Security News

Two true — and telling — tales about cryptomining from this week

Avast Security News Team, 16 February 2018

Two stories this week raise critical points to discuss and some big questions to ask about cryptomining.

At Avast, it’s our business to stay on top of security risks that affect computer users around the world. As cryptocurrencies grow in popularity — as well as the inevitable cryptomining that follows — this is an area we are committed to closely monitoring. Here are two stories from the week that caught our attention.

Thousands of websites hit by cryptominer-poisoned plugin

On Monday, if you visited one of many official government websites, including Indiana state, the US courts, the UK’s Information Commissioner, the UK’s National Health Service, departments of the Australian government and many, many others, you very likely unwittingly mined the cryptocurrency Monero, due to malware.

It was not a specific site that was compromised, however: rather, it was a browser plugin called Browsealoud that had been hacked to allow the Coinhive miner to hijack the user’s CPU to mine the cryptocurrency without the user’s knowledge or consent.

Security researcher Scott Helme discovered the compromised plugin, but how did it happen? Here’s what we know: the legitimate script was hacked on the Amazon server where it lives and where it forms part of the supply chain of code and technologies that come together in your browser to deliver content and functionality. What we don’t know is how the hacker accessed the code, nor do we know who the hacker is.

Browsealoud acted quickly to take down the infected code and replace it with a safe version of its plugin. But the knock-on effect meant that many of the affected websites had to go offline while their admins checked the integrity of their content and technology stacks.

While this particular vulnerability was fixed pretty quickly, it still points to a larger concern — that scripts and plugins implemented “off the shelf,” developed by third parties and hosted on public cloud infrastructure such as AWS, could be similarly hijacked to spread much more damaging malware in the future.

In his blog post on this vulnerability, security researcher Troy Hunt offers two key mitigating techniques. The first is SRI, or Subresource Integrity, which lets sites verify the safety of the third-party scripts they rely on by checking the hosted script’s hash against the one for the verified code. If the hash doesn’t match, the script doesn’t run, and the user is safe.

The second technique is CSP, or Content Security Policy. As Helme describes it, this policy defines what resources the browser can load by whitelisting known safe content. Anything it doesn’t recognize, it won’t load.

Sounds great, right? Well, yes and no. As Martin Hron, Avast Threat Labs researcher, points out, “Many authors and providers of content are used to doing things the ‘old-school’ way, and sometimes don’t even know about these options.”

“I would definitely recommend using features like CSP or SRI,” Hron continues. But he’s quick to point out that this is the “trade-off between comfort and ease of website implementation and maintenance versus security,” which means that sometimes people pick the easier option rather than the secure option.

And, using the SRI technique means that every time the owner of a plugin updates their code, the new hash has to be pushed out to browsers. As Hron points out, “Every time you use a script from a third party, you have to consider your trust in that source.”

As the website owners recover from the Browsealoud vulnerability, it’s important that we start a critical conversation about trust — and specifically about how and where the bits of code that make up the software supply chain are developed, hosted, and implemented.

Salon offers readers a choice: see the ads or run a cryptominer

Cryptominers aren’t necessarily malware; as visitors to Salon.com discovered this week, sometimes they’re deliberately implemented on websites.

While in the previous story, Coinhive was maliciously and secretly injected into the Browsealoud plugin, Coinhive actually markets itself to websites as a way to monetize visitors who block ads.

Of course there are plenty of good reasons to block ads: to mitigate the risk of malware being injected via compromised adtech networks, to reduce distracting visual clutter on a website, to stop website slow-down caused by loading third-party advertising content and scripts, and to reduce the number of scripts that track user activity and invade privacy.

However, ads are the financial lifeblood for publishers. So as users find more efficient and ferocious ad blockers that disable the relentless pop-ups, sounds, and alerts that get between them and the content they want to read, perhaps it is not surprising that publishers are simultaneously looking for new ways to monetize their sites. One of these ways is to offer readers a choice: to see the ads, or to block the ads and instead run Coinhive during their visit to the site.

Salon drew fire from users for the less-than-transparent way it positioned the latter choice. Visitors with ad blockers enabled were confronted with a popup that coyly offered the following: “Block ads by allowing Salon to use your unused computing power.”

Critics were quick to point out that there’s more to it than simply letting Salon “use your unused computing power.” David Gerard, author of a book on blockchain technology, tweeted that Salon was telling a “straight-up lie about how computers work.”

It’s understandable why Salon has explored this route: as publishers chase ads and revenue and try to come up with ways to monetize their content, ad blocking is a huge problem. Content is, after all, expensive to produce.

Here’s the big question: in exchange for blocking ads, should you let Salon – or any other site – run a cryptominer while you browse their content? Martin Hron of Avast Threat Labs says it’s “the double-edged sword” of the ad-monetising world.

“If the site is asking you for permission to allow the trade-off between ad-based or cryptomining in return for free content, and asks you for that in a transparent way, ideally with a time-limited validity of such given permission, then I think it’s safe, and from my standpoint, a clean way to do it,” Hron says.

Ultimately it’s your decision. But here’s what you should know: running a cryptominer, even knowingly, will hammer your CPU and slow down your laptop. Salon rather opaquely acknowledges this, saying that “your fan may turn on for the same reason that your computer’s fans turn on when doing any other intensive task, like playing a computer game or watching a full-screen video.”

Salon may be the first mainstream website to go down this route to monetize its content, but it won’t be the last, and other publishers will be watching closely to see how this experiment pans out.