Polidori was alerted by his network’s security tools, and decided to dig a little deeper into the extension. He found it was downloading and running a file named cryptonight.wasm from Coinhive to secretly mine the cryptocurrency.
The plugin’s developers made no mention of a cryptocurrency miner in the URL shortener. To make sure his installation had not been tampered with, Polidori installed the extension in a new Chrome instance. Once again, his CPU usage was at 95 percent whenever Chrome was open. He stated:
“To remove any doubts that my installation could be tampered, I tried to install the extension to a new Chrome instance. Unfortunately I got the same result, so we can conclude that it was intentionally designed.”
The extension had nearly 15,000 downloads when Polidori found the miner in it. He quickly informed Google, and the extension was pulled from Google’s marketplace. Using visitor CPU power to mine Monero isn’t, by itself, malicious, but using it without user consent is. On various forums, users have stated that they would gladly donate some of their CPU power – presumably not 95 percent – to get rid of ads on websites they visit.
Last month, another Google Chrome extension called “SafeBrowse” was also pulled from the marketplace, as it was using another cryptocurrency miner. Hackers have already managed to infiltrate websites – including the popular CBS-owned Showtime websites – to include Coinhive’s code in them and reap the profits.
Responding to criticism, Coinhive – which is often used for legitimate purposes – started developing a new Monero miner, AuthedMine, which asks for user permission before mining instead of doing it secretly. The organization’s mining code became so popular that a competitor, Crypto-Loot, emerged. Crypto-Loot actively advertises that users won’t notice it’s running and that it can be used without user consent. It adds that “we aren’t going to tell you how to run your business.”
Last month, Kaspersky Labs revealed that 1.65 million computers had been infected with mining malware and placed in massive botnets this year. Security software vendors have already caught up with the practice, and Malwarebytes, ad blockers, and anti-virus software have already started blocking Monero mining code.
Last modified: May 21, 2020 9:10 AM UTC