare Krishnas, on the other hand, is going to be trickier. But totally worth it.