Popular Chrome extension with over 105,000 users found secretly mining cryptocurrency
04 Jan
The year 2017 has been a watershed for cryptocurrency: its value, and the interest in and acceptance of it, continued to surge in recent months among both legitimate and nefarious actors. Looking to tap into the growing market, several websites have been caught hijacking users’ computer resources to secretly mine digital currency without their knowledge or permission.
Now, a popular Chrome extension with over 105,000 users has been found running the in-browser cryptocurrency miner Coinhive that covertly hijacks visitors’ CPU processing power to mine Monero.
According to Bleeping Computer, Archive Poster — an extension that allows Tumblr users to reblog or report from other websites — was found running Coinhive with a number of users reporting significant spikes in their CPU usage.
Extension users reported observing the change around the beginning of December and have bombarded the Chrome web store with bad reviews.
“Do not use this extension as it comes loaded with a cryptocurrency mining script. Once installed it makes requests to coinhive which eats up your CPU time and slows your computer down massively. Avoid,” one user wrote.
Essence Labs, the developer behind Archive Poster, confirmed the existence of the cryptominer but said the Chrome extension was hacked.
“An old team member who was responsible for updating the extension had his Google account compromised,” Essence Labs told PCMag. “Somehow the extension was hijacked to another Google account. In the meantime we have alerted the users to use a safe version of the extension on a different link.”
The developer has not provided any details on when or how the hack took place or who was responsible for it.
The discovery comes after numerous websites were found with hidden cryptomining programmes and scripts embedded, either intentionally or as the work of hackers. Over the past few months, The Pirate Bay, Showtime, Starbucks, Politifact and UFC’s website were found running cryptocurrency miners such as Coinhive without users’ express consent.
Security researcher Troy Mursch, who goes by @Bad_packets on Twitter, has been tracking the cryptojacking trend and also reported the cryptojacking malware found in Archive Poster. He recently reported that telecom firm Movistar’s official website was found hosting Coinhive as well.
Besides PCs and websites, hackers have also targeted Android apps and Facebook Messenger to generate cryptocurrency.
Security researchers say the surge in browser-based mining is linked to the launch of the easy-to-use Coinhive service and warned that a virtual currency “arms race” is brewing between cybercriminals and defenders.
Coinhive itself was targeted in October by hackers, who hijacked its server, tweaked its settings and briefly redirected generated cryptocurrency to a third-party server. The company has not disclosed how much revenue was lost in the attack.