Problems? See this thread at archive.org.)
https://www.howtogeek.com/334018/how-to-block-cryptocurrency-miners-in-your-web-browser/
Option: Install the “No Coin” Browser Extension
John.
-
-
I've started using ScriptSafe v1.0.9.3 instead of NoScript, and ScriptSafe is supposed to catch and block the coin miner's already, but for fun I loaded MinerBlock 1.1.4 to see if it catches anything
And, I still use ublock Origin and Privacy Badger. Training ScriptSafe is easier(?) than NoScript, at least I like the ScriptSafe interface better.
There are two new extensions I haven't had a chance to play with much, uBlock Origin Extra - just loaded it - only applies to certain sites, and uMatrix a next generation NoScript/ScriptSafe, which I haven't tried yet.
How to stop sites from ‘borrowing’ your CPU to mine cryptocurrency
https://thenextweb.com/apps/2017/09/19/cpu-cryptocurrency-miner-blocker/Last edited: Jan 26, 2018 -
![[IMG]](images/storyImages/a0VGJ2j.jpg)
John.Raiderman, slimmolG, saturnotaku and 1 other person like this. -
scriptsafe only seems to include these coin mining domains in their filters:
coinhive.com
coin-hive.com
coinhive.com
coin-hive.com
*.coinhive.com
*.coin-hive.com
jsecoin.com
*.jsecoin.com
server.jsecoin.com
*.server.jsecoin.com
load.jsecoin.com
*.load.jsecoin.com
There may be more included, but these are the ones I got a warning from the app when I tried to add them to the user blacklist:
Some Domains Not Imported
The following domains were not imported as they are invalid (the others were successfully imported):
- coinhive.com (provider of unwanted content (see "Block Unwanted Content" and/or "Antisocial Mode")
- coin-hive.com (provider of unwanted content (see "Block Unwanted Content" and/or "Antisocial Mode")
- coinhive.com (provider of unwanted content (see "Block Unwanted Content" and/or "Antisocial Mode")
- coin-hive.com (provider of unwanted content (see "Block Unwanted Content" and/or "Antisocial Mode")
- *.coinhive.com (provider of unwanted content (see "Block Unwanted Content" and/or "Antisocial Mode")
- *.coin-hive.com (provider of unwanted content (see "Block Unwanted Content" and/or "Antisocial Mode")
- jsecoin.com (provider of unwanted content (see "Block Unwanted Content" and/or "Antisocial Mode")
- *.jsecoin.com (provider of unwanted content (see "Block Unwanted Content" and/or "Antisocial Mode")
- server.jsecoin.com (provider of unwanted content (see "Block Unwanted Content" and/or "Antisocial Mode")
- *.server.jsecoin.com (provider of unwanted content (see "Block Unwanted Content" and/or "Antisocial Mode")
- load.jsecoin.com (provider of unwanted content (see "Block Unwanted Content" and/or "Antisocial Mode")
- *.load.jsecoin.com (provider of unwanted content (see "Block Unwanted Content" and/or "Antisocial Mode")
static.reasedoper.pw
mataharirama.xyz
listat.biz
lmodr.biz
minecrunch.co
minemytraffic.com
crypto-loot.com
*.crypto-loot.com
*.2giga.link
ppoi.org
*.ppoi.org
coinerra.com
coin-have.com
kisshentai.net
miner.pr0gramm.com
kiwifarms.net
anime.reactor.cc
joyreactor.cc
kissdoujin.com
ppoi.org
minero.pw
coinnebula.com
*.coinnebula.com
*.afminer.com
*.coinblind.com
webmine.cz
monerominer.rocks
cdn.cloudcoins.co
coinlab.biz
papoto.com
cookiescript.info
*.cookiescript.info
cookiescriptcdn.pro
rocks.io
*.rocks.io
ad-miner.com
*.ad-miner.com
party-nngvitbizn.now.sh
cryptoloot.pro
*.host.d-ns.ga
*.host.d-ns.ga
*.host.d-ns.ga
baiduccdn1.com
jsccnn.com
jscdndel.com
mine.nahnoji.cz
*.goredirect.party
miner.pr0gramm.com
miner.cryptobara.com
digger.cryptobara.com
kickass.cd
*.morningdigit.com
And... another 3600 domains to block from coin-hive block:
https://github.com/Marfjeh/coinhive-block/blob/master/domains
If anyone has any additional domains to be blocked to avoid getting hit by browser mining please post them.
Last edited: Jan 26, 2018Dr. AMK likes this. -
-
Say no to extensions bro...
