What's worse than annoying ads on a website? A crypto miner on a website!
Over the last couple of weeks there has been a lot of talk about Coinhive, a service that claims to provide an alternative to advertising for monetizing site visits for site owners. All the site owner has to do is embed the Coinhive JavaScript code in their site in order to utilize site visitors' CPUs to mine the Monero cryptocurrency, with the payment delivered to the site owner's wallet. Sounds simple? Everybody wins? Not quite. Before we get into the bad, let's start with the worst: cybercriminals also hopped on this train.
We recently released detection logic in Trustwave SWG to block Coinhive. The short reason for this decision is that the end user is the only loser when it comes to Coinhive. For the long reason, including numbers, coins, cybercriminals and dollars, read on!
The hype started when The Pirate Bay began to test mining on their site as a replacement for ads. Unfortunately a typo in their code caused the miner to use up all available CPU cores, pushing CPU usage for many users visiting the site up to 99%. Whether or not you believe it was a typo, this will be an interesting data point later on.
Let's face it, nobody really likes ads. We accept them as part of the reality of the internet just as we accepted TV and radio ads in their time. However, in some cases ads evolve into a monstrosity of pop-ups and pop-unders, endless confirmation boxes when you try to close them and, last but not least, malicious advertising. Sometimes even website owners, who only want to monetize a small slice of their site's real-estate, wind up having to deal with these intrusive ads trying to take over the entire page or infect their visitors. Given all of this it's not necessarily surprising when site owners are tempted to try an alternative to generating revenue which seemingly has a far less intrusive effect on the user experience. At least so they think.
The problem is that Coinhive uses the visitor's CPU to mine cryptocurrency (Monero/XMR specifically), and depending on the settings provided by the site owner, this mining process can eat up all of the machine's processing power, causing your browser to suddenly take up 100% of your CPU time. That is not something we consider a "better" alternative to ads.
Consider a developer working at a company: they kick off the compilation of some code and go to their favorite news site to pass the time until it's done. Unfortunately the site is using Coinhive, and suddenly the compilation is taking much longer. Meanwhile, IT receives a call from users complaining that their machines are slow. The IT department is confused, since the machines are maybe a year old and the users claim all they have open is a word processor and maybe a website or two.
The above scenario may sound overly dramatic, but various studies and surveys have looked into the causes of annoyance and lost productivity among employees, and "slow computers" are consistently in the top 3 reasons.
Apart from the direct impact of your CPU being used up, there are also related issues such as generating more heat, generating more noise, and generating higher electric bills. Let's talk a little more about the latter.
We'll start off by explaining that mining cryptocurrency is essentially a tradeoff of computational resources for a currency that holds monetary value. A positive ROI is, of course, mining more than you invest and your investment here is mainly in the form of electricity to power the ongoing mining process. There is an entire industry formed around building machines that help optimize this balance, but we won't get too deep into that.
Instead, we decided to run our own little test and see what we came up with. We took a fairly standard desktop machine and measured its power consumption over the course of a day to get a baseline of its usual habits, then we had the same machine spend the next day on a website using the default Coinhive miner. This is what we found:
The machine we used consumed 1.212kWh more over a period of 24 hours, which doesn't really sound like much… How this translates into cost differs quite a lot between countries but we did look at a few numbers to get a better idea of price per kWh (all prices in USD):
In the United States the price is between 8 and 14 cents, so about $2.90 to $5 per month added to your electric bill. For unfortunate Hawaiians the price jumps up to 29 cents, or roughly $10.50 a month.
In Singapore, the tariff is 15 cents per kWh which adds $5.45 to the monthly bill.
In Germany, considered a fairly expensive European country in this regard, the price is 34 cents, or roughly $12.30 a month.
In Australia, the price is between 27 and 38 cents depending on where you live, so about $9.80 to $13.80 added to your monthly electricity bill.
As you can see, the variation is fairly wide as you examine different areas in the world, and additional factors such as overall consumption and times of day sometimes also affect these prices depending on where you live.
Of course, this is assuming the miner is running at full-force all the time, which might seem a little crazy until you think about how many corporate users actually turn their PCs off when they go home at the end of the day. As for the "full force" part, a decent site owner would limit this to something more reasonable, but that would require them to read the documentation on the Coinhive site and understand how this really works.
So one might claim that Coinhive is really just providing a platform and that this is all on their users and how they use the service. However, it certainly doesn't feel like Coinhive made any effort to encourage fair use of it.
Let's start with their miner guide:
Figure 1: Basic Coinhive miner instructions
Just embed the code and start! No further instructions on how to configure this. But surely they would have set some reasonable default values for this?
Figure 2: Default configuration options
So the default number of threads is set to the maximum available cores on the machine, and the default time to be spent idle is 0. The default is everything, all the time.
Which brings us back to the point from The Pirate Bay's story, with these sort of defaults a typo could very well be the difference between mining at a reasonable rate and full-force mining.
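As an added example (not code from the post, nor Coinhive's own), here is a gateway-side scan that finds the publicly documented Coinhive embed in a fetched page and reports whether the snippet leaves the defaults described above in place (no throttle, a thread per core). The sample pages and the site key 'EXAMPLE_SITE_KEY' are constructed; the regexes follow the documented constructor shape CoinHive.Anonymous / CoinHive.User with an optional threads/throttle options object.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Documented constructor shape: new CoinHive.Anonymous(siteKey[, opts])
# or new CoinHive.User(siteKey, userName[, opts]); opts may carry threads/throttle.
CTOR_RE = re.compile(
    r"new\s+CoinHive\.(Anonymous|User)\s*\(\s*['\"]([^'\"]+)['\"]"  # constructor and site key
    r"(?:\s*,\s*['\"][^'\"]*['\"])?"                                  # optional user name
    r"(?:\s*,\s*(\{[^}]*\}))?",                                       # optional options object
    re.IGNORECASE,
)

@dataclass
class MinerFinding:
    constructor: str
    site_key: str
    threads: Optional[int]  # None = library default: one thread per CPU core
    throttle: float         # library default 0 = no idle time between hashes

    @property
    def full_force(self) -> bool:
        # Every core, all the time: the default behaviour the post describes
        return self.throttle == 0 and self.threads is None

def scan_for_coinhive(html: str) -> list:
    """Return one MinerFinding per Coinhive constructor call found in the page."""
    findings = []
    for ctor, key, opts in CTOR_RE.findall(html):
        threads = re.search(r"threads\s*:\s*(\d+)", opts or "")
        throttle = re.search(r"throttle\s*:\s*([0-9]*\.?[0-9]+)", opts or "")
        findings.append(MinerFinding(
            constructor=ctor,
            site_key=key,
            threads=int(threads.group(1)) if threads else None,
            throttle=float(throttle.group(1)) if throttle else 0.0,
        ))
    return findings

# Constructed sample pages (placeholder site key): the first copies the
# quick-start snippet unchanged, the second configures threads and throttle.
DEFAULT_PAGE = """<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('EXAMPLE_SITE_KEY'); miner.start();</script>"""
THROTTLED_PAGE = """<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.User('EXAMPLE_SITE_KEY', 'visitor1', {threads: 2, throttle: 0.5}); m.start();</script>"""

if __name__ == "__main__":
    for page in (DEFAULT_PAGE, THROTTLED_PAGE):
        for f in scan_for_coinhive(page):
            print(f.constructor, f.site_key, "FULL FORCE" if f.full_force else "throttled")
```

A gateway can use the same finding to block the page outright, or to log only the unthrottled cases.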
And if you're wondering how many Coinhive users did read the documentation properly, a security researcher on Twitter brought up the following question about a line from Coinhive's documentation:
Has anybody actually seen a website using #coinhive crypto mining in the background that tells their users about it?!? 🤔 pic.twitter.com/aOJAvBJVUD
— Armin Buescher (@armbues) September 29, 2017
We took this question as a challenge and ventured off to try and find such a user… And we did. So congratulations to Jonathan M. Hethey, you seem like an upstanding kind of guy!
It is always the responsibility of a developer using someone else's code to understand how it works, but it is also the responsibility of someone writing code of this nature to help people using it to make good use of the code.
Of course, Coinhive has no interest in helping users do that, which leads us to the topic of money.
30% of the mined currency goes to Coinhive themselves, the other 70% go to the site owner. The power company gets what the user pays for the mining process and the user themselves? Well, hopefully they get an internet browsing experience with no ads. We already know how much the power company makes off of this, but what about Coinhive and the site owner?
It's quite hard to predict profits from mining because it's a bit of a luck game as to who solves an equation first (to put it in simple terms), but the more processing power, or hashes per second (H/s) you have, the better your odds are for a payout. Based on this there are some sites to help you calculate your estimated profit over a period of time.
Luckily Coinhive published statistics on their blog regarding their hashrates on their first week:
Figure 3: Coinhive hashrates from their first week
As you can see, it's rising rather rapidly, but let's take a rather conservative figure of 5M H/s. Monero.how provides a calculator/estimator of profit:
Figure 4: Profit calculator on Monero.how
So for that hashrate the estimated profit is $2.96 million a year. That's $247k a month, $8.2k a day, of which Coinhive receives $2.4k daily. And end-users around the world pick up the bill.
Still not convinced?
We've all witnessed before how quickly the cybercrime community can adopt new trends when it sees an opportunity to profit, and we also know that it is already well-versed at injecting malicious code into compromised web servers. Typically this is exploited by injecting redirection code into the site, which then loads various additional redirects and ends up at an exploit kit landing page or some other form of client-side exploitation. Imagine if you could cut many of those steps out, and instead of having to set up an entire infrastructure to manage exploitation and worry about things like your exploit success rate, you could simply inject code into the server which will cause the site's visitors to mine cryptocurrency directly into your wallet. Not only that, site visitors couldn't even tell whether it was you or the site owner who put it there. Brilliant! Cybercriminals thought so too.
Looking at some of our telemetry on this we encountered one large campaign originating mostly from adult sites via PopAds network that repeatedly landed on this page:
Figure 5: download-xyz[.]com/yen/ – a landing page that doesn't do anything except mining Coinhive
What is far more interesting is that, along with HTTP referrers originating at PopAds, we noticed many random referrer domains with a ".bid" TLD that looked like PopAds URLs and led to this same miner at "download-xyz[.]com/yen/":
hxxp://bhbkfoybvrl[.]bid/uNDjIE[.]htm?i=5167412&m=1445646835&n=1506982948&k=2219369748&e=345&j=%21Knnn%[…snip..]VoFMxJJnZPSGazSP
hxxp://tvxcesibr[.]bid/p[.]asp?f=5167412&h=866654706&w=1506970531&m=2219366006&l=345&y=%[…snip…]i%2BA
hxxp://serve[.]popads[.]net/s?cid=5167412&iuid=427139971&ts=1506983115&ps=2219369825&pw=365&pl=%2[…snip…]V%2F
At first we thought that this might be some actor trying to impersonate PopAds, but the IPs of those servers were suspiciously close:
tvxcesibr.bid [216.21.13.14]
bhbkfoybvrl.bid [216.21.13.15]
serve.popads.net [216.21.13.10]
As we found out, these domains actually do belong to PopAds, and if you access them directly, you will find the Coinhive miner there as well. Wasn't this miner supposed to be a replacement for ads…?
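The two observations above (referrers that reuse the PopAds query values under different parameter names, and referrer hosts resolving next door to PopAds' own server) can be turned into a simple correlation check. This is an added example, not the post's or Trustwave's code; the referrer log is constructed from the URLs and IPs quoted above (defanging removed, truncated tails dropped), plus one unrelated host, and "suspiciously close" is taken here to mean the same /24, which is an assumption.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qsl, urlsplit

# Reference referrer from the ad network named in the post and the IP it resolved to.
KNOWN_URL = "http://serve.popads.net/s?cid=5167412&iuid=427139971&ts=1506983115&ps=2219369825&pw=365"
KNOWN_IP = "216.21.13.10"

# Constructed referrer log: (referrer URL, IP the referrer host resolved to).
# The first two mirror the .bid URLs quoted in the post; the third is an
# unrelated site that happens to carry the same number in a query value.
REFERRER_LOG = [
    ("http://bhbkfoybvrl.bid/uNDjIE.htm?i=5167412&m=1445646835&n=1506982948&k=2219369748&e=345", "216.21.13.15"),
    ("http://tvxcesibr.bid/p.asp?f=5167412&h=866654706&w=1506970531&m=2219366006&l=345", "216.21.13.14"),
    ("http://news.example/story?id=5167412", "198.51.100.7"),
]

def query_values(url: str) -> set:
    """Query-string values only: the .bid URLs reuse values under different parameter names."""
    return {value for _, value in parse_qsl(urlsplit(url).query)}

def correlate_referrers(log, known_url=KNOWN_URL, known_ip=KNOWN_IP, prefix=24):
    """Flag referrers that share a query value with the known ad-network URL AND
    resolve into the same /prefix block (the /24 stands in for 'suspiciously close')."""
    known_values = query_values(known_url)
    known_net = ip_network(f"{known_ip}/{prefix}", strict=False)
    results = []
    for url, ip in log:
        shared = query_values(url) & known_values
        same_net = ip_address(ip) in known_net
        results.append({
            "host": urlsplit(url).hostname,
            "shared_values": sorted(shared),
            "same_net": same_net,
            # A shared value alone is weak evidence; require the network match too.
            "flagged": bool(shared) and same_net,
        })
    return results

def flagged_hosts(log, **kw) -> set:
    return {r["host"] for r in correlate_referrers(log, **kw) if r["flagged"]}

if __name__ == "__main__":
    for r in correlate_referrers(REFERRER_LOG):
        print(r)
```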
Figure 7: tvxcesibr[.]bid – Miner only page
Figure 8: 216.21.13.10 – Miner only page
Another amusing story related to Coinhive is that of a site called BroMiner. The concept is a little like Coinhive for the end user: you enter your wallet ID, click "start" and off you go mining some XMR and getting your share of the profit. The only problem here (well, except for the fact that if you wanted to mine XMR you could just do it or join a pool yourself) is that BroMiner appears to be using Coinhive on their own site, so not only are you paying an unspecified amount in fees to BroMiner themselves, but if you were meant to be paid $100, this fee comes out of the $70 BroMiner received after Coinhive took their own 30% out of it. And that is just silly…
As site owners rush to embed Coinhive's code on their sites with the promise of riches, there is little to no information regarding who is behind Coinhive: their site only has a generic contact form, and their domains are behind CloudFlare with the registration information protected by whoisproxy.
This creates an even more uneasy feeling about this whole situation, especially considering that site owners are loading code into their sites that Coinhive could change at any time.
In conclusion, somewhere between malicious use, irresponsible use and Coinhive's own implementation, end users always seem to come out on the losing end of this deal. Especially at the corporate level (the core of Trustwave SWG's user base), we felt it was in the best interest of our customers to block this behavior.
This blog post was co-authored by Simon Kenin and Anat Davidi.