Security Bulletin: CoinHive Malware Exploit

There’s a chance you might have heard of CoinHive: the cryptocurrency mining software that runs in-browser, letting websites do double duty by harnessing the processing power of visitors’ computers. With the CoinHive script incorporated, sites don’t just act as a portal for customers; they also mine Monero, a cryptocurrency. CoinHive advocates say this revenue stream could replace some advertising revenue on sites, making for a more streamlined user experience.

Unfortunately, CoinHive has recently been used as an infection vector for malware, putting both the sites it works through and the users browsing them at risk.

Hackers were able to use login credentials leaked from Kickstarter in early 2014 to access CoinHive’s Cloudflare account. From there they could alter settings to replace the version of CoinHive running in innocent browser windows with an unauthorised copy that redirected all the coins mined to a single, criminal user.

This means neither the businesses nor CoinHive were benefiting from the mined currency, and users had software operating on their machines that they had not consented to. Browser-based coin mining is supposed to be a low-intensity, background process, but there is no guarantee illicit miners will maintain this: higher-intensity mining can affect your computer’s performance, and even damage your hardware if it’s not specifically set up for the complex calculations required.

CoinHive is assuring its users that the security loophole is now closed, and it will be recompensing affected sites for their lost mining time, but this highlights a security issue that’s applicable to everyone.

As well as targeting CoinHive centrally, hackers needed access to individual websites to add the new, corrupted script, which is why it’s important for people at every level to maintain good security. Not just big service hubs but individual webmasters too need to keep their borders secure, to prevent bad actors using their information and resources for illicit ends.

To avoid hackers getting access to your accounts, make sure you don’t duplicate your passwords: CoinHive had its software subverted because a three-year-old password on Kickstarter was identical to a contemporary one for an entirely different service.

Make sure you have different passwords for your different accounts: don’t secure your email with the same code as your bank account. If you share passwords between accounts, hackers only have to break the security on your least secure account to get access to everything.
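The reuse risk described above can be audited mechanically. The following is an added example, not part of the original bulletin: it groups accounts that share a password and lists which accounts become reachable once one service is breached. The vault entries, account labels, passwords and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample vault export: (account label, password). Not real credentials.
SAMPLE_VAULT = [
    ("kickstarter", "Tr0ub4dor&3"),
    ("cloudflare", "Tr0ub4dor&3"),
    ("email", "c0rrect-h0rse-battery"),
    ("bank", "c0rrect-h0rse-battery"),
    ("forum", "x9$Lq!v2RzP#"),
]


def reuse_groups(vault):
    """Return lists of accounts that share a password (groups of two or more)."""
    # Per-run random key: the fingerprints are only comparable inside this run,
    # so nothing derived from the passwords is worth keeping or leaking.
    key = secrets.token_bytes(32)
    groups = defaultdict(list)
    for account, password in vault:
        fingerprint = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        groups[fingerprint].append(account)
    return [sorted(accounts) for accounts in groups.values() if len(accounts) > 1]


def exposed_by_breach(vault, breached):
    """Map each non-breached account to the breached accounts whose password it shares."""
    exposed = {}
    for group in reuse_groups(vault):
        leaked = [account for account in group if account in breached]
        if not leaked:
            continue  # reuse exists, but none of these services is known to be breached
        for account in group:
            if account not in breached:
                exposed[account] = leaked
    return exposed


if __name__ == "__main__":
    for group in reuse_groups(SAMPLE_VAULT):
        print("shared password:", ", ".join(group))
    for account, sources in exposed_by_breach(SAMPLE_VAULT, {"kickstarter"}).items():
        print(f"{account}: change now, password leaked via {', '.join(sources)}")
```

Every group it reports is a password to replace with a unique one, starting with any account listed as exposed.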

If you need to keep track of lots of different logins (and in 2017, who doesn’t?) look into password management software, which can help make sure you don’t get locked out of anything, and lets you make even more complicated passwords, avoiding dictionary words and including more punctuation and numerals to make them even harder to hack.