Guerrilla Mining - Danger from your Browser

in #mining, 7 years ago (edited)

Over 500 million website users have been abused for cryptomining. What is guerrilla mining? Who is affected? What dangers can arise from this? I will answer these and other questions in this article.

What is guerrilla or JavaScript mining?

More than 500 million PCs are secretly abused for cryptomining, according to Adguard, the ad blocker company. As welivesecurity reports, guerrilla or JavaScript mining makes its profit by stealing resources: the visitors of the affected websites notice nothing at all.

If you visit a website that contains such a harmful JavaScript file, the script is executed for the duration of the visit and taps the computing power of your PC. The computing power gained this way is used to mine cryptocurrencies such as Monero; mining Monero in particular is currently highly lucrative. Adguard puts the total profit from guerrilla mining at 43,000 US dollars. Since this is currently spreading, appropriate measures must be taken now.

Guerrilla or JavaScript Mining as a source of income for websites?

The JavaScript code can also be implemented deliberately by the website operator in order to open up a new source of income. Providers such as Coinhive and JSEcoin supply such JavaScript code for exactly this purpose. However, this usually happens without informing the visitors, and since only a few affected people monitor the CPU load of their own devices, it goes unnoticed. It can bring a PC to its knees; at the very least it shortens the life of the hardware and increases the electricity bill, because this inefficient JavaScript mining consumes enormous amounts of energy. Website operators who use such JavaScript code should therefore be required to inform their visitors and offer them an opt-in, i.e. the option of accepting or refusing. Unfortunately, this hardly ever happens.

Example: The JavaScript code of JSEcoin currently contains the string "load.jsecoin.com" (23.12.2017, 11:45 a.m.). To check which websites inform their visitors about this practice, I searched the websites listed at Alexa via Nerdydata.com. At that time, 185 websites were found that had implemented JSEcoin's JavaScript code.

None of the 185 websites I checked informs its visitors that, in the background, sometimes enormous computing power is being tapped. I work on a current MacBook Pro, and using the Dr. Cleaner software I regularly see 100% CPU load! So it is not taken quietly and in small amounts so as to remain unnoticed; no, it is grabbed with both hands. If you want to check this yourself, simply put the snippet load.jsecoin.com (without quotation marks) into the search field at Nerdydata.com and browse through the websites listed there.

What I cannot validate at this time is how many of the 185 websites implemented the JavaScript code intentionally. It is conceivable, for example, that a website administrator introduced the code without the website owner being aware of it. Coinhive's JavaScript mining code, for instance, was found on the official website of Cristiano Ronaldo (it has since been removed). I do not assume that Cristiano Ronaldo implemented this himself; in his wage bracket that would simply be disproportionate, completely ridiculous in fact. A website administrator might have wanted to earn some extra money here. But of course I cannot say this with certainty.

A further problem arises from vulnerabilities in the JavaScript mining code itself, because, as Sucuri reports, this code has probably already been tampered with by hackers. We probably do not want to know what happens inside such tampered or hacked JavaScript code. In the best case, a hacker merely diverts all or part of the computing power gained in order to pocket the mined coins himself.

How can I detect guerrilla or JavaScript mining?

  • Your laptop becomes hot when visiting affected websites and the fan runs at full speed. Check: software such as Dr. Cleaner monitors CPU load. Since the JavaScript code is only executed while you are on the website, you can check whether CPU load rises when you open the website and drops again when you close the tab.
  • The battery of your smartphone and/or tablet suddenly drains unusually quickly.
  • You can check the source code of websites you visit frequently. In the Chrome browser, for example, right-click, choose "View page source" and search the source for "Coinhive" or "JSEcoin". If JavaScript mining is running in the background, avoid this website.
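The "search the page source" check from the last bullet, automated, as an added example that is not code from the original post or from Coinhive/JSEcoin. It walks every script element of a page, judges external scripts by the host they load from and inline scripts by keyword. The host names and keywords are assumptions based on the two providers named above (the post itself only gives load.jsecoin.com), and the sample page is constructed here so the script runs offline under Node.

```javascript
// Added example: scan page HTML for third-party mining script includes.
// Hosts whose script includes count as a miner loader (assumed for this example).
const MINER_HOSTS = ['coinhive.com', 'jsecoin.com'];
// Keywords searched in inline scripts, as the post suggests searching the source.
const MINER_KEYWORDS = ['coinhive', 'jsecoin'];

// True when hostname equals domain or is a subdomain of it. A plain substring
// test would also flag unrelated look-alike hosts such as "notcoinhive.com".
function hostMatches(hostname, domain) {
  const h = hostname.toLowerCase();
  return h === domain || h.endsWith('.' + domain);
}

// Walk every <script> element; external ones are judged by host, inline ones
// by keyword. pageUrl is needed to resolve relative and protocol-relative src.
function scanHtmlForMiners(html, pageUrl) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) {
      let url;
      try { url = new URL(src[1], pageUrl); } catch (e) { continue; }
      for (const domain of MINER_HOSTS) {
        if (hostMatches(url.hostname, domain)) {
          findings.push({ kind: 'external', host: url.hostname, url: url.href });
        }
      }
    } else {
      const lower = body.toLowerCase();
      for (const kw of MINER_KEYWORDS) {
        if (lower.includes(kw)) findings.push({ kind: 'inline', keyword: kw });
      }
    }
  }
  return findings;
}

// Constructed sample page: a benign local script, a benign CDN script, a
// look-alike host that must not match, a protocol-relative JSEcoin loader
// include (path invented) and an inline snippet mentioning Coinhive.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.org/jquery.min.js"></script>
<script src="https://notcoinhive.com/analytics.js"></script>
<script src="//load.jsecoin.com/server/load.js"></script>
</head><body>
<script>/* constructed: imitates a Coinhive start call */ miner.start();</script>
</body></html>`;

const REPORT = scanHtmlForMiners(SAMPLE_HTML, 'https://example.com/');
console.log(JSON.stringify(REPORT, null, 2));
```

The scanner only sees what is in the delivered HTML; a loader that is injected later by another script, or that hides its host behind obfuscation, slips through, which is why the CPU observation from the first bullet remains the more reliable indicator.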

How can I protect myself against guerrilla or JavaScript mining?

Google Chrome is currently working on a solution to prevent this in the browser itself (by default), and the established virus scanners also have it on their radar and raise an alarm. It is only a matter of time until the widely used ad blockers also prevent JavaScript mining. Some resourceful toolmakers are also jumping on the trend and offering browser add-ons for Google Chrome and Firefox that prevent it. However, you should be careful not to fall into the next trap (an add-on operating under a false flag).

The two add-ons No Coin and minerBlock do not seem to be a bad choice. Both publish their source code on GitHub (here and here), so it is transparent and verifiable what exactly the add-ons do. That is how it should be done. There are also NoScript (for Firefox) and ScriptSafe (for Chrome). However, these do not only disable JavaScript mining completely, but JavaScript as a whole, so many applications on websites, or even entire websites, can no longer be used. That would be too radical for me, but everyone has to weigh this up for themselves. I did not want to withhold these solutions here, though.
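How a blocklist add-on of the kind just mentioned works, written out as an added example; this is not code from No Coin or minerBlock. Each blocklist entry is a Chrome extension match pattern (scheme://host/path with "*" wildcards), and every request whose URL matches one is cancelled before it leaves the browser. The two patterns are assumptions derived from the provider names in the post, the sample URLs are constructed, and the extension wiring at the end is guarded so the same file also runs under Node.

```javascript
// Added example: request blocking by a blocklist of match patterns.
const BLOCKLIST = [
  '*://*.coinhive.com/*',   // assumed; '*.' also matches the bare domain
  '*://*.jsecoin.com/*',    // assumed
];

// Split a match pattern into scheme, host and a path regex.
function compilePattern(pattern) {
  const m = /^(\*|https?|wss?):\/\/([^/]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error('invalid match pattern: ' + pattern);
  const [, scheme, host, path] = m;
  const esc = s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  return {
    scheme,
    host: host.toLowerCase(),
    pathRe: new RegExp('^' + path.split('*').map(esc).join('.*') + '$'),
  };
}

const COMPILED = BLOCKLIST.map(compilePattern);

// Match on parsed URL components rather than on the raw string, so a miner
// host that merely appears in a query parameter of a benign URL is not blocked.
function patternMatches(p, urlString) {
  let url;
  try { url = new URL(urlString); } catch (e) { return false; }
  const scheme = url.protocol.slice(0, -1);
  if (p.scheme === '*' ? (scheme !== 'http' && scheme !== 'https') : p.scheme !== scheme) return false;
  const host = url.hostname.toLowerCase();
  if (p.host.startsWith('*.')) {
    const base = p.host.slice(2);
    if (host !== base && !host.endsWith('.' + base)) return false;
  } else if (p.host !== '*' && p.host !== host) {
    return false;
  }
  return p.pathRe.test(url.pathname + url.search);
}

function shouldBlock(urlString) {
  return COMPILED.some(p => patternMatches(p, urlString));
}

// Wiring inside a 2017-era (Manifest V2) extension background script: the
// blocking webRequest listener cancels matching requests. The guard makes the
// file harmless outside an extension.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    details => ({ cancel: shouldBlock(details.url) }),
    { urls: ['<all_urls>'] },
    ['blocking']
  );
}

// Constructed sample requests: two miner loaders, a look-alike host, a benign
// URL carrying a miner host in its query string, and a benign script.
const SAMPLE_REQUESTS = [
  'https://coinhive.com/lib/coinhive.min.js',
  'https://load.jsecoin.com/server/load.js',
  'https://notcoinhive.com/analytics.js',
  'https://example.com/?ref=https://coinhive.com/',
  'https://example.com/js/app.js',
];
for (const u of SAMPLE_REQUESTS) console.log(shouldBlock(u) ? 'BLOCK ' : 'allow ', u);
```

The weakness of this approach is the list itself: a miner served from a host that is not on it, or proxied through the website's own domain, is not stopped, so the list has to be maintained, and the source-code transparency praised above is exactly what lets you see which hosts an add-on actually blocks.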

My personal opinion about JavaScript Mining

Basically I find the exchange, computing power for content, very interesting. Done transparently, communicated clearly and unambiguously, and via opt-in, it is, compared to annoying advertising, an option with the potential to roll up the advertising industry from behind.

For Wikipedia this could be an interesting way out of the donation dilemma. If we are honest, the donation appeals are just as annoying as advertising and therefore a poor solution. Moreover, the proportion of visitors who actually donate is incredibly low. If Wikipedia asked me at the start of a visit whether I want to contribute 5-20% of my computing power while I am on Wikipedia so that it stays up and running, I would be in immediately. An explanation of what exactly happens, a simple slider with which I decide for myself how much computing power I am willing to give today, and two buttons, "Start" and "Stop". Done. I think this is really great and I would use it regularly.

What I do not accept at all is a website secretly using JavaScript mining to tap into my computing power. And vendors such as Coinhive and JSEcoin, which distribute insecure JavaScript code that hackers have tampered with, are currently not a sensible solution. Whoever recognizes this demand and is able to serve it properly will have a firm place in the market, I am sure of that.

How do you feel about Guerrilla Mining / JavaScript mining?

Best regards
Oliver

Picture: © Pixabay.com


The @OriginalWorks bot has determined this post by @oliverschmid to be original material and upvoted it!



You got to credit your picture source if it is not yours, my friend.

Hi, thanks for your comment. Of course, I purchased a license for the image from Adobe. I added the credits to the article (© gangiskhan / stock.adobe.com). Greetings, Oliver

This is a great post on a timely topic. Upvoted & resteemed to my followers!

Hey Arun, thanks for the Support. I follow you now :)

In my opinion it is better than ads. Sure, there must be a UI option showing the user what is going on and allowing them to turn it off.

Hey misterk0, that's exactly my point! Thanks for your comment.
