

JavaScript code hidden in adverts served up by ad networks covertly mines various cryptocurrencies directly inside your web browser, new research by a team of security experts reveals. The security researchers at We Live Security discovered the custom JavaScript code being executed in adverts that appear on a number of Russian and Ukrainian websites.

Cryptocurrency web mining: In union there is profit | We Live Security - 09/14/2017

In the last months, we stumbled upon some JavaScript files apparently used to mine cryptocurrencies directly within the browser. For a long time now, cybercriminals have taken advantage of cryptocurrency mining in order to make a profit. However, they generally use malware or potentially unwanted applications they install on the victim’s machine in order to turn a dishonest penny.

In this particular case, the mining is performed directly within the browser when the user browses to certain websites. Thus, there is no need to infect the victim’s machine or to exploit vulnerabilities. All that is needed is a browser with JavaScript activated, which is the default state of most browsers.

The code used in this new malvertising campaign is an updated version of MineCrunch, a script originally developed and released back in 2014.


Unlike traditional GPU crypto mining setups, this technique uses the CPU to mine a choice of either Monero, Litecoin or Feathercoin. To obfuscate processor use and to maximize mining time, this modified code has mainly been executed on movie streaming and in-browser gaming websites, due to the length of time people spend on these types of sites and their already high CPU usage.


Whilst looking into this I found a new cryptocurrency called JSE Coin, which seems to do pretty much the same thing, albeit a little more legally. Rather than injecting the mining code into your browser using adverts, the code is offered to website owners and webmasters, who can add it to their own websites to mine the JSE Coin for themselves via visitors' browsers.


Website visitors carry out the mathematical hashing process in the background while browsing a website using excess CPU power which would be otherwise wasted. An unobtrusive code snippet placed on the website runs in the browser while a visitor is on the page. This provides the hashing functionality required to secure the blockchain.
Website visitors are made aware of the mining with a privacy notification and given a chance to opt-out.

I did a bit of analysis on the JSE Coin website (archived version for anyone not wanting to mine). I used the Tor Browser, which has JavaScript disabled by default, and I found the overall processing power used on this site to be on average about 20-25%.

JavaScript Enabled


JavaScript Disabled


When you first visit a website that has this script embedded, a small disclaimer banner appears for about 5 seconds at the bottom of your browser window and then disappears, even if you hover your mouse pointer over it. I have tried the JSE Coin website and a few others that also have the code enabled and it seems that this banner only appears once when you first visit. Repeat visits did not make the banner show up again.


Although this is a pretty unique idea and one that could be used instead of adverts to help monetize websites, I feel they are going about it in the wrong way. They seem to be only doing the minimum possible to inform people of exactly what is happening. This to me feels like they are trying to hide something from a website visitor instead of being up front from the beginning.

It isn't the first time this has been tried. In 2011 a group called Bitpit tried the same thing with Bitcoin mining but was unsuccessful and shut down 2 months later due to the increased difficulty of the hashes.


Then in 2013 a group of MIT students received a subpoena from the New Jersey Attorney General's Division of Consumer Affairs office after forming a company called Tidbit, which did basically the same thing but without providing a disclaimer or an option to opt out on the websites that used their code.

Press Release | NJ Consumer Affairs - 05/26/2015

A New Jersey Division of Consumer Affairs investigation has found that, despite initial assertions by Tidbit's developer, the software was used to gain access to computers owned by persons in New Jersey, without the computer owners' knowledge or consent.

The Division further found that the developer of Tidbit offered and provided the software to web developers without reviewing their privacy policies, and without having any control, compliance, or review mechanism in place. The Division alleges that these actions constituted violations of New Jersey's Computer Related Offenses Act and Consumer Fraud Act.