Here is my Ad Block Plus filters list...
![[IMG]](images/storyImages/ffff.png)
Where to add them from?
1) https://adblockplus.org/en/features#malware (to disable Tracking and Malware Domains)
2) https://facebook.adblockplus.me/en/ (to disable Facebook Ads and nuisances)
3) https://adblockplus.org/en/subscriptions (go there then use CTRL + F and type coin to find the No Coin Filter)
Be Smart....be like Phoenix...
![[IMG]](images/storyImages/tlmRgDI.gif)
-
-
The SafeScript app has "Privacy" blocking as well as lists, and enabling "Anti Social Mode" gets rid of all the "fluff" like Facebook, Twitter, etc etc etc etc.
Antisocial Mode: (Default: disabled; always remove social widgets/buttons, even if whitelisted)
For more comprehensive blocking, check out Privacy Badger, Disconnect, Blur, and/or uBlock Origin with all of the subscription lists on the Fanboy site)
And, that brings up how to block social stuff using uBlock Origin - use the Fanboy site lists.
Script Safe has a few settings pages, but in essence I enabled all the blocking available, and start by "Allow"ing new sites + Allow servers in that domain (1 at a time as they appear) + Clipboard + img / vid / functional as required for the site to work, and I am blocking a lot more stuff than before.
I also have Adblocker for Youtube (Chrome), catches stuff on YT best, and also blocked FB (until SafeScript took over FB / social widget blocking):
Adblock Plus is great, used it for a looong time, but uBlock and then uBlock Origin (original author) seems more efficient + it's easier to manage (barely, but better with log), ScriptSafe is way better to manage than NoScript and I am catching / blocking a lot more stuff with minimal tuning.
This site has the Fanboy lists Complete, broken up individual lists + Fanboy's Social Blocking List:
https://filterlists.com/Last edited: Jan 26, 2018Dr. AMK likes this. -
Now even YouTube serves ads with CPU-draining cryptocurrency miners
Ad campaign lets attackers profit while unwitting users watch videos.
DAN GOODIN - 1/26/2018, 11:27 AM
https://arstechnica.com/information...-ads-with-cpu-draining-cryptocurrency-miners/
"YouTube was recently caught displaying ads that covertly leach off visitors' CPUs and electricity to generate digital currency on behalf of anonymous attackers, it was widely reported.
Word of the abusive ads started no later than Tuesday, as people took to social media sites to complain their antivirus programs were detecting cryptocurrency mining code when they visited YouTube.
The warnings came even when people changed the browser they were using, and the warnings seemed to be limited to times when users were on YouTube.
Great now my browser everytime I watch youtube... my anti virus always blocking coinhive because malware . Idk much about it but this is getting annoying and I need a solution please T n T
— Arung (@ArungLaksmana) January 23, 2018
Hey @avast_antivirus seems that you are blocking crypto miners ( #coinhive) in @YouTube #ads
Thank you
https://t.co/p2JjwnQyxz
— Diego Betto (@diegobetto) January 25, 2018
Por lo visto @YouTube es muy gracioso y no le bastaba con bajarnos la audiencia, ahora van y nos meten el JavaScript de Coinhive para utilizar nuestros dispositivos para minar Monero! De verdad, @Google! Que leeches estáis haciendo con YouTube?? pic.twitter.com/NzMUMlArJs
— Ervo (@Mystic_Ervo) January 24, 2018
On Friday, researchers with antivirus provider Trend Micro said the ads helped drive a more than three-fold spike in Web miner detections. They said the attackers behind the ads were abusing Google's DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain.
The ads contain JavaScript that mines the digital coin known as Monero. In nine out of 10 cases, the ads will use publicly available JavaScript provided by Coinhive, a cryptocurrency-mining service that's controversial because it allows subscribers to profit by surreptitiously using other people's computers. The remaining 10 percent of the time, the YouTube ads use private mining JavaScript that saves the attackers the 30 percent cut Coinhive takes. Both scripts are programmed to consume 80 percent of a visitor's CPU, leaving just barely enough resources for it to function.
"YouTube was likely targeted because users are typically on the site for an extended period of time," independent security researcher Troy Mursch told Ars. "This is a prime target for cryptojacking malware, because the longer the users are mining for cryptocurrency the more money is made." Mursch said a campaign from September that used the Showtime website to deliver cryptocurrency-mining ads is another example of attackers targeting a video site.
To add insult to injury, the malicious JavaScript in at least some cases was accompanied by graphics that displayed ads for fake AV programs, which scam people out of money and often install malware when they are run.
