Domain siblings and contents of the second JavaScript file
In my previous post, we saw that someone is apparently injecting Monero-harvesting code into what appear to be compromised websites. One method was to inject an invisible frame with a page that contained a script calling https://coin-hive.com/lib/coinhive.min.js, which is the Coinhive JavaScript Monero miner. Another method, present on the same page (presumably in case the browser used didn't support frames), was to directly call a JavaScript file from a different site. The contents of this JavaScript file are an array of numbers, followed by a loop. This code extracts ASCII codes from the string of numbers, revealing obfuscated HTML. The result calls the same Coinhive miner, but also another script that appears to create a bunch of ads. I'll run that on a victim machine and post the output later. In the meantime, both methods used the same Coinhive script with the same unique site ID. This ID is to identify what account gets credited with the site owner's share of ...
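The "array of numbers plus a loop" obfuscation described above can be decoded statically, without ever running the dropper. The following is an added example, not code from the original post; the payload, the placeholder hosts and the function names are constructed for illustration, and the script only decodes the hidden HTML and lists the script URLs it would have loaded, flagging any reference to the Coinhive library.

```javascript
// Added example: statically decode a char-code-array payload and report
// which script URLs the hidden HTML would load, without executing it.

// Constructed sample payload. Hosts are placeholders, not real sites.
const SAMPLE_PLAIN =
  '<script src="https://mining.example.invalid/lib/coinhive.min.js"></script>' +
  '<script src="https://ads.example.invalid/pop.js"></script>';
const SAMPLE_CODES = Array.from(SAMPLE_PLAIN, (c) => c.charCodeAt(0));

// Turn the numeric array back into text. A loop is used instead of
// String.fromCharCode(...codes) so very large arrays do not hit the
// argument-count limit. Anything that is not a valid char code is rejected.
function decodeCharCodes(codes) {
  let out = '';
  for (const n of codes) {
    if (!Number.isInteger(n) || n < 0 || n > 0xffff) {
      throw new RangeError(`not a char code: ${n}`);
    }
    out += String.fromCharCode(n);
  }
  return out;
}

// Pull src= values out of <script> tags with a regex. This is triage of a
// decoded fragment, so the HTML never reaches a DOM parser or a browser.
function extractScriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Decode, enumerate loaded scripts, and flag the Coinhive miner library.
function analyzePayload(codes) {
  const html = decodeCharCodes(codes);
  const sources = extractScriptSources(html);
  const minerRefs = sources.filter((s) => /coinhive\.min\.js/i.test(s));
  return { html, sources, minerRefs, loadsMiner: minerRefs.length > 0 };
}

const report = analyzePayload(SAMPLE_CODES);
console.log(JSON.stringify(report, null, 2));
```

To triage a real sample, paste its numeric array in place of SAMPLE_CODES; the decoder makes no assumptions about the payload beyond the plain char-code encoding the post describes, so a loop that also applies an offset or XOR would need that step added first.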