For a few months now, we have been confronted with a new phenomenon: websites that mine cryptocurrency using JavaScript, and thus the processor of the person visiting the website.

As usual, the vendors of security products quickly jump on this bandwagon to sell their goods.

Since it is my job to keep our organisation informed of emerging security threats, I’ve also been trying to determine how much we should worry about this new trend.

To be honest, I’m not really sure…

My first reaction would be to call this, at the very least, electricity theft. The miner is using my CPU and thus my electricity to mine coins I don’t get to profit from. But then, on second thought, don’t ads consume power too? Especially if those ads contain video or animated GIFs? How do I benefit from those? By that measure, GeoCities could be classified as the most elaborate power stealing scheme ever 😉

A typical GeoCities experience…

The recent affair around Facebook and Cambridge Analytica has prompted me to do some deeper thinking. Given that people who make content available generally want something in return, which is worse, ads or currency mining?

In order to make sure ads are relevant to me, and therefore interesting for advertisers to pay for, I will be tracked and profiled, and data about me will be collected and likely sold. Additionally, those ads consume power on my machine and have been known to be a vehicle for malware delivery.

In order to mine currency, my browser will consume a little bit more power than with ads, but there is no need to profile me, or to collect or sell my data. Unfortunately, the currency miners have already developed some bad practices, including keeping the mining scripts running even after you stop visiting the site, and it’s not unthinkable that these mining scripts will at some point contain exploitable vulnerabilities that can be targeted against me.

OCT Metro station Shenzhen China a CC NC SA image by Chris

If the choice was black or white, I think I would prefer coin mining over advertising. However, one currently does not exclude the other. Coin mining scripts can be packed into ads, and sites using coin miners can still run ads, and vice versa.

Source: Blog Schuberg Philis