It appears plenty of websites are experimenting with cryptocurrency mining scripts these days. Now that two sites operated by CBS’s Showtime video network have been identified as containing such scripts, it will be interesting to see how the public responds. Up until now, only niche sites had experimented with this concept, but Showtime is a different creature altogether. No one knows for sure how the code got onto these websites in the first place, though.
Showtime Website Mines Cryptocurrency
Over the past week and a half, there have been numerous stories involving websites which suddenly started using visitors’ computer resources to mine cryptocurrency. In nearly every case, the mining process involved Monero, the only anonymous cryptocurrency in the world today. Although one would need significant computing resources to mine even one XMR these days, running a script on a website can still be pretty lucrative overall.
Indeed, CBS has no good reason whatsoever to have added such a script itself. While everyone who runs a website is always looking for new ways to increase overall revenue, hijacking computer resources is never the best option. Additionally, CBS has a reputation to uphold, one that is certainly not worth damaging for a few XMR mined through a browser. This hints that someone else successfully embedded the code on Showtime.com and ShowtimeAnytime.com without the company’s knowledge, which could prove to be a major problem.
One question currently being explored is whether the code in question was inserted using HTML tags related to web analytics provider New Relic. There is no reason to think this provider would purposefully let companies integrate a cryptocurrency mining script on its pages, but it shows that the potential attack vectors go well beyond the affected websites themselves. So far, New Relic claims to have had nothing to do with the code itself. Regardless of who is responsible, this sets a very intriguing and dangerous precedent.
We will likely see more of these incidents going forward. Mining cryptocurrency using someone else’s browser is anything but harmless; that much is evident. While it may not be the best way to earn money, it is still an attack vector a lot of criminals will continue to explore for quite some time to come. The code doesn’t stand out on a website either, which means it can remain in place for some time until users report an issue to the site owner.