Hacking

Cryptocurrency Miners hidden in websites now run even after users close the browser

Some websites use a simple trick to keep their cryptocurrency miners scripts running in the background even when the user has closed the browser window.

Website administrators and crooks are looking with an increasing interest at JavaScript-based cryptocurrency miners due to rapid increase in cryptocurrency prices.

These scripts exploit the CPU power of their visitor’s PC to mine Bitcoin or other cryptocurrencies. Some websites use a simple technique to keep their cryptocurrency mining JavaScript under the radar and secretly running in the background even when the users close his web browser.

In many cases the scripts are used as an alternative monetization model to banner ads. Recently, the Pirate Bay was spotted using the Coinhive browser-based cryptocurrency miner service.

The scripts can mine cryptocurrencies as long as the visitors are on their site, they lost access to the computer processor and associated resources when the Window is closed.

Experts from security firm Malwarebytes have discovered that some websites use a simple trick to keep their cryptocurrency mining scripts running in the background even when the user has closed the browser window.

The technique leverages a hidden pop-under browser window that is opened by the mining window and that fits behind the taskbar and hides behind the clock on Microsoft’s Windows computer.

This hidden window is used to run the crypto-miner code consumes CPU cycles and power from visitor’s computer until he will not spot the window and close it.

“The trick is that although the visible browser windows are closed, there is a hidden one that remains opened. This is due to a pop-under which is sized to fit right under the taskbar and hides behind the clock.” reads the blog post published by MalwareBytes.

“The hidden window’s coordinates will vary based on each user’s screen resolution, but follow this rule:

  • Horizontal position = ( current screen x resolution ) – 100
  • Vertical position = ( current screen y resolution ) – 40

If your Windows theme allows for taskbar transparency, you can catch a glimpse of the rogue window. Otherwise, to expose it you can simply resize the taskbar and it will magically pop it back up:”

The technique is simple as efficient, it is difficult to identify and able to bypass most ad-blockers. Experts observed that the cryptocurrency miners run from a crypto-mining engine hosted by Amazon Web Servers.

“This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the “X” is no longer sufficient.” continues the post.

“The more technical users will want to run Task Manager to ensure there is no remnant running browser processes and terminate them. Alternatively, the taskbar will still show the browser’s icon with slight highlighting, indicating that it is still running.”

To remain under the radar, the code of cryptocurrency miners runs in the hidden browser maintains CPU usage threshold to a medium level.

These scripts work on the latest version of Google’s Chrome web browser running on the most recent versions of Microsoft’s Windows 7 and Windows 10.

Users can spot miner windows by looking for any browser windows in the taskbar or running the Task Manager on their computer to ensure there is no running browser processes that are consuming CPU resources.

Some antivirus software block cryptocurrency miners, an alternative is represented by web browser extensions, like No Coin, that automatically block in-browser cryptocurrency miners.

Unfortunately, No Coin still not support Microsoft Edge, Apple Safari, and Internet Explorer.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – cryptocurrency miners, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Over 1,400 CrushFTP internet-facing servers vulnerable to CVE-2024-4040 bug

Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting recently disclosed CVE-2024-4040 vulnerability. Over…

49 mins ago

Sweden’s liquor supply severely impacted by ransomware attack on logistics company

A ransomware attack on a Swedish logistics company Skanlog severely impacted the country's liquor supply. …

3 hours ago

CISA adds Cisco ASA and FTD and CrushFTP VFS flaws to its Known Exploited Vulnerabilities catalog

CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities…

14 hours ago

CISA adds Microsoft Windows Print Spooler flaw to its Known Exploited Vulnerabilities catalog

U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog.…

20 hours ago

DOJ arrested the founders of crypto mixer Samourai for facilitating $2 Billion in illegal transactions

The U.S. Department of Justice (DoJ) announced the arrest of two co-founders of a cryptocurrency mixer…

21 hours ago

Google fixed critical Chrome vulnerability CVE-2024-4058

Google addressed a critical Chrome vulnerability, tracked as CVE-2024-4058, that resides in the ANGLE graphics…

1 day ago

This website uses cookies.