Two CBS Websites Contained Code to Mine Monero

It appears plenty of websites are experimenting with cryptocurrency mining scripts these days. Now that two sites operated by CBS’s Showtime video network have been identified as containing such scripts, it will be interesting to see how the public responds. Up until now, only niche sites had experimented with this concept, but Showtime is a different creature altogether. No one knows for sure how the code got onto these websites in the first place, though.

Showtime Website Mines Cryptocurrency

Over the past week and a half, there have been numerous stories involving websites which suddenly started using visitors’ computer resources to mine cryptocurrency. In nearly every case, the mining process involved Monero, the only anonymous cryptocurrency in the world today. Although one would need significant computing resources to mine even one XMR these days, running a script on a website can still be pretty lucrative overall.

It is a mystery as to why Showtime would embed such code on two of its websites, though. The JavaScript code was identified over the weekend, and no one knows for sure how it made its way onto the website to begin with. The code is the same as that found on Coinhive, and is quickly becoming one of the most-hated JavaScript code pieces in history right now.  What is even more peculiar is how CBS claims no one on their staff embedded the code into the website.

Indeed, CBS has no good reason to have done so whatsoever. While everyone who runs a website is always looking for new ways to increase overall revenue, hijacking computer resources is never the best option. Additionally, CBS has a reputation to uphold, and one that is certainly not worth damaging for a few XMR mined through a browser. This hints that someone else successfully embedded the code on Showtime.com and ShowtimeAnytime.com without the company’s knowledge, which could prove to be a major problem.

Moreover, Showtime is a paid service, which makes it even more unlikely that the Coinhive code was embedded in-house. Given the popularity of this platform globally, however, it is not entirely surprising that some nefarious individuals may have targeted these video-on-demand portals to embed JavaScript code capable of mining cryptocurrency. If someone effectively hacked the backend of both platforms, CBS will need to perform some proper security checks, to say the least.

One question currently being explored is whether the code in question was inserted using HTML tags related to web analytics provider New Relic. There is no reason to think this provider would purposefully let companies integrate a cryptocurrency mining scipt on its pages, but it shows that the potential attack vectors go well beyond the affected websites themselves. So far, New Relic claims to have had nothing to do with the code itself. Regardless of who is responsible, this sets a very intriguing and dangerous precedent.

It is not unlikely we will see more of these incidents moving forward. Mining cryptocurrency using someone else’s browser is anything but harmless; that much is evident. While it may not be the best way to earn money, it is still an attack vector a lot of criminals will continue to explore for quite some time to come. The code doesn’t stand out on a website either, which means it can remain in place for some time until users report an issue to the site owner.