Cryptomining remains a problem as new methods emerge that both evade detection and make mining easier, at the expense of system administrators, website owners, and their visitors.
Hackers are tricking website visitors into stealth crypto mining
This new technique is a twist on an old method: disguising a malicious website behind a URL shortener. The difference is that the goal is not to redirect the unsuspecting visitor to an infected web page or phishing page. Instead, this URL shortener was built by Coinhive to mine cryptocurrency using the CPU of the visitor's device whenever their browser loads it.
A website could use this as a new way to monetize traffic from their website visitors other than advertisements or requiring something like a paid membership.
Unfortunately, the URL shortener service is also being abused by a new obfuscated sample.
The URL shortener is loaded through an iFrame that is purposely set to a size of 1×1, meaning visually noticing it on a web page will be quite tricky. Furthermore, the usage of the cnhv[.]co shortened URL in an iFrame allows it to be automatically loaded alongside the rest of the web page instead of requiring the visitor to perform an action like clicking on a URL hyperlink, which is the expected use of the service.
Companies and individuals must take precautions against the growing phenomenon of crypto mining; at a minimum they should deploy a cybersecurity solution, such as an antivirus, to protect their systems. The basics include regularly updating operating systems and using an antivirus for Windows or an antivirus for Mac, depending on which OS your device runs. Companies must also hire professional cybersecurity firms to check their internal network a couple of times per year. These checkups must always include a penetration test and various ethical hacking tests.
The URL shortener allows the malicious user to adjust the number of hashes that the visitor's device must complete. This directly determines how long the device will spend computing crypto mining hashes on its CPU.
The miner script is not loaded directly from your website but through the cnhv[.]co website. This adds what could be viewed as an additional layer of ambiguity, which helps it evade detection because some major cybersecurity vendors do not list the domain as suspicious yet.
The iFrame pixel is aligned to the far left with the 1×1 size. The size hides the progress bar that is shown in the examples on Coinhive's website, so the unsuspecting visitor does not notice the mining.
The traditional problem that has impacted URL shorteners from their inception is the use of them by users to disguise malicious URLs. This increases the chance that an unsuspecting visitor will load the shortened URL as it wouldn’t look any different than other legitimately shortened URLs that are being used.
Some helpful online services can resolve this problem by showing the original URL that has been shortened. Unfortunately, these online services do not work with cnhv[.]co shortened URLs.
This means a victim's device could be unknowingly mining cryptocurrency simply by visiting a website with a cnhv[.]co iFrame injection.
Researchers have come across this injection on multiple websites and it looks like this number will continue to increase. There are over 100 websites currently indexed containing the same cnhv[.]co shortened URL in URL hexadecimal format.
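A check a site owner could run over their own pages for the injection described above, added here as an example and not taken from Coinhive or the researchers: it flags iframes whose decoded src points at the cnhv[.]co shortener or whose width and height attributes are 1 pixel or less. It assumes "URL hexadecimal format" means percent-encoding or hex HTML entities; the sample HTML, its short code and video.example are constructed, and sizes set through CSS are not inspected.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

SHORTENER = "cnhv.co"  # shortener domain named in the article (defanged there)

def _px(value):
    """Return a pixel count for '1' or '1px'; None for '100%', 'auto', missing."""
    value = (value or "").strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isascii() and value.isdigit() else None

class IframeAudit(HTMLParser):
    """Collects iframes that match either trait described in the article."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr = {k: v or "" for k, v in attrs}
        # HTMLParser already decodes &#x..; entities; unquote() undoes %xx.
        # Assumption: "URL hexadecimal format" refers to one of these encodings.
        src = unquote(attr.get("src", "")).strip()
        host = urlsplit(src if "//" in src else "//" + src).hostname or ""
        shortener = host == SHORTENER or host.endswith("." + SHORTENER)
        w, h = _px(attr.get("width")), _px(attr.get("height"))
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        if shortener or tiny:
            self.findings.append({"line": self.getpos()[0], "src": src,
                                  "shortener": shortener, "tiny": tiny})

def scan_html(html):
    """Return one finding per suspicious iframe in the given HTML text."""
    audit = IframeAudit()
    audit.feed(html)
    audit.close()
    return audit.findings

# Constructed sample: one ordinary embed, one percent-encoded 1x1 iframe.
SAMPLE = """<html><body>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="%68%74%74%70%73%3A%2F%2F%63%6E%68%76%2E%63%6F%2Fexample" width="1" height="1" align="left"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```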
While this is an exciting concept for alternative forms of website monetization, it, unfortunately, comes at the expense of system administrators, website owners, and their visitors.
Keep in mind that every device is a potential miner that must be protected by at least one cybersecurity solution, such as an antivirus. Depending on which OS your device is running, install an antivirus for Windows, an antivirus for Mac, or an antivirus for Android for total protection. Companies must take an extra step and hire a professional cybersecurity firm that will run various cybersecurity tests on the company's network in order to implement only the best possible cybersecurity solution. Always opt for a package that includes at least a penetration test and an ethical hacking test. For companies that exist 100% online, we recommend using cyber-secured web hosting services.