Coinhive mining – a victimless crime?
Coinhive delivered a clever piece of software in September with very little fanfare. Website owners were asked to create an account with Coinhive and then run its application on their websites. The software was an in-browser JavaScript application that let the host website use visitors' CPU power to mine the altcoin Monero.
Visitors were unaware that their CPU was being borrowed, or stolen, and may only have noticed that their machine had slowed down or its fans had suddenly revved up.
Typically the additional electricity cost per commandeered CPU ran in the region of a few dollars per month, but it all adds up for the site running the miner if it can get multiple visitors 'donating' their CPU at once.
Sophos Senior Technologist Paul Ducklin is calling out the practice. 'Here at Sophos we don't agree with the subterfuge,' he says. 'We are calling it parasite-ware. The donating CPU may not actually be damaged and the energy costs are minimal in most cases, but it is permission-less and therefore unacceptable.'
Ducklin compared it to an employee driving to a restaurant for lunch and then loaning the company car to a stranger to run around the corner to get groceries. 'They might not use much petrol, there may be little or no wear on the actual car, but it's not really on, is it?'
Ducklin has a point, especially as the software spread across the internet in a number of ways. He trawled through URLs that had embedded Coinhive and could find very little to connect or unify them. 'None of the big brands did it of course, but there was a strange mixture of websites that did not exhibit any patterns I could detect.'
A second wave followed when hackers took to the idea. The site key that directs the mined funds is anonymous and effectively untraceable, so many websites were simply hacked, the software installed without the owner's permission or even awareness, and the proceeds siphoned off that way.
'It could also be an employee of a company who decided that this was a cool way of earning some extra free money,' said Ducklin. 'There was a high-profile case in Australia where an employee decided the rendering Macs used for cartoons at a broadcasting station were idle and could be used for this purpose. In this case the costs were high and it was discovered as a result.'
'I'm not sure if he was fired or not,' says Ducklin, 'but it certainly shows how the Coinhive app spread – a mixture of website owners feeling it was okay, employees thinking it was a good idea, or hackers trawling through sticky sites looking for extra income.'
The popularity of the Coinhive app was driven by the rise in altcoins generally, so a slowdown in prices might also slow adoption. 'We posted graphs on our blog which showed the rise in the price of Monero and altcoins in general alongside the speed of adoption,' says Ducklin. 'It was fast and furious.'
Coinhive came to public attention via The Pirate Bay, which decided that rather than pester its user base with advertising, it would simply borrow their spare CPU power. When that became known, all hell broke loose and the complaints poured in.
'Pirate Bay, like the name, has an irregular reputation. But it did two things. It alerted people to the Coinhive app and it also called out the position on whether it was victimless or not, and whether swapping unwanted advertising for possibly unwanted CPU appropriation was okay,' Ducklin says.
To actually make money mining Monero the miner would need multiple visitors all spending at least ten minutes on the site. 'But I guess if the miner was making small money from each visitor it would seem like harmless appropriation of their CPU,' he says.
Coinhive suggested that site owners throttle how much of the visitor's CPU the miner used, but in many cases this was not done, leaving very angry visitors watching their computers slow to a crawl or freeze. For the most part the public feeling is that taking even unused CPU is not on, at least not without permission.
'On the plus side, this may be a wake-up call to the advertising industry,' suggests Ducklin. 'No one wants clickbait, auto-play videos with sound and pop-ups. This might make the clever folk who work in that industry come up with some other form of advertising.
‘In the interim, we here at Sophos are blocking it. If you want to give away your CPU to strangers then at least give permission,’ he says.
He is not alone; other antivirus companies such as Malwarebytes are doing the same. In an article in The Register, Malwarebytes said Coinhive was the second-most-commonly blocked domain among its users, with 130 million users expressing their disdain for the technology.
The publication quoted Adam Kujawa, a director at Malwarebytes, as saying: "We do not claim that Coinhive is malicious, or even necessarily a bad idea. The concept of allowing folks to opt in to an alternative to advertising, which has been plagued by everything from fake news to malvertising, is a noble one. The execution of it is another story."
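Blocking the domain, as Sophos and Malwarebytes describe above, is the network-level answer; a site owner or incident responder checking whether a page has been (or has been made) a Coinhive host also wants to see it in the HTML itself. The scanner below is an added example written for this article, not code from Coinhive, Sophos or Malwarebytes. It parses a page, flags script tags served from miner hosts, counts inline scripts that instantiate the miner, and reports the throttle setting so the operator can tell a "tuned down" miner from one left to consume the whole CPU. The host list, the `CoinHive.Anonymous` global and the `throttle` option name are assumptions about the library as it was distributed at the time; the sample page is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicator data (constructed for this example, not a vetted feed):
# hostnames the miner library was served from, and what each one implies.
MINER_HOSTS = {
    "coinhive.com": "silent (no visitor prompt)",
    "authedmine.com": "opt-in variant (prompts the visitor)",
}
# Assumed shape of the inline loader: new CoinHive.Anonymous(siteKey, {throttle: 0.x})
MINER_CTOR = re.compile(r"new\s+CoinHive\.(Anonymous|User|Token)\s*\(", re.I)
THROTTLE_OPT = re.compile(r"throttle\s*:\s*([0-9]*\.?[0-9]+)", re.I)


class ScriptCollector(HTMLParser):
    """Pull external <script src> URLs and inline <script> bodies out of HTML."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline = [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":          # HTMLParser lowercases tag names for us
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def _miner_host(src):
    """Return the matching indicator host for a script URL, or None.

    urlparse handles both absolute (https://) and protocol-relative (//) URLs,
    which is how the loader was typically embedded.
    """
    host = (urlparse(src).hostname or "").lower()
    for known in MINER_HOSTS:
        if host == known or host.endswith("." + known):
            return known
    return None


def scan_html(html):
    """Scan a page for browser-miner indicators.

    Returns a dict with:
      external - list of (script URL, matched host, note) for miner loaders
      inline   - number of inline scripts instantiating the miner
      throttle - configured throttle (0..1) if one is set, else None,
                 meaning the miner takes all the CPU the browser gives it
    """
    p = ScriptCollector()
    p.feed(html)
    external = []
    for src in p.srcs:
        host = _miner_host(src)
        if host:
            external.append((src, host, MINER_HOSTS[host]))
    inline_hits, throttle = 0, None
    for body in p.inline:
        if MINER_CTOR.search(body):
            inline_hits += 1
            m = THROTTLE_OPT.search(body)
            if m:
                throttle = float(m.group(1))
    return {"external": external, "inline": inline_hits, "throttle": throttle}


# Constructed sample page: a silent miner with no throttle, the case that
# produced the "computer slows to a crawl" complaints.
SAMPLE_PAGE = """
<html><head>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');
  miner.start();
</script>
</head><body><p>Welcome</p></body></html>
"""

if __name__ == "__main__":
    print(scan_html(SAMPLE_PAGE))
```

Run against a crawl of your own pages, a hit on `coinhive.com` with no throttle and no consent wording on the page is the pattern worth escalating: either the owner chose it, or the site was modified without them. A hit on the opt-in host is the case Coinhive's later release was meant to cover, and is a policy question rather than an incident.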
A case of visitor beware.
As Ducklin pointed out, some sites claimed the mining was a genuine alternative to advertising. 'Yet they still ran ads,' he says. 'A question of having your cake and eating it.'
Since we spoke with Sophos, Coinhive has responded to the media interest and, in a blog post on its website, confirmed it has released a new version of the software called AuthedMine, which asks the visitor for permission before mining. This is good and bad in parts, as the original, non-consenting version is still available, leaving the host website to decide whether it is going to be naughty or nice this Christmas. Given that the projected income from the Coinhive craze to Coinhive's owners is sizeable, it might be fair to assume those nice anonymous German programmers are playing both sides of the fence.