• Please review our updated Terms and Rules here

Security warning about coin-miner

deathshadow

deathshadow

Veteran Member
Joined
Jan 4, 2011
Messages
1,378
Just a heads up, but recently a JavaScript was invented that lets site owners run a JavaScript in your browser that will mine cryptocurrency such as bitcoin or montero while you are browsing their site. This can consume massive amounts of CPU if you have multiple tabs open and/or leave them open for very long.

Gizmodo did an article about it just a couple days ago:
https://gizmodo.com/how-to-stop-pirate-bay-and-other-sites-from-hijacking-y-1818549856

WELL NOW someone's upped the ante as there's a forum exploit making the rounds that injects this script into the forum templates. I've seen it on four forums so far, three of them running vbulletin and one running SMF... it seems to be a particularly nasty hack too.

Since these forums run Vbulletin it might be a good idea to keep an eye on things. For NOW it seems to be clean, but I'm running around warning people just in case.

AGAIN why I highly suggest running an adblocker like adblock plus, and a script blocker like Ghostery. For now neither recognizes it but I expect that to change quickly. With Adblock plus you can follow the instructions on gizmodo to block it, though frankly I would shorten it to block the whole domain, and not just the one script.

So if you're browsing a website and your CPU use spikes? This could be why. Just keep an eye out. FOR NOW it's not a massive problem, but this could escalate REALLY quickly.
 
Oddly, I've been having serious CPU usage from my bank's website which I've been meaning to investigate. I'll be surprised if that's what's happening, but we'll see.
 
Little update, if you have adblock plus installed it's simpler to block now. Someone's making a subscription list that will automatically add known coin miners. Just go to:

https://adblockplus.org/subscriptions

Scroll down to "nocoin" under miscellaneous, hit "subscribe" and it will plug the values into the filter list, hit add, and you're good to go on blocking all currently know coin mining scripts. The guy who made it says he's going to try to keep that list as up to date as possible so there's a easier way than trying to maintain a custom list yourself.

Malwarebytes has also added a warning pop-up when it detects one of these mining scripts being run and say they're making it a priority.

... and @ClassicHasClass, yeah... that.
 
KC9UDX said:
Oddly, I've been having serious CPU usage from my bank's website which I've been meaning to investigate. I'll be surprised if that's what's happening, but we'll see.
Click to expand...

I've been quiet for a couple months because I just spent time on a contract overseeing bailing a banking group (international company that owns MANY smaller banks) out of their CTO and VP of marketing screwing them over with artsy-fartsy style, no scripting off graceful degradation, and exactly this type of attempts at monetizing their bloody account interface.

Because nothing builds trust when viewing your account balances, setting up auto-payments, and performing direct transfers like third party adverts, six different tracking packages, and hosts of borderline malware scripting.

PARTICULARLY when as a BANK you're pretty much required by laws such as the US ADA, the UK EQA, and so forth to meet things like WCAG minimums. They were slapped with a hefty up-front fine AND a daily fine on top of that.

Then not even a DAY after getting them out of the courts, those same dipshits tried to put their scam artist bull BACK into the bloody system and their trying to stiff me on the bill... so now they've been slapped with ANOTHER set of fines and have me suing them for payment as well. JOY. THANKFULLY during such litigation there's a third party arbitrator who handles "yes, the site meets minimums" who said "yes, he did the job" -- which is why they're just as pissed as I am that NOT EVEN ONE DAY after the final case was dismissed, they undid everything that got them out of trouble.

DERP!!! Never trust a banker.
 
Well my "bank" isn't really a bank. It's a credit union, so the rules are a little different, and so are the employees and just about everything else.

I quit doing the "online banking" schtuff early this year and went back to using paper checks and the USPS. I do use the "bank" site for balance transfers between accounts. But if things get bad I don't really need to do that either, I live about mile from the credit union.

They did recently stop allowing me online access with their Android "app". It detects my rooted device and halts.
 
Yeah, I'm a firm believer in credit unions as well. Granted, it's inconvenient for it to be pretty much necessary to switch financial institutions when moving cross-country, but they're a lot less prone to pulling that kind of shit.

Though not from bad web design in general, sadly. That is a plague near-universal.
 
deathshadow said:
I've been quiet for a couple months because I just spent time on a contract overseeing bailing a banking group (international company that owns MANY smaller banks) out of their CTO and VP of marketing screwing them over with artsy-fartsy style, no scripting off graceful degradation, and exactly this type of attempts at monetizing their bloody account interface.

Because nothing builds trust when viewing your account balances, setting up auto-payments, and performing direct transfers like third party adverts, six different tracking packages, and hosts of borderline malware scripting.

PARTICULARLY when as a BANK you're pretty much required by laws such as the US ADA, the UK EQA, and so forth to meet things like WCAG minimums. They were slapped with a hefty up-front fine AND a daily fine on top of that.

Then not even a DAY after getting them out of the courts, those same dipshits tried to put their scam artist bull BACK into the bloody system and their trying to stiff me on the bill... so now they've been slapped with ANOTHER set of fines and have me suing them for payment as well. JOY. THANKFULLY during such litigation there's a third party arbitrator who handles "yes, the site meets minimums" who said "yes, he did the job" -- which is why they're just as pissed as I am that NOT EVEN ONE DAY after the final case was dismissed, they undid everything that got them out of trouble.

DERP!!! Never trust a banker.
Click to expand...

Any hint about which company? If the lawsuit is ongoing then I understand you not wanting to mention it.
 
You must log in or register to reply here.
Back
Top