Real Mad-quid: Murky cryptojacking menace that smacked Ronaldo site grows

They’re taking our processor cycles

Cryptojacking is well on its way to becoming a new menace to internet hygiene.

On some sites, internet publishers are making money by running scripts in the background of pages that use the spare processor cycles of visiting surfers to mine cryptocurrency. In other cases, hackers have planted JavaScript on pages that covertly harvests crypto-cash for the miscreants – a process that has become known as cryptojacking.

Dodgy code capable of mining a digital currency called Monero mysteriously surfaced on the website of TV giant Showtime late last month, and then appeared on the official website of Portugal and Real Madrid soccer ace Cristiano Ronaldo last week.

The JS code that was on his website has since been removed, said security researcher Troy Mursch.

Both the Showtime and Ronaldo websites used software from Coinhive, which mined Monero. The Pirate Bay deliberately planted the mining code on its site before owning up to the "test" some time later. In other cases, the mining was either the byproduct of malicious adverts or run via legitimate but compromised websites, as in both the Showtime and Cristiano Ronaldo cases.


Only after several days of diligent nagging by security researcher Mursch (@bad_packets) did the developers behind the Ronaldo site admit that the script wasn't put there by them, and suggest talking to CR7's management company.

Ronaldo's people have yet to respond directly to The Register's repeated requests for comment. "Since the code on @Cristiano's was unthrottled, it was probably miscreants," Mursch told El Reg.

The amount to be made for criminals is normally quite small, perhaps into the thousands of dollars. High traffic sites would be able to generate a lot more through legitimate advertising.

For miscreants, cryptojacking offers a number of advantages even though it's less lucrative than serving up malicious ads that sling either malware or tech support scams.

Although some experts argue that crypto mining is a form of theft, it has the advantage of being much less likely to generate complaints. The technology exists in a grey area, made more obscure by the difficulty of knowing whether code is there with the permission of website owners. The presence of the code on sites does not affect their core functionality.

Coinhive touts itself as a way for website owners to quickly set up mining by using their JavaScript API. The technology is already being widely abused, as explained in a blog post by Malwarebytes here.
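For site owners who want to check their own pages, the following added example (not from the article or from Coinhive) scans HTML source for a Coinhive-style script include and reports whether the miner is configured without throttling, the trait Mursch pointed to. The indicator patterns (a script file name containing `coinhive`, the `CoinHive.Anonymous` constructor, the `throttle` option and its default of 0) are assumptions based on Coinhive's published API, and the sample pages and site keys are constructed.

```javascript
// Added example: audit a page's HTML for Coinhive-style in-browser miner code.
// Patterns are assumptions based on Coinhive's public API, not taken from the article.
const SCRIPT_SRC = /<script[^>]+src\s*=\s*["']([^"']*coinhive[^"']*\.js)["']/gi;
const CONSTRUCTOR = /\bCoinHive\.(Anonymous|User|Token)\s*\(([^)]*)\)/g;
const THROTTLE = /\bthrottle\s*:\s*([0-9]*\.?[0-9]+)/;

function auditPage(html) {
  const report = { scriptSources: [], miners: [], suspicious: false };
  // 1. External script includes whose file name points at the miner library.
  for (const m of html.matchAll(SCRIPT_SRC)) {
    report.scriptSources.push(m[1]);
  }
  // 2. Inline miner construction; read the throttle option if one is given.
  for (const m of html.matchAll(CONSTRUCTOR)) {
    const t = THROTTLE.exec(m[2]);
    // Assumption: with no throttle option the miner runs at full speed (0).
    const throttle = t ? parseFloat(t[1]) : 0;
    report.miners.push({ kind: m[1], throttle, unthrottled: throttle === 0 });
  }
  report.suspicious = report.scriptSources.length > 0 || report.miners.length > 0;
  return report;
}

// Constructed sample pages; the site keys are placeholders.
const UNTHROTTLED_PAGE = `
<html><body><h1>Fan site</h1>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY'); miner.start();</script>
</body></html>`;

const THROTTLED_PAGE = `
<html><body><h1>Publisher site</h1>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY', {throttle: 0.7}); miner.start();</script>
</body></html>`;

const CLEAN_PAGE = `
<html><body><h1>Ordinary site</h1>
<script src="/js/app.js"></script>
</body></html>`;

const SAMPLES = { unthrottled: UNTHROTTLED_PAGE, throttled: THROTTLED_PAGE, clean: CLEAN_PAGE };
for (const [name, page] of Object.entries(SAMPLES)) {
  const r = auditPage(page);
  console.log(name, "suspicious:", r.suspicious, "miners:", JSON.stringify(r.miners));
}
```

A match only shows that miner code is present; whether it was placed with the owner's permission still has to be established by comparing the page against what the site's developers actually deployed.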

A list of sites running Coinhive can be found here. Another scripting nasty, dubbed CryptoLootMiner, has surfaced in other incidents. ®
