JavaScript code hidden in adverts served up by ad networks covertly mines various cryptocurrencies directly inside your web browser, new research by a team of security experts reveals. The security researchers at We Live Security discovered the custom JavaScript code being executed in adverts that appear on a number of Russian and Ukrainian websites.
Cryptocurrency web mining: In union there is profit | We Live Security - 09/14/2017
The code used in this new malvertising campaign is an updated version of MineCrunch, a script originally developed and released back in 2014.
Unlike traditional GPU crypto mining setups, this technique uses the CPU to mine a choice of either Monero, Litecoin or Feathercoin. To obfuscate processor use and to maximize mining time, this modified code has mainly been executed on movie streaming and in-browser gaming websites, due to the length of time people spend on these types of sites and their already high CPU usage.
Whilst looking into this I found a new cryptocurrency called JSE Coin, which seems to do pretty much the same thing, albeit a little more legally. Rather than injecting the mining code into your browser using adverts, the code is offered to website owners and webmasters, who can add it to their own websites to mine JSE Coin for themselves via visitors' browsers.
Website visitors carry out the mathematical hashing process in the background while browsing a website using excess CPU power which would be otherwise wasted. An unobtrusive code snippet placed on the website runs in the browser while a visitor is on the page. This provides the hashing functionality required to secure the blockchain.
Website visitors are made aware of the mining with a privacy notification and given a chance to opt-out.
I did a bit of analysis on the JSE Coin website (archived version for anyone not wanting to mine). I used the Tor Browser, which has JavaScript disabled by default, and I found the overall processing power used on this site to be on average about 20-25%.
When you first visit a website that has this script embedded, a small disclaimer banner appears for about 5 seconds at the bottom of your browser window and then disappears, even if you hover your mouse pointer over it. I have tried the JSE Coin website and a few others that also have the code enabled, and it seems that this banner only appears once, when you first visit. Repeat visits did not make the banner show up again.
Although this is a pretty unique idea, and one that could be used instead of adverts to help monetize websites, I feel they are going about it in the wrong way. They seem to be only doing the minimum possible to inform people of exactly what is happening. This to me feels like they are trying to hide something from a website visitor instead of being up front from the beginning.
It isn't the first time this has been tried. In 2011 a group called Bitpit tried the same thing with Bitcoin mining but were unsuccessful and shut down 2 months later due to the increased difficulty of the hashes.
Then in 2013 a group of MIT students received a subpoena from the New Jersey Attorney General's Division of Consumer Affairs after forming a company called Tidbit, which did basically the same thing but without providing a disclaimer or an option to opt out on the websites that used their code.
Press Release | NJ Consumer Affairs - 05/26/2015
A New Jersey Division of Consumer Affairs investigation has found that, despite initial assertions by Tidbit's developer, the software was used to gain access to computers owned by persons in New Jersey, without the computer owners' knowledge or consent.
The Division further found that the developer of Tidbit offered and provided the software to web developers without reviewing their privacy policies, and without having any control, compliance, or review mechanism in place. The Division alleges that these actions constituted violations of New Jersey's Computer Related Offenses Act and Consumer Fraud Act.
For a long time people have been wanting a different model other than adverts to monetize their websites. The advertisement model is outdated, intrusive and ugly. This JavaScript browser mining model on the whole does seem like a good idea, as long as visitors to websites using it fully understand what is going on and have a clear and simple way of opting out if they wish to. Maybe an opt-in option should be available instead of being opt-in by default. At the moment it doesn't seem like it's an alternative to advertising but an addition to monetizing websites, as most of the websites I went to that are employing this code are also still running adverts.
Please leave your thoughts below, as it'd be great to hear any of your comments and concerns regarding this new way of making money from websites.
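The opt-in model suggested above, sketched as an added example (not code from JSE Coin, Tidbit or any other project mentioned here). It treats a banner that times out or is dismissed as "no decision" rather than consent, and keeps showing the notice on repeat visits until the visitor chooses. The storage key, event names and function names are all hypothetical.

```javascript
// Added example: a consent gate that a site would consult before loading any
// mining script. It contains no mining code; it only decides whether loading
// is permitted. All identifiers here are hypothetical.
const CONSENT_KEY = "miningConsent";

// In-memory stand-in for window.localStorage so the example runs offline.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

function createConsentGate(storage) {
  // Anything other than an explicit stored choice counts as "undecided".
  const read = () => {
    const v = storage.getItem(CONSENT_KEY);
    return v === "granted" || v === "denied" ? v : "undecided";
  };
  return {
    state: read,
    // Show the notice on every visit until the visitor has actually decided.
    shouldShowNotice: () => read() === "undecided",
    // Only an explicit "allow" ever permits the miner to load.
    mayMine: () => read() === "granted",
    // event: "allow" | "deny" | "timeout" | "dismiss"
    handle(event) {
      if (event === "allow") storage.setItem(CONSENT_KEY, "granted");
      else if (event === "deny") storage.setItem(CONSENT_KEY, "denied");
      // "timeout" and "dismiss" record nothing: silence is not consent.
      return read();
    },
    // A visitor can withdraw consent at any time.
    revoke() { storage.setItem(CONSENT_KEY, "denied"); return read(); },
  };
}

// Constructed sequence of visits by one visitor, sharing one storage object.
function simulateVisits(events) {
  const storage = memoryStorage();
  return events.map((event) => {
    const gate = createConsentGate(storage); // fresh page load
    const shown = gate.shouldShowNotice();
    if (shown && event) gate.handle(event);
    return { shown, mayMine: gate.mayMine() };
  });
}

// Banner times out, visitor returns and ignores it, then opts in, then returns.
console.log(simulateVisits(["timeout", null, "allow", null]));
```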