Coinhive is software that can be installed on any website in order to earn Monero tokens. Using a JavaScript miner for the Monero blockchain, users visiting a website can mine with their excess CPU power. In this way, the webpage would no longer have to rely on ad revenue to maintain the site.
What About Coinhive Injections?
Coinhive injections are a way to infect other websites in order to profit from their visitors. This is not the way Coinhive is intended to work. Coinhive should run on the owner’s own website and not on a third party's.
One of the first cases discovered using this malicious injection involved the security.fblaster[.]com script. This script loaded the CoinHive miner script, which drained CPU power from visitors in order to mine Monero tokens. However, the miner needs lots of users in order to mine a significant amount of the virtual currency. Magento and WordPress sites were among those that suffered from these injections.
CoinHive Answer to the Problems
Some anti-virus programs and ad-blocking software started to show alerts and block the code. CoinHive decided to improve the code and provide a better product for website owners. The team made the miner ask visitors whether they wanted to contribute their computing power or not. In addition, CoinHive introduced a new domain, AuthedMine.com, to avoid problems with the coinhive.com domain, which had been blacklisted by some security vendors due to abuse of the system. The old version of CoinHive still works, allowing websites to decide whether they want to ask users or not.
Unobtrusive Miner Injection in WordPress and Magento
Another way of using the miner injection was in WordPress, with a specific encrypted code. The code (“eval(function(p,a,c,k,e,d)…”) was added to a WordPress file. This injection used less CPU load, being “friendlier” to the visitor, which makes it more difficult for the user to notice an increase in CPU load.
In Magento, hackers decided to inject a script that looked different from the other code. 245 empty lines were added in order to make the code invisible without scrolling.
Should I be worried?
No, basically because the infection is not a massive one, as blog.sucuri.net explains. There are different codes, and not many sites share the same type of this malicious code. An estimated 500 WordPress sites are infected.
Some webpages are using both aggressive ads and the CoinHive miner in order to maximize profits, even though this is not the main idea behind the CoinHive team.
The main advice for webmasters is to always keep their site secure, analyzed and monitored. Doing so reduces the possibility of finding unauthorized code or CoinHive injections.
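As an added example (not code from Coinhive, Sucuri or this article's author), a webmaster could check site files for the signs described above: references to the miner domains, the packed `eval(function(p,a,c,k,e,d)` code, and code hidden below a long run of empty lines. The function names, the file suffix list, the blank-line threshold and the sample template are assumptions made for this illustration.

```python
import re
from pathlib import Path

# Indicators named in the article (the fblaster host is written undefanged here).
MINER_HOSTS = re.compile(r"(coinhive\.com|authedmine\.com|security\.fblaster\.com)", re.I)
PACKED_EVAL = re.compile(r"eval\(function\(p,a,c,k,e,d\)")
BLANK_RUN_THRESHOLD = 100  # assumed cut-off; the Magento case used 245 empty lines

def scan_text(text):
    """Return (line_number, finding) tuples for one file's contents."""
    findings, blank_run = [], 0
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            blank_run += 1
            continue
        # First non-blank line after a long blank run: content pushed out of view.
        if blank_run >= BLANK_RUN_THRESHOLD:
            findings.append((n, f"code after {blank_run} blank lines"))
        blank_run = 0
        host = MINER_HOSTS.search(line)
        if host:
            findings.append((n, f"miner host {host.group(1).lower()}"))
        if PACKED_EVAL.search(line):
            findings.append((n, "packed eval(function(p,a,c,k,e,d) block"))
    return findings

def scan_tree(root, suffixes=(".php", ".phtml", ".js", ".html")):
    """Scan matching files under root; return {path: findings} for files with hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample template: scripts hidden below 245 empty lines.
SAMPLE = (
    "<footer>ok</footer>\n" + "\n" * 245
    + '<script src="https://coinhive.com/lib/example.js"></script>\n'
    + "<script>eval(function(p,a,c,k,e,d){return p}('x',1,1,[],0,{}))</script>\n"
)

if __name__ == "__main__":
    for line_no, finding in scan_text(SAMPLE):
        print(line_no, finding)
```

A hit on authedmine.com or coinhive.com only means a miner is referenced; whether it is authorized is for the site owner to confirm.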
Images courtesy of Pixabay and blog.sucuri.net