
Websites use your CPU to mine cryptocurrency even when you close your browser

Source: Ars Technica

 

Quote

hidden_mining.gif

 

Researchers have discovered a new technique that lets hackers and unscrupulous websites perform in-browser, drive-by cryptomining even after a user has closed the window for the offending site.

 

Over the past month or two, drive-by cryptomining has emerged as a way to generate the cryptocurrency known as Monero. Hackers harness the electricity and CPU resources of millions of unsuspecting people as they visit hacked or deceitful websites. One researcher recently documented 2,500 sites actively running cryptomining code in visitors’ browsers, a figure that, over time, could generate significant revenue. Until now, however, the covert mining has come with a major disadvantage for the attacker or website operator: the mining stops as soon as the visitor leaves the page or closes the page window.

 

Now, researchers from anti-malware provider Malwarebytes have identified a technique that allows the leaching to continue even after a user has closed the browser window. It works by opening a pop-under window that fits behind the Microsoft Windows taskbar and hides behind the clock. The window remains open indefinitely until a user takes special actions to close it. During that time, it continues to run code that generates Monero on behalf of the person controlling the Website. The animated GIF image at the top of this post shows the Windows task bar on the left. On the right is the offending browser window as the user removes it from its hiding place, resizes it, and finally closes it. In a blog post published Wednesday morning, Malwarebytes Lead Malware Intelligence Analyst Jérôme Segura wrote:

 

This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the “X” is no longer sufficient. The more technical users will want to run Task Manager to ensure there is no remnant running browser processes and terminate them. Alternatively, the taskbar will still show the browser’s icon with slight highlighting, indicating that it is still running.

So ransomware is old, cryptocurrency malware is the new kid. I don't think ransomware is going away anytime soon, but many anti-virus programs have some sort of behavior-blocking capabilities that can recognize known behavior of zero-day ransomware like accessing disk sectors or tampering with the master boot record, block its execution and even roll back malicious actions like unwanted encryption, and with that, malware authors probably saw a decrease in people paying ransom. Malware authors probably think why not just use their victim's PC to mine cryptocurrency without their permission.

 

What's worrisome about this new cryptocurrency malware is that it can evade ad-blockers. There are even Chrome extensions that are being used to mine cryptocurrency, and even pirated content website Pirate Bay is using stealthy miners to monetize traffic. AV vendor Bitdefender commented that these coin miners aren't full-fledged malware but most anti-virus programs including detect and block cryptocurrency miners if they are being executed without user permission and users are given the chance to whitelist them. Since an ad blocker is not going to prevent stealthy miners, the best way to prevent them is to stay away from piracy websites and to use an up-to-date security solution.

 

I once considered mining Ethereum after reading @Ryan_Vickers's post but I don't think what I'll earn from Ethereum is worth it since I don't have free electricity and I need an AMD graphics card.

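One way to check for a browser window hiding behind the taskbar from PowerShell, as an added example that is not part of the original post or the quoted article. The browser process names and the 25% threshold are assumptions; the script only reads window positions through standard user32 calls.

```powershell
# Added example: report visible browser windows that sit mostly outside every
# monitor's working area (the desktop minus the taskbar).
Add-Type -AssemblyName System.Windows.Forms, System.Drawing
Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
public static class Win {
    delegate bool EnumProc(IntPtr hWnd, IntPtr lParam);
    [StructLayout(LayoutKind.Sequential)]
    public struct RECT { public int Left, Top, Right, Bottom; }
    [DllImport("user32.dll")] static extern bool EnumWindows(EnumProc cb, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")] static extern bool IsIconic(IntPtr hWnd);
    [DllImport("user32.dll")] public static extern bool GetWindowRect(IntPtr hWnd, out RECT r);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    // Visible, non-minimised top-level windows.
    public static List<IntPtr> TopLevel() {
        var found = new List<IntPtr>();
        EnumWindows((h, l) => { if (IsWindowVisible(h) && !IsIconic(h)) found.Add(h); return true; }, IntPtr.Zero);
        return found;
    }
}
'@

$browsers = 'chrome', 'firefox', 'msedge', 'iexplore', 'opera'   # assumed process names
$minShare = 0.25   # assumed threshold: flag if under 25% of the window is on the desktop
$screens  = [System.Windows.Forms.Screen]::AllScreens

foreach ($hwnd in [Win]::TopLevel()) {
    [uint32]$procId = 0
    [void][Win]::GetWindowThreadProcessId($hwnd, [ref]$procId)
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    if (-not $proc -or $browsers -notcontains $proc.ProcessName) { continue }

    $r = New-Object 'Win+RECT'
    if (-not [Win]::GetWindowRect($hwnd, [ref]$r)) { continue }
    $win = [System.Drawing.Rectangle]::FromLTRB($r.Left, $r.Top, $r.Right, $r.Bottom)
    if ($win.Width -le 0 -or $win.Height -le 0) { continue }

    # Area of the window that overlaps a working area, summed over all monitors.
    $onDesktop = 0
    foreach ($s in $screens) {
        $i = [System.Drawing.Rectangle]::Intersect($win, $s.WorkingArea)
        $onDesktop += $i.Width * $i.Height
    }
    if ($onDesktop / ($win.Width * $win.Height) -lt $minShare) {
        [pscustomobject]@{ Process = $proc.ProcessName; Id = $proc.Id; Handle = $hwnd
                           Left = $win.Left; Top = $win.Top; Width = $win.Width; Height = $win.Height }
    }
}
```

Any row it prints is a browser window parked where the taskbar covers it; ending the listed process closes it, which is the Task Manager step the article recommends.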

Nothing makes me want to revisit a site like having a hidden pop up mining in the background. :x


Just now, DeadEyePsycho said:

Nothing makes me want to revisit a site like having a hidden pop up mining in the background. :x

Not only will it crank up CPU usage without user consent and make money from it, it can even evade ad blockers. 


Just now, hey_yo_ said:

Not only will it crank up CPU usage without user consent and make money from it, it can even evade ad blockers. 

How do you look behind the clock?


2 minutes ago, hey_yo_ said:

Not only will it crank up CPU usage without user consent and make money from it, it can even evade ad blockers. 

for now


2 minutes ago, Vandorlot said:

How do you look behind the clock?

Magic


3 minutes ago, Vandorlot said:

How do you look behind the clock?

Unlock your taskbar and drag it to one of the other sides.


I have a transparent taskbar, will I still not see it?  Also I have block pop ups selected in FF, does that not work?


If you can't see an open window on your taskbar, you're not very good with computers.


1 minute ago, mr moose said:

I have a transparent taskbar, will I still not see it?  Also I have block pop ups selected in FF, does that not work?

You can sort of see it.

 

Not all pop ups get blocked, can confirm from less than reputable sites I've visited (not really they just had bad ads).


This is a bit awkward, but I actually use the website they showed off as an example and this has never happened to me. Literally just closed that tab before coming here. Wonder how common it actually is.


Just now, Name Taken said:

Use extensions to block other extensions.

Again, ad blockers like uBlock Origin don’t prevent miners from running without consent 


13 minutes ago, Vandorlot said:

How do you look behind the clock?

Wut? What do you mean clock? 


9 minutes ago, DeadEyePsycho said:

can confirm from less than reputable sites I've visited (not really they just had bad ads).

*Points accusing finger at @DeadEyePsycho*

 

Sure, we understand "Not really bad"


The second Monero was conceived this was always going to happen.  Hard to not see it as having been the intention from the start tbh.  Hopefully Google/Chrome/Firefox start blacklisting them, it's completely unacceptable.


9 minutes ago, mr moose said:

Also I have block pop ups selected in FF, does that not work?

FF, much like every browser I've used outside of Safari, is very hit or miss on blocking pop ups. Safari is the only exception because I only go to LTT, YouTube, and Bing with it.


Just now, Name Taken said:

There are dedicated miner block extensions.

I didn’t know that miner blockers exist. As of now, most AV programs like Bitdefender which is the one I’m currently using will block miners that attempt to execute without my consent. 


2 minutes ago, hey_yo_ said:

Again, ad blockers like uBlock Origin don’t prevent miners from running without consent 

It actually does. Just try it, the bitcoin miner - list is enabled by default and it's set to block e.g. Monero. The list is actually quite large already.


4 minutes ago, MoonSpot said:

*Points accusing finger at @DeadEyePsycho*

 

Sure, we understand "Not really bad"


The second Monero was conceived this was always going to happen.  Hard to not see it as having been the intention from the start tbh.

Nah, just frowned upon by the government.


2 minutes ago, LeapFrogMasterRace said:

This is why we need to end net neutrality 

What does ending net neutrality have to do with cryptocurrency malware?


1 minute ago, hey_yo_ said:

What does ending net neutrality have to do with cryptocurrency malware?

Pretty sure he was just being facetious.


14 minutes ago, hey_yo_ said:

Wut? What do you mean clock? 

"Now, researchers from anti-malware provider Malwarebytes have identified a technique that allows the leaching to continue even after a user has closed the browser window. It works by opening a pop-under window that fits behind the Microsoft Windows taskbar and hides behind the clock."
 


Fairly sure uBlock Origin blocks all this cryptobullshit from happening.


4 minutes ago, SC2Mitch said:

Fairly sure uBlock Origin blocks all this cryptobullshit from happening.

Not all, at least from me using it with Firefox. I couldn't find any sites opening a separate window, so maybe uBlock is preventing those, but I'm fairly certain that some pages worked, as I went to some of the sites from the article and usage spiked way up. (Also to clarify, some of the sites were blank with just the script, so I'm fairly certain that it isn't a false flag for that type of page.)