The above ad was posted on Tuesday. Like the ads analyzed by Trend Micro and posted on social media, it mined Monero coins on behalf of someone with the Coinhive site key of "h7axC8ytzLJhIxxvIHMeC0Iw0SPoDwCK." It's not possible to know how many coins the user has generated so far. Trend Micro said the campaign started January 18. In an e-mail sent as this post was going live, a Google representative wrote:
Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.
It wasn't clear what the representative meant when saying the ads were blocked in less than two hours. Evidence supplied by Trend Micro and on social media showed various ads containing substantially the same JavaScript ran for as long as a week. The representative didn't respond to follow-up questions seeking a timeline of when the abusive ads started and ended.
As the problem of Web-based cryptomining has surged to almost epidemic proportions, a variety of AV programs have started warning of cryptocurrency-mining scripts hosted on websites and giving users the option of blocking the activity. While drive-by cryptocurrency mining is an abuse that drains visitors' electricity and computing resources, there's no indication that it installs ransomware or other types of malware, as long as people don't click on malicious downloads.
This post was updated to add comment from Google."
Cryptojacking craze that drains your CPU now done by 2,500 sites
Android apps with millions of Google Play downloads also crash the party.
DAN GOODIN - 11/8/2017, 10:45 AM
https://arstechnica.com/information...s-cpus-picks-up-steam-with-aid-of-2500-sites/
Enlarge / A music streaming site that participated in Coinhive crypto mining maxes out the visitor's CPU.
"A researcher has documented almost 2,500 sites that are actively running cryptocurrency mining code in the browsers of unsuspecting visitors, a finding that suggests the unethical and possibly illegal practice has only picked up steam since it came to light a few weeks ago.
Willem de Groot, an independent security researcher who reported the findings Tuesday, told Ars that he believes all of the 2,496 sites he tracked are running out-of-date software with known security vulnerabilities that have been exploited to give attackers control. Attackers, he said, then used their access to add code that surreptitiously harnesses the CPUs and electricity of visitors to generate the digital currency known as Monero. About 80 percent of those sites, he added, also contain other types of malware that can steal visitors' payment card details.
"Apparently, cyberthieves are squeezing every penny out of their confiscated assets," he said.
One of the affected sites is shop.subaru.com.au. When I visited the site on Tuesday, the fan on my MacBook Pro, which I hadn't heard in months, soon started whirring. The activity monitor showed that about 95 percent of the CPU load was being consumed.
As soon as I closed the site, the load dropped to about 9 percent. Besides putting a noticeable strain on my computer, the site also draws additional electricity from my office. The arrangement allows the attackers to reap the benefit of my hardware and electricity without providing anything to me in return. A recent report from security firm Trustwave's SpiderLabs estimated that the electricity cost for a single computer could range from about $2.90 to $5 per month, presumably if the cryptomining page was left open and running continuously over that time. The figure doesn't include the wear and tear on hardware as it performs complex mathematical problems required to generate the digital coins.
![[IMG]](images/storyImages/activity-monitor.png)
Activity monitor showing CPU load when visiting http://shop.subaru.com.au.
Thanks, Coinhive
The site that makes all of this possible is Coinhive.com, which Ars covered last week. It offers an easy-to-use programming interface that any website can use to turn visitors' computers into vehicles for generating—or in the parlance of cryptocurrency people, mining—Monero. Coinhive gives participating sites a tiny cut of the proceeds and pockets the rest. Coinhive doesn't require that sites provide any notice to users.
de Groot said that about 85 percent of the 2,496 sites he tracked are generating currency on behalf of just two Coinhive accounts. Depending on the total number of visitors, the amount of time they stay on an affected site, and the power of their computers, the revenue collected by those accounts could be considerable, as would be the total amount of additional charges those accounts made to visitors' electric bills.
The remaining 15 percent were spread over additional Coinhive accounts, but de Groot has evidence suggesting those accounts are controlled by a single individual or group. Most of the affected sites concealed the connection to Coinhive by adding a link to the domain siteverification.online or one masquerading as a Sucuri firewall. Those disguised sites, in turn, hosted the crypto-mining JavaScript that interacted with Coinhive.
de Groot's findings suggest that drive-by cryptomining has grown more widespread in the week since Ars first covered it or at least that the phenomenon shows no signs of abating. The earlier Ars article cited research from security firm Sucuri that found 500 sites running hacked versions of the WordPress content management system that were participating in the Coinhive mining. Ars also reported that two Android apps with as many as 50,000 downloads from Google Play had recently been caught putting cryptominers inside hidden browser windows. On Wednesday, researchers from Ixia reported finding two additional such apps with as many as 15 million downloadscombined. (In fairness, one of the apps informed users it would use their phone's idle time to generate coins and provided a way for that default setting to be turned off. The apps have since been modified to curtail the practice.)
