The trend of generating cryptocurrency is increasing, thanks to the growing popularity and rise in the value of the Bitcoin. Some use cryptocurrency mining software while some embed mining codes on their website and take advantage of visitors’ CPU time whenever they visit the site.

The Pirate Bay and CBS’s ShowTimes websites were some of the famous ones who were caught secretly generating Monero coin using JavaScript code provided by Coinhive. The general conception about website mining cryptocurrency is that once the user closes the site or browser tabs, the site stops using their CPU power. But according to the IT security researchers at Malwarebytes things are far from the truth.

Researchers have discovered “Persistent drive-by cryptomining” technique using which hackers and website owners can use visitors’ CPU power to generate Monero coins even after the browser window is closed.

To prove their findings, researchers conducted a test on Google Chrome browser and visited several websites that silently loaded cryptomining code. They’ve noted that the once on the site, the CPU activity increases but when the Chrome window is closed, the activity remains higher rather than going down, which means the visited site continued cryptomining.

According to the blog post by Malwarebytes’ Jérôme Segura, “The trick is that although the visible browser windows are closed, there is a hidden one that remains opened. This is due to a pop-under which is sized to fit right under the taskbar and hides behind the clock. The hidden window’s coordinates will vary based on each user’s screen resolution, but follow this rule: Horizontal position = ( current screen x resolution ) – 100 Vertical position = ( current screen y resolution ) – 40.”

“This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the “X” is no longer sufficient. The more technical users will want to run Task Manager to ensure there is no remnant running browser processes and terminate them. Alternatively, the taskbar will still show the browser’s icon with slight highlighting, indicating that it is still running,” added Segura.

Below is a GIF image that shows a Windows taskbar and user visiting websites that use cryptocurrency miner. It can be seen that once the user closes the browser tab, the CPU usage remains higher:

Websites use your CPU to mine cryptocurrency even if you close them
GIF credit: Malwarebytes

The new technique can be termed as a massive threat to users since hundreds of popular websites are secretly using CPU power of their visitors to mine Monero coin. At the same time, hackers and cybercriminals are taking advantage of the situation by compromising websites to mine cryptocoins.

CloudFlare, on the other hand, states that mining cryptocurrency without informing users is considered as malware, as users have no option to opt out of it or disable the code. The company even went on to boot off torrent proxy site “ProxyBunker.online” for secretly using Coinhive miner.

Leave a Reply