
Privacy Ninja

Coinhive Domain Repurposed To Warn Visitors Of Hacked Sites, Routers

After taking over the domains for the notorious Coinhive in-browser Monero mining service, a researcher is now displaying alerts on hacked websites that are still injecting the mining service’s JavaScript.

CoinHive was an in-browser cryptocurrency mining platform that allowed website owners to embed JavaScript code in their sites that mined Monero using a visitor’s browser and CPU. Any cryptocurrency mined on the site would then be shared between CoinHive and the website owner, with the owner receiving the larger share.

While Coinhive was used legitimately in a few cases, such as to raise money for charity, the majority of times, it was used to illegally mine cryptocurrency without a user’s permission.

It became so pervasive at its height that it was injected into over 200,000 routers, added to browser extensions, injected into Microsoft Store apps, and even injected on government sites through a JavaScript supply-chain attack.

While a research paper stated that CoinHive was generating $250,000 a month from its service, security companies increasingly began detecting and blocking it, making it less profitable as time went on.

Due to this loss of profitability and increasing difficulty in mining Monero, CoinHive shut down its operation on March 8th, 2019.

Two years later, CoinHive is still injected on sites

In a new blog post released today, Have I Been Pwned’s Troy Hunt revealed that he was given coinhive.com and other related domains for free as long as he would do something useful with them.

“In May 2020, I obtained both the primary coinhive.com domain and a few other ancillary ones related to the service, for example cnhv.co which was used for their link shortener (which also caused browsers to mine Monero).”

“I’m not sure how much the person who made these available to me wants to share so the only thing I’ll say for now is that they were provided to me for free to do something useful with,” Hunt explains in a blog post published today.

As these domains are hosted behind Cloudflare, Hunt has used Cloudflare’s built-in analytics to see that a tremendous number of visitors still attempt to load JavaScript from the CoinHive domains.

[Figure: Coinhive traffic volumes. Source: TroyHunt.com]

The top five countries pushing traffic to the CoinHive domains are China, Russia, United States, Georgia, and Vietnam.

[Figure: Geography of Coinhive-related traffic. Source: TroyHunt.com]

From the analysis of the sites referring traffic to the Coinhive domains, Hunt stated that CoinHive scripts are still injected mostly from websites in China and Russia.

It is also believed that a lot of this traffic could be caused by compromised MikroTik routers that continue to inject CoinHive scripts when users visit websites.

Putting the domains to good use

When Hunt originally received the domains, he was asked to put them to good use.

Today, Hunt revealed that he is now redirecting the coinhive.com domain to his new blog post about Coinhive at TroyHunt.com.

When people visit sites with injected Coinhive scripts, he pushes out his own JavaScript code that displays a modal dialog stating, “This web site attempted to run a cryptominer in your browser.”

The alert is a link that visitors can click to learn more about the CoinHive script injected on the website, as shown below.

[Figure: A website displaying the alert from Troy Hunt. Source: TroyHunt.com]

While Hunt uses the Coinhive domains for good purposes, such as warning a site’s visitors of the injected scripts, his use of the Coinhive domains illustrates how bad actors could use abandoned domains to inject scripts into unsuspecting visitors’ browsers.

“Oh – and while we’re here let’s just let that sink in for a moment: I can now run whatever JavaScript I want on a huge number of websites.”

“So, what could I do with JavaScript? I could change where forms post to, add a key logger, modify the DOM, make external requests, redirect to a malicious file and all sorts of other very nasty things.”

“That’s the power you hand over when you embed someone else’s JS in your own site and that’s precisely why we have subresource integrity,” warns Hunt.
