Oh, JavaScript – You Devil!


I think we’ve blogged a few times now on the risks of JavaScript and the role it plays in browser-based cyber attacks. We’ve recently seen the details of the malvertising campaign against Pornhub visitors, where malicious adverts served through the site’s ad network redirected users to fake browser-update pages, the latest in a very long list of malvertising attacks.

The key point to highlight here is that JavaScript is the technology that makes this possible. The JavaScript delivered with the malicious advert redirects the visitor’s browser to an attacker-controlled site before the visitor has clicked anything. In short: executing untrusted JavaScript in your browser is a bad idea.

Innovative website owners and criminals alike have recently taken this to a whole new dimension, using JavaScript to mine the Monero cryptocurrency (not Bitcoin) in visitors’ browsers. A relatively new business, Coinhive, has launched a JavaScript Monero miner that enables website owners to monetise their visitor traffic in a new and very novel way. As more website owners struggle to make money from serving ads (mostly because more and more users run ad blockers), they need to find new ways to pay their bills. Enter Coinhive.


When a user visits a website running the Coinhive JavaScript miner, their CPU is used (stolen) without their consent. In the background the miner runs a Monero hashing loop, by default on every available core and at full load unless the site owner sets a throttle, and whatever it earns is paid out to the Coinhive account of the website you visited, not to you. Recent websites found serving the Coinhive JavaScript have included The Pirate Bay, CBS and even Cristiano Ronaldo’s website (see below). At least you are ad-free, although your compute power has just been taken without your consent.

[Screenshot: Cristiano Ronaldo’s website loading the Coinhive miner script]

This use of JavaScript is certainly an innovative way of paying the bills for a website; however, it highlights once again that JavaScript can be used in many good and bad ways over which visitors have little control. While legitimate websites may use it as a way to go ad-free, attackers are already injecting the Coinhive script into sites they have compromised, so the mining revenue flows to the attacker’s account rather than the site owner’s.

Sophisticated users can mitigate this risk with browser extensions such as MinerBlock and No Coin, which block known miner scripts, or NoScript, which blocks scripts altogether (assuming you know which domains to trust and which not to). But most users won’t notice, because they don’t read the page source and examine the JavaScript it loads (who does?), and will simply wonder why their machine is running so slowly.
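To show what “examining the JavaScript sources” actually involves, here is an added example, not MinerBlock’s, No Coin’s or Coinhive’s code, of a small static scanner that walks the script tags of an HTML document and reports mining indicators. The miner hostnames, the inline-API patterns, and the constructed sample page with its `SITE_KEY_PLACEHOLDER` are assumptions made for the example; the loader shape it looks for (`new CoinHive.Anonymous(siteKey, options)` followed by `.start()`) is the form Coinhive’s public loader snippet took.

```javascript
// Added example (not MinerBlock's or Coinhive's code): a static scanner for
// browser-mining indicators in an HTML document. The indicator lists are
// illustrative assumptions, not a complete blocklist.

// Known miner script hosts (assumption: short illustrative list).
const MINER_HOSTS = ["coinhive.com", "coin-hive.com", "authedmine.com"];

// Both must appear in one inline script to count as a Coinhive-style loader:
// construction of the miner object and a call to its start() method.
const INLINE_SIGNATURES = [/CoinHive\.(Anonymous|User)\s*\(/, /\.start\s*\(/];

// Pull external script URLs and inline script bodies out of the page.
function extractScripts(html) {
  const scripts = { external: [], inline: [] };
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) scripts.external.push(src[1]);
    else if (m[2].trim()) scripts.inline.push(m[2]);
  }
  return scripts;
}

// Resolve the hostname; protocol-relative URLs ("//coinhive.com/...") are
// common in loader snippets, so resolve against a dummy base.
function hostOf(url) {
  try {
    return new URL(url, "https://example.invalid/").hostname.toLowerCase();
  } catch (e) {
    return "";
  }
}

// Returns a list of {kind, detail} findings; an empty list means no match.
function findMinerIndicators(html) {
  const findings = [];
  const { external, inline } = extractScripts(html);

  for (const url of external) {
    const host = hostOf(url);
    if (MINER_HOSTS.some(h => host === h || host.endsWith("." + h))) {
      findings.push({ kind: "known-miner-host", detail: url });
    }
  }

  for (const body of inline) {
    if (INLINE_SIGNATURES.every(re => re.test(body))) {
      findings.push({ kind: "miner-loader-api", detail: body.trim().slice(0, 80) });
    }
    // Weaker behavioural hint: the hashing loop runs as WebAssembly inside a
    // Web Worker. Plenty of legitimate pages do this too, so it is a hint only.
    if (/WebAssembly/.test(body) && /new\s+Worker\s*\(/.test(body)) {
      findings.push({ kind: "wasm-worker-hint", detail: "WebAssembly + Worker in inline script" });
    }
  }
  return findings;
}

// Constructed sample page; SITE_KEY_PLACEHOLDER stands in for a real site key.
const SAMPLE_PAGE = `
<html><body>
<script src="https://cdn.example.invalid/jquery.js"></script>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', { throttle: 0.3 });
  miner.start();
</script>
</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(findMinerIndicators(SAMPLE_PAGE));
}
```

Run it with `node`; the constructed sample produces two findings, one for the miner host and one for the loader API. The caveat is the usual one for signature matching: a copy of the miner hosted on a fresh domain with a renamed API object passes silently, which is why the WebAssembly-plus-Worker check is included as a weaker behavioural signal. On a site you own, a Content-Security-Policy with a `script-src` allowlist stops an injected loader from a non-allowlisted domain from executing at all.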

The biggest issue remains that Secure Web Gateways can block known-bad domains but have no practical way to analyse what arbitrary JavaScript will do once it runs in the browser; a miner served from a fresh domain or wrapped in an obfuscated loader passes straight through. Visiting a website with your browser is all it takes for mining to start. JavaScript code execution represents the biggest risk in your browser today, and until we change this design, the attacks and novel ways of stealing compute power will only continue.

Isolation represents a different approach: the page’s JavaScript executes in a remote, disposable browser rather than on the user’s device, so users and businesses can protect their users, their information and, now added to the list, their compute power from attackers looking to monetise visitors.

For more information on how web isolation can prevent your computing power from being siphoned off to mine cryptocurrency, please review our data sheet.

Please visit the Menlo Security booth #18 at the FS-ISAC EMEA Summit, 30 October – 1 November, at the Etc. Venues County Hall in London.

Tags: javascript, cyber threats, coinhive, cyber attacks, isolation technology