For a long time people have been wanting a different model other than adverts to monetize their websites. The advertisement model is outdated, intrusive and ugly. This JavaScript browser mining model on the whole does seem like a good idea, as long as visitors to websites using it fully understand what is going on and have a clear and simple way of opting out if they wish to. Maybe an opt-in option should be available instead of being opt-in by default. At the moment it doesn't seem like it's an alternative to advertising but an addition to monetizing websites, as most of the websites I went to that are employing this code are also still running adverts.

Please leave your thoughts below, as it'd be great to hear any of your comments and concerns regarding this new way of making money from websites.




Very interesting, could this be a new way to legally monetize websites in the future? Together with micropayments this could fuel the next wave of internet innovation and provide content creators with much needed revenue.


Sure thing. Hopefully it would help content creators to not be tied into adverts. There's certainly a long way to go before it becomes the norm.

I only became aware of this sort of thing within the last few days, but an acquaintance of mine said that this sort of thing has been going on since circa 2014, which kinda shocked me.

In my humble opinion, if you don't know about it (know being the key definition, here), it's invasive, underhanded, 'black hat' and thus on the same level as malware/spyware, and it should be treated as such.


I agree. It's been going on since 2011 as far as I can tell.

Knowing about it is definitely the key.


2011? That's fairly disturbing.

I wonder how many times I've unknowingly helped someone mine bitcoin or another altcoin?

More reasons why I love NoScript for my browsers.


Same here. I much prefer to be able to choose what I run and don't run.

Hi, thanks for your review of JSEcoin. We appreciate all feedback on the site/platform as it lets us know what people like and don't like and what we can do better, although we feel that “only doing the minimum possible” is a little harsh.

The banner is programmed to reappear once every hour per site. We felt this would minimise the impact on the user's experience of the site, especially if they were navigating through numerous different pages. We are keen to hear some other views on this and actually have a thread open in our forum specifically for any feedback relating to the privacy notice, so any input into this is appreciated.

We are keen to maintain transparency about the mining taking place and agree that this is key to large scale adoption of the concept.

This may be less visually invasive than using advertising for generating website revenue, but as we all know (or should), much online advertising now uses invasive and invisible methods without consent, such as tracking, monitoring, system fingerprinting, etc.

Transparency and consent are just as necessary for this to be a legitimate rather than insidious practice.

Thanks for sharing, resteemed.

This is preferable to ads for consumers for sure. I personally am excited for JSEcoin as a developer. I think it could be the future of monetization for independent developers, not so much large scale applications.


True. But I hope there is a lot more transparency when it comes to letting people know their computer power is being used, and I also hope that it could be an alternative to adverts rather than being used alongside adverts.

This is pretty genius. Thanks for the post!! Voted and resteemed!


I think only time will tell.
Thanks for your support.

Maybe that's why my battery lasts less and less each day ;P
Interesting alternative to the current advertisement model.
I think the Brave Browser + BAT crypto is better though.


Yes there is certainly a power and hardware payoff when this type of stuff is implemented into your browser.
I shall have a look into Brave Browser and BAT.

fascinating... trying to now figure out how the market will self-regulate in response to this...


Yes it could be a game changer if it's open and transparent enough.

next evolution in digital space


Could quite possibly be. mining is down from 2 days, on browser.


It was working about an hour ago.

Thank you @fortified. Very informative!👌


No probs

From a legal standpoint, running arbitrary JavaScript code is not breaking the law. Mining crypto with a website isn't a problem at all.

My own site does this. (Micro earnings crypto site).

The issue is when they hide it.

The earnings are abysmal. There is a reason it hasn't been more widely used. But as an accomplishment, it is pretty darn cool. And hopefully can find a niche to be worthwhile in.

Basically, I think it's all in how you use it. If I add tons of hidden ads to my site, I'm a thief stealing from advertising companies. But if I use them in their proper place, as they are meant to be used, I'm just a smart businessman.

My 2 cents, anyhow.

@fortified That's why I never prefer to run JavaScript on my browser after getting knowledge about cryptocurrency mining. Great post BTW.