Pierluigi Paganini
September 26, 2017
Over the weekend, the websites of the CBS’s Showtime were found containing a JavaScript code that allowed someone to secretly mine cryptocurrency in viewers’ web browsers.
The websites Showtime.com and iShowtimeAnytime.com silently injected in the visitors’ browser the code to abuse processor capabilities to mine Monero coins. The hidden code typically consumed as much as 60 percent of the overall CPU capacity on computers while visiting the sites.
The scripts were written by Code Hive, an outfit that develops legitim JavaScript codes that could be added by webmasters to their sites in order to generate revenue as an alternative to serving advertising.
The money mined by the scripts are managed by Code Hive and paid to the website owners.
The CBS case appears very strange, it is unlikely that the entertainment corporation has placed the mining code onto its websites because it already charges subscribers to watch the TV shows online.
It is possible that hackers compromised the website to deploy the mining JavaScript code and remove it before it was discovered, the script, in fact, worked during the weekend and disappeared on Monday.
I sincerely found also this hypothesis very strange, in my humble opinion an attacker that succeed in compromising a site like the CBS one could be more interested in delivering malware to its visitors and cash out its effort in another way.
The code was found between HTML comment tags used by the analytics firm New Relic, but it is unlikely the company would deliberately insert it.
Below the scripts on showtime.com and Showtime Anytime observed by El Reg.
and
New Relic told El Reg that the code was not deployed by its experts.
“We take the security of our browser agent extremely seriously and have multiple controls in place to detect malicious or unauthorized modification of its script at various points along its development and deployment pipeline,” states the company.
“Upon reviewing our products and code, the HTML comments shown in the screenshot that are referencing newrelic were not injected by New Relic’s agents. It appears they were added to the website by its developers.”
Of course, Code Hive knows who is behind the account linked to the mining code, but it doesn’t want to reveal it according to its privacy policy.
“We can’t give out any specific information about the account owner as per our privacy terms,” the outfit informed us. “We don’t know much about these keys or the user they belong to anyway.”
Recently a similar case occurred at the Pirate Bay website.
[adrotate banner=”9″]
(Security Affairs – CBS, Monero mining)
[adrotate banner=”12″]
