How to Block Cryptomining Scripts in Your Web Browser
As the value of cryptocurrencies like Bitcoin and Monero has soared, a more sinister trend has emerged. Cybercriminals have found ways to exploit the computing power of unprotected computers for cryptocurrency mining. These calculations require significant CPU resources and electricity, so hackers use mining scripts in browsers to illegally harness other people’s computers (a practice known as cryptojacking) to mine cryptocurrencies for free.
What Is Cryptojacking?
Like ransomware, cryptominers are not a new phenomenon. Since around 2011, it’s been possible to use computer resources to mine Bitcoin without specialized or powerful hardware. However, cybercriminals only began developing malware for this purpose after the cryptocurrency boom in mid-2017.
They realized that by infecting someone else’s computer with malware, they could force it to do the mining work while the criminals pocketed the profits. Multiply that by 1,000 or even 1,000,000 infected computers, and it’s easy to see why malicious cryptominers have become so widespread.
Attackers have also increased their profits by combining different types of malware. For example, a user who clicks a phishing link or opens a malicious attachment might get infected with both cryptomining malware and ransomware. The attacker chooses which to activate based on factors like the computer’s hardware and software configuration and which attack is likely to be more profitable.
How Illegal Cryptomining Works
Cybercriminals use various methods to infect computers, from targeting individual PCs and mobile devices to compromising popular websites and spreading malware to all visitors. Phishing remains a highly popular infection method. In some cases, worm components are used, allowing the malware to spread across networks from one machine to another.
The EternalBlue exploit, which was used to spread the WannaCry ransomware during the 2017 global epidemic, is still used to distribute malicious cryptomining software. Unlike ransomware, most cryptomining victims have no idea their resources are being stolen, except for a vague sense that their system is running slower than usual.
Fake software updates are another common infection method, such as malicious downloads disguised as legitimate Adobe Flash Player updates. Another widespread tactic is injecting a malicious mining script into a legitimate website or an online ad block displayed on many sites. When a victim visits the site or their browser loads the ad, the cryptomining process begins, stealing resources and profits without the user’s knowledge.
Cryptomining malware developers have learned from early mistakes. Today, it’s rare to see malware that uses 100% of a victim’s CPU, which would cause noticeable slowdowns and prompt users to take action. Newer cryptomining malware is more subtle, using only about 20% of CPU power and running intensive calculations during idle times. This allows cryptominers to steal resources undetected for long periods.
Worse yet, you don’t need to be a highly skilled programmer to get into illegal mining. Like other malware kits, cryptojacking-as-a-service can be purchased for as little as fifty cents. The privacy and anonymity features of some cryptocurrencies, like Monero and Zcash, also make it much harder to track and catch criminals.
Notorious Cryptojackers
- Smominru: Perhaps the most infamous cryptocurrency botnet, Smominru consisted of over 520,000 machines and earned its operators more than $3 million in Monero by January 2018. It was based on the EternalBlue exploit, also used in the WannaCry ransomware epidemic.
- BadShell: Smart cryptominers like BadShell hide in legitimate processes such as Windows PowerShell, running hidden mining scripts. Most traditional antivirus programs can’t detect this threat because they trust signed Windows executables by default.
- Coinhive: Originally designed as a legitimate website monetization tool, Coinhive’s mining code became the world’s largest cryptojacking threat.
- MassMiner: MassMiner is notable for using multiple exploits for different vulnerabilities in a single payload. Exploiting unpatched flaws in Oracle WebLogic, Windows SMB, and Apache Struts, it earned its creators about $200,000 in Monero.
- Prowli: Prowli is a large botnet of over 40,000 infected web servers, modems, and other IoT devices used for cryptocurrency mining and redirecting users to malicious sites. Part of Prowli is a password-guessing worm that helps spread the Monero miner. In some cases, the botnet also installs backdoors on infected systems.
- WinstarNssMiner: In just three days in May 2018, WinstarNssMiner infected over half a million systems. If it detects effective antivirus software, it stays dormant, activating only on poorly protected systems. Worse, trying to remove WinstarNssMiner can crash the infected system.
The Cost of Cryptomining
To understand cryptomining, it’s important to know how cryptocurrencies work. These digital currencies are based on cryptography (hashing algorithms) that record financial transactions. Only a certain number of hashes are available, which helps determine the value of each unit.
Creating new cryptocurrency units involves solving complex mathematical problems. The first person to solve the problem earns a reward in that cryptocurrency. This means legitimate miners must invest in server farms, massive amounts of electricity, and cooling systems to maintain mining efficiency as the number of available coins decreases.
The Spread of Cryptomining
Browser mining scripts aren’t inherently malicious. Some websites experiment with them as a potential revenue source to replace online ads. For example, Quartz was one of the first sites to try this approach, asking users for consent to use their computers’ resources in exchange for access to the site.
Unfortunately, criminals have abused this idea. Instead of investing in the infrastructure needed for legitimate mining, they use browser mining scripts to avoid those costs. Whether it’s Coinhive offering Monero mining tools for websites or alternatives like EObot and Awesome Miner using browser-based Bitcoin miners, criminals have plenty of tools at their disposal.
How to Tell If Your Computer Is Infected
If your computer suddenly slows down or your battery drains unusually fast, you might have been compromised. How can you check?
- Open the Windows Task Manager or macOS Activity Monitor and click on “Processes.”
- If you see your browser using excessive resources, close and restart it. Unfortunately, this won’t tell you which site was running the mining script.
It can be hard to notice. While older scripts maxed out your CPU, newer cryptomining scripts use only up to 20%, making them harder to detect.
How to Stop Cryptomining in Browsers
Although these attacks are harder to identify, there are steps you can take to reduce your vulnerability to browser-based cryptomining.
Use Browser Extensions
Most popular web browsers now support extensions that can help block cryptomining attacks. These include both browser-developer solutions and open-source add-ons. For example, No Coin and MinerBlocker monitor suspicious activity and block attacks, and both have extensions available for Chrome, Opera, and Firefox.
Ad-Blocker Software
With the rise of cryptomining malware, many ad blockers now include Coinhive blockers that filter out mining scripts in your browser. If you use an ad blocker, make sure to enable this script-blocking feature.
Disable JavaScript
If you want to block certain attacks completely, most browsers allow you to disable JavaScript. However, many legitimate sites still use JavaScript, so disabling it may cause problems.
Block Domains
You can also block specific domains you suspect of cryptomining. Open your browser’s settings menu and block the URL. To block Coinhive, for example, copy and paste https://coin-hive.com/lib/coinhive.min.js into the block list.
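The domain blocking described here, and the script filtering that ad blockers and extensions perform, both come down to checking the host of each script a page loads against a block list. The following is an added example, not code from the article or from any of the extensions it names; the function names, the miner.example entry and the sample page are constructed for illustration.

```javascript
// Hostnames to block. coin-hive.com is the domain named in the article;
// miner.example is a constructed placeholder.
const BLOCKED_HOSTS = ["coin-hive.com", "miner.example"];

// True when host equals a blocked entry or is a subdomain of one.
// Matching on label boundaries avoids the false positives a substring
// test would give for a look-alike such as "notcoin-hive.com".
function hostIsBlocked(host, blocked = BLOCKED_HOSTS) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  return blocked.some((b) => h === b || h.endsWith("." + b));
}

// Resolve a script src against the page URL (covers relative and
// protocol-relative forms) and decide whether the request is blocked.
function shouldBlockScript(src, pageUrl) {
  let url;
  try {
    url = new URL(src, pageUrl);
  } catch {
    return false; // unparsable src: nothing would be fetched
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return hostIsBlocked(url.hostname);
}

// Collect the script src values in a page that the list would block.
// The regex scan is a simplification; a real blocker hooks network requests.
function findBlockedScripts(html, pageUrl) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const srcs = [...html.matchAll(re)].map((m) => m[1]);
  return srcs.filter((s) => shouldBlockScript(s, pageUrl));
}

// Constructed sample page: two miner loads, one local script, two look-alikes.
const SAMPLE_HTML = `
<script src="https://coin-hive.com/lib/coinhive.min.js"></script>
<script src="//CDN.Coin-Hive.com/worker.js"></script>
<script src="/static/app.js"></script>
<script src="https://notcoin-hive.com/lib.js"></script>
<script src="https://cdn.example/coin-hive.com/lib.js"></script>`;

console.log(findBlockedScripts(SAMPLE_HTML, "https://news.example/article"));
```

Blocking only the single file URL leaves other paths and subdomains of the same host reachable, which is why the sketch matches on the hostname rather than the full URL.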
Conclusion
Blocking mining scripts in your browser is an important step to ensure your system’s integrity and performance, and it’s not difficult to take the necessary precautions to protect your computer.
However, keep in mind that many cryptojackers today don’t rely on browsers. Instead, they are standalone programs that directly infect your system.
Hopefully, you’re using licensed antivirus software. While there are many free antivirus options on the market, are they enough? That’s up to you to decide!