[Investigation] Business Owners Do Not Care about Mining Malware Until They Find It on Their Websites

Before we get straight to the point, let's refresh your memory just a bit.

Bitcoin mining is an energy-consuming process of introducing new bitcoins. You know that, right?

Anyone with the appropriate hardware and an Internet connection can participate in mining, and, in many cases, bitcoin mining is legal.

This is what mining farms look like. (Source: pixabay.com)

For example, in most of Western Europe, in countries such as Germany and the UK, cryptocurrencies have the status of "private money," so they are legal, but local laws may provide specific protections.

Despite this, there are people who use illegal methods for crypto mining. They may use malicious viruses to hijack users’ computers and then make their processors mine bitcoins. This can slow down computers while running up energy bills.

In particular, intruders may “infect” a corporate website with malware, which its owners may not even be aware of. For instance, hackers often infect e-commerce websites, as they regularly receive a lot of traffic.

We asked the owners of several online businesses whether they took any measures to protect their sites from mining software. In this article, we will share their opinion.

We also conducted an investigation with the help of Webspotter to look at the situation with miners and corporate sites from the inside, checking which of them may be infected.

Then, we contacted the owners of these sites and informed them that their websites might have been hacked. We will tell you about what happened next.

How Hackers Earn Money Using Corporate Websites

One of the most popular mining programs is a tool called Coinhive.

Coinhive is a digital service that provides cryptocurrency miners (crypto mining programs) that can be installed on websites that use JavaScript.

According to statistics from Germany’s RWTH Aachen University, Coinhive generates approximately $24,000 a week.

The JavaScript miner runs in the browsers of website visitors and mines coins on the Monero blockchain.

Monero differs from Bitcoin in that its transactions leave no traces, and there is no way for a third party to track Monero transactions between two members. Thus, Monero is a very appealing choice for hackers.

Initially, Coinhive was meant to be an alternative payment method for website visitors: visitors get free content and in return they allow site owners to mine coins and earn some money.

But today, hackers often use Coinhive as malware to hijack the browsers of website visitors and illegally enrich themselves.

How Business Owners Perceive Coinhive and Its Possible Risks

In practice, many business owners don’t take the dangers of mining programs seriously, so they don’t check their sites for malware.

Since E-commerce sites are often attacked and their owners may be familiar with miners, we decided to post the following question in dozens of E-commerce-related Facebook communities:

“Do any E-commerce owners here check their websites against Bitcoin mining malware (ex. Coinhive)?”

Here are some of the negative responses we received:
  • “Pretty sure that this is both managed and beyond store owner control.”
  • “I bet your hosting company would flag it if they found it.”
  • “I am building my first site now, so I have no experience with this problem.”
  • “We don't manage our own servers if that's what you mean :)”

Some people have never even heard of Coinhive.

On the other hand, some website owners strive to secure their sites and spend time and resources to avoid mining software.

Here are their opinions:
  • “Yeah, started doing that a few years ago. If you are only starting now, it's good that you are catching up.”
  • “I have my websites scanned for malware daily by WordFence.”
  • “I use Wordfence, Sucuri, and Shield for extra peace of mind.”
  • “Constantly checking. We're more of an agency, although we don't identify as a typical advertising group. We have a web application firewall and real-time scans of traffic to look for anything suspicious, and we also do "outside" scans to see what the world sees, which look for any client-side JavaScript that might be mining (or anything else malicious).”

Some respondents seriously care about their websites’ security.

As we see from the survey results, about half of the community do not seem to care about the risks of miners.

But what if some of the site owners found out that their site was already infected?

We decided to find some existing infected sites and contact their owners.

How We Tracked the Infected Websites

To track Coinhive, we used Webspotter, a tool that permits the analysis of sites to learn about the technologies they use.

In addition to popular technologies such as Magento and WordPress, Webspotter allows users to track down malicious and mining software.

So, first, we found all the sites that use Coinhive.

The number of sites using Coinhive has decreased slightly. At the time we gathered the data, it was 7,850.

Then we loaded a list of all the sites into Excel and analyzed them using the Ahrefs batch analysis feature. This step was necessary so that we could select reputable websites and rid our list of low-quality or malicious sites.

We uploaded the data in packs of 200 websites each. We sorted them by Domain Rank and kept only those sites with a Domain Rank of at least 50.

After that, we collected the several hundred sites that passed the test in an Excel file. Then we opened each site to check whether it was both a corporate site and active (many sites just didn’t open).

After that, we selected some working sites and sent emails, accompanied by LinkedIn and Facebook messages, to their owners.

How the Owners of the Infected Sites Reacted

We contacted 20 business owners and informed them that their sites might have been hacked.

We sent emails like this to the owners of sites with Coinhive installed.

Then we posted the same messages on the corporate Facebook pages of those companies.

We also sent messages to the site owners personally via LinkedIn.

What were the results?

At the time of this writing, a week after the messages were sent, none of the recipients has responded.

After a few days, we checked all these sites for malware again. We were surprised: half of the sites whose owners received our emails had silently gotten rid of Coinhive.

What You As a Website Owner Can Do to Avoid Mining Malware

You can check your website using programs like uBlock, which may detect miners.

For example, using uBlock, you just need to open the network request log and look through it.

If a site is infected with Coinhive, you may find it mentioned in the logs.

Of course, it's up to you to decide. But it won’t hurt to regularly monitor your site for miners since the safety of your business is at stake.