Hackers covertly hide code on Politifact to hijack your PC, secretly mine cryptocurrencies
Cable giant Showtime was recently discovered to have been running code to mine cryptocurrencies as well.
Hackers have targeted popular fact-checking website Politifact by secretly inserting code for cryptomining software to hijack visitors' computers and mine digital currencies. Security researcher Troy Mursch discovered the issue when he noticed that visiting the website caused significant spikes in his CPU usage.
Reddit users also reported experiencing similar issues. The Register reported that the JavaScript on Politifact's website included a chunk of CoinHive miner code amid the regular scripts. The code allowed multiple versions of CoinHive to run simultaneously, which slowed down visitors' CPUs and generated Monero.
CoinHive has been used by some websites to generate digital currencies as an alternative to advertising. Experts have reported that the miner can be blocked via browser settings, script blocker add-ons or ad blockers.
Cable giant Showtime was recently discovered to have been running code to mine cryptocurrency as well; the code has since been deleted. Piracy site the Pirate Bay has also been using CoinHive as a new way to generate revenue and possibly do away with ads permanently.
Politifact told The Register that it was not aware of the mining software and is investigating the issue. Security expert Brian Krebs, who also confirmed the issue via Twitter, said the mining code has now been removed from the site.
According to popular ad blocker AdGuard, 220 sites with an aggregated audience of 500 million people were found to be running CoinHive code or another JavaScript-based cryptocurrency miner. The list of these sites primarily consisted of porn sites and torrent trackers.
"220 sites may not seem like a lot. But CoinHive was launched less than one month ago, on the 14th of September," AdGuard said. "The problem with in-browser mining is not that it's a bad thing by itself. There are no good and bad tools and technologies, but there are good and bad ways to use them."
The ad blocker firm said a website seeking to generate revenue via mining should, to be ethical, obtain users' permission and give them the option of opting out.
"Actually, such a practice could make mining even more ethical than ads. After all, nobody asks us if we would like to see ads on a website," AdGuard said. "Mining parasitises the user's CPU, where ads parasitise the user's attention, emotions, bandwidth, and often, their laptop or smartphone battery, and supports an industry of personal data harvesting that is a big headache in itself.
"The CoinHive team has issued a statement calling on website operators to inform their users about the mining operations and to ask for user permission to do this. However, we believe that it is very hard for them to force this recommendation into action; for example, they cannot forbid stealth mining."