It has been a while since cryptojacking made media headlines. This nefarious activity allows criminals to exploit website visitors’ computing resources to mine cryptocurrencies without consent. A new report by Troy Mursch suggests Coinhive’s code is active on close to 400 websites. In most cases, this code was injected by criminals, rather than by the site owners.

Cryptojacking Remains a big Problem

Anyone who has paid attention to developments in the cryptocurrency industry this past year will have come across the term cryptojacking. Originally referred to as “in-browser mining”, the concept has quickly become a favorite tool among criminals. By injecting mining code into popular websites, criminals can passively earn cryptocurrency revenue by hijacking the computing resources of anyone visiting the infected website.

While there are legitimate use cases for this activity, they are apparently dwarfed by malicious projects. Researcher Troy Mursch recently unveiled a new report documenting the cryptojacking trend. It paints a very troublesome picture, as the Coinhive in-browser mining code is used on almost 400 major websites without user consent. This list includes the San Diego Zoo, Lenovo, and quite a few other popular sites. Unsurprisingly, it also includes websites related to the US government.

Although these findings do not come as a real surprise, they point to a big problem which will need to be addressed. Since so many sites host the Coinhive mining script without even knowing it, they all seemingly suffer from lackluster website security in general. It takes a bit of effort for criminals to exploit existing websites and inject code to mine cryptocurrencies specifically. Why these particular sites were vulnerable in the first place remains unknown.

The report described an attack using an outdated version of Drupal as follows:

Digging a little deeper into the cryptojacking campaign, I found in both cases that Coinhive was injected via the same method. The malicious code was contained in the “/misc/jquery.once.js?v=1.2” JavaScript library. Soon thereafter, I was notified of additional compromised sites using a different payload. However, all the infected sites pointed to the same domain using the same Coinhive site key.

As one would expect, a lot of the vulnerable websites are hosted by the same provider – Amazon – and they are located in the US. This suggests that Amazon’s users do not necessarily update all of the software running on those servers manually, which opens the door for criminals to take advantage of these issues.

For those who are unaware, the Coinhive mining script is used to mine the Monero cryptocurrency. Due to this currency’s anonymity, it is quickly gaining traction among people who don’t want their transactions to be tracked on a blockchain. It is unclear how much XMR has been generated through these cryptojacking efforts, but rest assured a fair amount of money is being generated from these sites.