Cryptomining Browser extensions - A malicious Open Source resource leech? Or another way to monetize off the internet?

in #teammalaysia7 years ago (edited)

open-pit-mining-261092_960_720.jpg

https://arstechnica.com/gadgets/2018/04/google-bans-cryptomining-chrome-extensions-because-they-refuse-to-play-by-the-rules/

This article piqued my interest since the Chrome browsers are somewhat the favorite of many users out there (including myself). This led me to start writing about this subject and have broken it down to various topics. Made references to several articles (some new, some old but relevant) which became the basis of the content on this space.

Open Source code

The premise is all too familiar. Google broke into the open source code/development space approx 13 years ago with Google Code. Over time, the community as a whole moved towards Github which was a website that was bootstrapped by a startup based in San Francisco that shares the same name.

Quite a number of people favored the democratized approach to software development that was offered by Github as opposed to the presumed need for control that Google had. Now, pretty much everyone hosts their open source projects on GitHub, including Google, Facebook, Twitter, and even Microsoft—once the bete noire of open source software.

Creativity blooms where there's no restraint...Rules and open source have always been two concepts that clash which is arguably what makes it such an interesting space. Throw in decentralized currency/or several into the mix, which would make things even more interesting.

Cryptocurrency mining via browsers

Ever since cryptocurrencies made its' debut, there has been numerous methods and software/hardware developments that have taken place with a goal to mine digital currencies(eg: ASIC, GPU Based Mining etc).
The one in question are mining browser extensions. Most of these extensions originated as open source projects
that eventually saw the light of day in the Chrome Web Store.

This started off as a premise of using untapped resources to create an alternative revenue stream for games or media sites, with the hope of reducing the need to rely on ads. It generally works by embedding a JavaScript component in a website that can leverage a visiting device's processing power to mine a cryptocurrency (usually Monero). Each visitor might only do a tiny bit of mining while they're there, but every user lending some hash power over time can generate real money. And users might not even notice what's happening. In theory, it can be a win-win. In reality, not as much.

Some of these extensions were knowingly/deliberately installed by the users with the intention of earning, testing or sometimes just out of pure curiosity. However, there has yet to be a stable version which would not significantly affect one's PC CPU/GPU performance to the point of noticeable degradation. Of course, one simply can just choose to uninstall such extensions and move on with life.

Cryptojacking

As cryptojacking has spread around the web—largely due to the original "in-browser miner," Coinhive, and its copycats have generally not lived up to those lofty goals.

What about the instances that end up on your PC unintentionally/unknowingly? What if you are a victim of Cryptojacking?
Don't panic!

Just head over to https://cryptojackingtest.com/.. With a single mouse click, you should be able to run a test to see if your browser has been compromised. This site is run by Opera (the first Browser company to implement anti-cryptojacking as a native function). However, do note that this test is primarily based on Coinhive and may not cover the entire spectrum of possibilities.

Browser Extensions

Most incidents occur on the Chrome browser and for as preventative measures you can opt for the following options:

i.) NoCoin Cryptojacking Blocker extension - https://github.com/keraf/NoCoin,

ii.) Minerblock - https://chrome.google.com/webstore/detail/minerblock/emikbbbebcdfohonlaifafnoanocnebl.

*Most Antivirus providers have solutions in place for these scenarios.

The following steps are best practices as well.

1.) Use a browser extension that protects against JavaScript mining scripts.
2.) Opt for the Opera browser with ad-blocking enabled. (Just a suggestion)
3.) Use a security software that protects against mining scripts.
4.) Install an anti-mining browser extension.
5.) Disable JavaScript on untrusted sites.

Script Blockers

The blockers focus on mining scripts. There are other excellent script blockers available for Chrome and other browsers.
uBlock Origin has an excellent array of script blocking lists.

Mozilla users might try NoScript.

As we have seen, cryptojacking isn’t an enormous problem — yet. But as more sites realize it is a potentially lucrative revenue stream there may
well be an uptick.

If you would like to delve a little deeper in this topic, you can head over to the article posted below.
https://www.csoonline.com/article/3253572/internet/what-is-cryptojacking-how-to-prevent-detect-and-recover-from-it.html

Javascript

Lots of fingers have been pointed at Javascript as being the core component in most of these cases..Do note that one doesn't necessarily require to install an extension to mine to allow cryptojacking to take place. All it takes is for one to just download a webpage in order for the scripts to run. A stream of high profile sites has fallen victim to being injected with mining javascript from coinhive.com. CBS’s showtime.com and cristianoronaldo.com are probably the two most notable cases to date.

The following website should give some further insight on this topic.

https://hackerbits.com/programming/cryptojacking-javascript/

The following page has a compilation of vulnerabilities specific to Javascript that could come in handy.

https://github.com/tunz/js-vuln-db

Conclusion

All is well if you are comfortable with the utilization of your PC resources for browser mining. However, should you be affected by this, then I hope that this post would help you out. Personally feel that this is a space which could overtake traditional online advertising.

What is your take on this?
Feel free to comment and provide input on this topic.

Credits

https://www.wired.com/story/cryptojacking-has-gotten-out-of-control/

https://www.wired.com/2015/03/github-conquered-google-microsoft-everyone-else/

https://arstechnica.com/information-technology/2017/11/sneakier-more-persistent-drive-by-cryptomining-comes-to-a-browser-near-you/

https://hackerbits.com/programming/what-is-cryptojacking/

#teammalaysia #blockchain #cryptocurrency #security #mining #bitcoin #monero

Till the next post..
RPM

Sort:  

Thanks for pointing out the potential pitfalls @raveen_p. In your experience, how much can one earn in a month if they particpate in browser mining?

@buzz.lightyear not a lot.. A single PC mining at 23 H/s you're going to end up with .07 XMR per year, or about $2.30/month.. This is data/price from approximately 3 months ago.

Coin Marketplace

STEEM 0.25
TRX 0.20
JST 0.036
BTC 96147.07
ETH 3525.13
USDT 1.00
SBD 3.45