There are other indications that the in-browser cryptomining racket is getting worse. In a report published Tuesday, endpoint security provider Malwarebytes said that on average it performs about 8 million blocks per day to unauthorized mining pages.
People who want to avoid these cryptojacking scams can use Malwarebytes or another antivirus program that blocks abusive pages, install this Chrome extension, or update their computer host file to block coinhive.com and other sites known to facilitate unauthorized mining. As the phenomenon continues to grow and attract copycat services, blocklists will likely have to be updated, requiring regular updates to blocklists as well.
YouTube Ads Infected by Cryptocurrency Malware
by PAUL WAGENSEIL Jan 29, 2018, 8:58 AM
https://www.tomsguide.com/us/youtube-mining-malware,news-26530.htmlLast edited: Jan 30, 2018Vasudev, inm8#2, Dr. AMK and 1 other person like this. -
Turns out, the malvertising that has miner code as payload is delivered through Google AdSense, among others, and has become automated to the point where Google is getting behind in catching them. That's why we are getting hit with coin mining now in Youtube, but it's happening anywhere that uses Google Adsense and other ad aggregators...
Crooks Created 28 Fake Ad Agencies to Disguise Massive Malvertising Campaign
By Catalin Cimpanu, January 26, 2018 12:10 PM
https://www.bleepingcomputer.com/ne...es-to-disguise-massive-malvertising-campaign/
"A group of cyber-criminals created 28 fake ad agencies and bought over 1 billion ad views in 2017, which they used to deliver malicious ads that redirected unsuspecting users to tech support scams or sneaky pages peddling malware-laden software updates or software installers.
The entire operation —codenamed Zirconium— appears to have started in February 2017, when the group started creating the fake ad agencies which later bought ad views from larger ad platforms.
These fake ad agencies each had individual websites and even LinkedIn profiles for their fake CEOs. Their sole purpose was to interface with larger advertising platforms, appearing as legitimate businesses.
How the operation worked
The image below describes how the group operated. The fake ad agencies would buy ads displayed on legitimate sites via these ad platforms.
These ads would allow the Zirconium group to run JavaScript code that executed a "forced redirect," effectively hijacking visitors off the original site to an intermediary domain. This intermediary domain would fingerprint and classify incoming traffic, then redirect the user to another domain, also operated by Zirconium.
Crooks would use this third domain as an affiliate traffic jump-off point, allowing others to buy the traffic they hijacked from legitimate sites.
In many cases, users were redirected to pages offering fake (malware-laced) Flash updates, websites offering (malware-infested) software installers, tech support scams, or other scareware pages.
Ad security company Confiant, the one who discovered this entire operation, says ads bought by this group reached 62% of ad-monetized websites on a weekly basis.
All in all, Confiant believes that about 2.5 million users who've encountered Zirconium's malicious ads were redirected to a malicious site, with 95% of the victims being based in the US.
Eight fake ad agencies still dormant
The entire operation flew under the radar for most of the time but became harder to ignore as it grew and researchers started to detect more and more aggressive user fingerprinting scripts.
Dangu says the group exclusively targeted desktop browsers, ignoring mobile traffic. The user's operating system did not count, the group going after Windows, Linux, Mac, or ChromeOS users alike.
The Confiant CTO also says Zirconium used only 20 of its 28 fake ad agency identities for this operation, and eight remained dormant earlier this week when Confiant published its Zirconium exposé.
Malvertising crews using fake ad companies may be a new concept for the casual infosec-passionate reader, but conversations this Bleeping Computer reporter had with industry experts last year revealed that most experts knew this was happening, but they hadn't managed to get all the details together to expose this growing trend.
Besides blowing the lid on this new tactic, Dangu also pointed out another interesting fact; that this malvertising campaign was nothing like previous operations, which mostly sent traffic to exploit kits.
Dangu believes that improved browser security features now make most exploit kits ineffective. In addition, the decision from most browser makers to change Flash into a disabled state or click-to-run policy have also contributed to the demise of classic malvertising+exploit kit campaigns.
Chrome 64, released earlier this week, blocks the forced redirect technique (also known as tab-under) used by the Zirconium group."
How to Block Cryptocurrency Miners in Your Web Browser
Discussion in 'Security and Anti-Virus Software' started by Tinderbox (UK), Nov 28, 2017.
