Hackers Injecting Coinhive Short URLs into Hacked Sites
According to security researchers at Malwarebytes, a large number of legitimate websites have been hacked to unknowingly load short URLs, generated using CoinHive, inside a hidden HTML iFrame in an attempt to force visitors’ browsers into mining cryptocurrency for attackers.
“In the past weeks, our crawlers have catalogued several hundred sites using a variety of CMS all injected with the same obfuscated code that uses Coinhive’s shortlink to perform silent drive-by mining,” Malwarebytes said.
Malwarebytes researchers believe that the hacked websites they discovered are part of the same ongoing malicious campaign uncovered by Sucuri researchers.
Since the short URL loads inside a hidden iFrame, it is invisible, and noticing it on a web page is quite difficult. The infected webpage then automatically starts mining until the Coinhive short-link service redirects the user to the original URL.
However, since the short-link redirection time is adjustable via Coinhive’s settings (using the hash value), attackers force visitors’ web browsers to mine cryptocurrency continuously for a longer period.
“Indeed, while Coinhive’s default setting is set to 1024 hashes, this one requires 3,712,000 before loading the destination URL,” said Jérôme Segura, a security researcher at Malwarebytes.
Moreover, once the required number of hashes has been reached, the link behind the short URL redirects the user back to the same page in an attempt to start the mining process once again, and the site visitor is tricked into thinking that the web page has only been refreshed.
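For site owners checking their own pages for this kind of injection, the sketch below (an added example, not code from Malwarebytes or the original article) flags invisible iframes that load an external URL. The watchlist host `shortlink.example` and the sample markup are constructed placeholders; because the injected code is obfuscated, feed it the HTML as rendered by a browser rather than the raw source files.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts to watch for. "shortlink.example" is a placeholder, not a real indicator.
WATCHED_HOSTS = {"shortlink.example"}

def _is_hidden(attrs):
    """True when the iframe's attributes or inline style make it invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "hidden" in attrs or re.search(r"display:none|visibility:hidden|opacity:0(?![.\d])", style):
        return True
    for dim in ("width", "height"):  # 0px or 1px frames are effectively invisible
        m = (re.search(dim + r":(\d+)px", style)
             or re.fullmatch(r"(\d+)(?:px)?", (attrs.get(dim) or "").strip()))
        if m and int(m.group(1)) <= 1:
            return True
    return False

class IframeAudit(HTMLParser):
    def __init__(self, watched):
        super().__init__()
        self.watched, self.findings = watched, []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        host = (urlparse(a.get("src") or "").hostname or "").lower()
        if host and _is_hidden(a):  # relative (same-site) sources have no host and are skipped
            on_list = any(host == h or host.endswith("." + h) for h in self.watched)
            self.findings.append({"line": self.getpos()[0], "src": a["src"], "watched_host": on_list})

def audit(html, watched=WATCHED_HOSTS):
    """Return one finding per hidden iframe that loads an external URL."""
    parser = IframeAudit(watched)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: one normal embed, two hidden frames.
SAMPLE = """<html><body>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
<iframe src="https://shortlink.example/abc" width="1" height="1" style="display:none"></iframe>
<iframe src="https://cdn.example/w" style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Findings with `watched_host` set to true deserve immediate attention; other hidden external frames still merit a manual look, since legitimate widgets also use them.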
Crooks Also Attempt to Turn Your PC into a Crypto-Mining Slave
Besides the hidden iFrame, researchers have found that cybercriminals are also injecting hyperlinks to other hacked websites in order to trick victims into downloading malicious cryptocurrency mining malware for desktops, disguised as legitimate versions of the software.
“In this campaign, we see infrastructure used to push an XMRig miner onto users by tricking them into downloading files they were searching for online,” researchers said.
“In the meantime, hacked servers are instructed to download and run a Linux miner, generating profits for the perpetrators but incurring costs for their owners.”
The best way to protect yourself from illegal in-browser cryptocurrency mining is to use a browser extension, like minerBlock or No Coin, that is specifically designed to block popular mining services from utilizing your computer resources.