Security News

UPDATE: Arenavision site now clean: Hackers mine cryptocurrency Monero using visitors’ browsers without their knowledge

Michal Salát, 29 January 2018

Hackers mine Monero using visitors’ browsers without their knowledge

Update Monday, January 29, 2018 4:00 PM CET: Arenavision reached out to Avast on Twitter, claiming their site was hacked on January 16, 2018. Avast reexamined the JQuery file and can confirm the site is now clean and does not contain any mining algorithms. The below post has been updated to reflect this.

A popular site used to stream sporting events such as soccer, basketball, tennis, and other sports is mining cryptocurrencies using CoinHive, without site visitors’ permission. The site, arenavision[dot]in, is mostly visited by Spanish users, followed by Portuguese, and Mexican users, according to Alexa.

Crypto coins are generated by solving a complex mathematical problem that meets certain criteria. The result confirms a set of transactions. If such result is found, the first miner to publish it receives a reward and the transaction fees from the given set.

Various crypto coins use different algorithms, but most of them have been implemented in miner applications for CPUs and GPUs. JavaScript is a programming language used to implement a miner application and is supported by most browsers.

It isn’t surprising to see a site like Arenavision being abused for mining. The longer visitors stay on a page, the more can be mined. Soccer games, for example, last 90 minutes and most viewers probably watch entire matches, giving hackers time to mine.

Most JavaScript miners mine Monero (XMR). This is because the mining algorithm is suitable for computations on CPU, whereas mining BitCoin (BTC), for example, on CPU doesn’t make much sense due to the algorithm and mining difficulty.

According to SimilarWeb, Arenavision was visited 6.6 million times in December, with the average visit duration being about three minutes and 30 seconds. Taking into consideration most visitors probably visit the site using a laptop or PC, for a better viewing experience, we estimate six million visitors frequented the site using a laptop or PC in December.

We roughly estimate that $840 is earned on a monthly basis, based on the site data from December 2017, just from visitors going to the Arenavision homepage. If this had gone unnoticed, hackers would have continued profiting from the miner. We calculated the estimated monthly profit by first calculating my computer’s hashrate (40 hashes per second) using CoinHive, which is the service that was used to mine, and using the site CryptoCompare to calculate how much money I would earn if I mined non-stop on my work PC for a month. As we know, the average time spent on the website was three minutes and 30 seconds in December. I also took into consideration that CoinHive gets a 30% pool fee, which yields $360.

We were, unfortunately, unable to find sufficient data to calculate how much was earned by mining on arenavision2017[dot]ga, the site Arenavision users are redirected to, to view sporting events.

While still in its infancy, cryptomining via websites falls into a bit of an ethical gray area. Although Arenavision claims their site was hacked, a few websites already fairly use cryptocurrency miners for financial gain, providing site visitors with the option to view ads, or enjoy an ad-free experience in exchange for mining.

However, in most cases, mining scripts are installed and run without notifying users. Running mining server farms to legally and quickly mine cryptocurrencies requires a high financial investment both for the infrastructure and electricity. To avoid high costs, many are starting to mine using browser code, using existing PCs of random, unknowing users to mine and make a profit.

Cryptocurrency mining programs cause the browser to perform at a slower rate, exhausting a system’s battery power faster than usual. Visitors of websites will notice their browser lagging or their computer running more slowly and noisily, but not much else.

Avast considers websites that mine for cryptocurrencies without asking for users permissions malicious and blocks scripts that try to mine in the background, behind users backs. We also block known, malicious mining programs.

How to find out if your browser is secretly mining, and what you can do about it

In addition to using antivirus products that detect unwanted browser mining, there are a few other strategies you can employ to see if your browser is mining:

  • Check to see what scripts your browser has loaded. If you are registering significant CPU load yet there is only one tab in your browser and you are not running anything that should put significant load on your CPU, then odds are you’re being used to mine cryptocurrency.
  • If you discover that a site you visit is mining, and you use an ad blocker that lets you add additional URLs to their “block” list, add this website to your list.
  • Search the Chrome Web Store—or something similar—for “miner blockers” and see what comes up. Developers have already created ways to automatically detect mining and stop it from occurring.