Since web browsers and cybersecurity specialists have come up with an array of tools that scan the internet and block the mining script, hackers have updated Coinhive so that it can still function just as well. In short, Coinhive has a “URL shortener” service. The URL shortener does shorten any URL, but it adds the mining script to it. When someone clicks on the short URL, some time passes before the service redirects them to the original URL. During that time, their device mines cryptocurrency.
Researchers at Malwarebytes said:
“In the past weeks, our crawlers have catalogued several hundred sites using a variety of CMS all injected with the same obfuscated code that uses Coinhive’s short link to perform silent drive-by mining.”
This completely new scheme to utilize Coinhive was first discovered at the end of May by Sucuri researchers. Most likely both Sucuri and Malwarebytes analysts have stumbled upon the very same malicious Coinhive campaign.
Jérôme Segura from Malwarebytes believes that the short-link redirection time can be adjusted via Coinhive’s hash value settings. In practice, this means that bad actors can force devices to run at their maximum for longer periods.
“Indeed, while Coinhive’s default setting is set to 1024 hashes, this one requires 3,712,000 before loading the destination URL,” Segura said.
What’s more, once the time passes, the script redirects back to the previous page, simulating a page refresh. The idea is to trick users into starting the process all over again. On top of that, hackers have created software copycats that look like legitimate software but actually force devices to mine.
“In this campaign, we see infrastructure used to push an XMRig miner onto users by tricking them into downloading files they were searching for online. In the meantime, hacked servers are instructed to download and run a Linux miner, generating profits for the perpetrators but incurring costs for their owners,” researchers add.
The best way to protect yourself from cryptojacking attacks is to use browser extensions that detect and block unauthorized mining scripts. No Coin and minerBlock are crafted to do just that.
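Site owners can also check their own pages for injected short links. The following is an added example, not code from Malwarebytes, Sucuri or either extension. It assumes that the short links are served from the host cnhv.co, which this article does not name, and that silent loading means a hidden or 1x1 frame. The sample page and link IDs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: host used by Coinhive short links (not named in the article).
SHORTLINK_HOSTS = {"cnhv.co"}
FRAME_TAGS = {"iframe", "frame", "embed"}

def _hidden(attrs):
    """Heuristic (assumption): frame is at most 1x1 px or styled invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in {"0", "1"} and attrs.get("height") in {"0", "1"}
    return tiny or "display:none" in style or "visibility:hidden" in style

class ShortLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get("src") or attrs.get("href") or ""
        host = (urlparse(url).hostname or "").lower()
        if host not in SHORTLINK_HOSTS:
            return
        # A visible <a> needs a click; a hidden frame loads the short link
        # (and its hashing delay) as soon as the page renders.
        silent = tag in FRAME_TAGS and _hidden(attrs)
        self.findings.append((tag, url, "silent" if silent else "visible"))

def scan(html):
    """Return (tag, url, 'silent'|'visible') for every short-link reference."""
    finder = ShortLinkFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page; the link IDs are placeholders.
SAMPLE = """
<html><body>
<a href="https://cnhv.co/EXAMPLE1">download</a>
<iframe src="https://cnhv.co/EXAMPLE2" width="1" height="1" style="display:none"></iframe>
<iframe src="https://example.com/video" width="640" height="360"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, kind in scan(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Because the injected code in this campaign is obfuscated, run the scan on the rendered DOM (for example, a headless-browser dump) as well as on the raw page source.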