Sometimes called drive-by mining also a great name.

This is the idea that

we can trick someone instead of maybe putting a virus on their machine

I mean it might still be a virus, but we can trick them into mining some cryptocurrency for us.

And that way we make a profit

Think of it like an alternative in crime sensitive ransomware where you trying to get money off someone by taking control of their files.

We're now just trying to use some of their CPU power to earn us some money

Right, so theoretically they mine some coins for us. They send them to us and then we

We profit from those

So this all came about because a company called Coinhive decided that maybe instead of showing people adverts online

They could just use a little bit of their CPU to mine you cryptocurrency while they're browsing and that way they don't have to look

at adverts and you still get paid for your your website. Right now that

Actually is not a bad idea or in some sense

The idea would be but you go to let's say a newspaper and instead of seeing a load of banner ads

You see a little ticker that says you're mining some cryptocurrency while you're on this website

and you know

We're gonna make a small amount of money off this in exchange for you not having any ads and reading the news for free, right?

Okay, and I mean the amount of money you're gonna spend a couple of minutes reading an article

It's not very much right if you even if your CPUs on a hundred percent, this is JavaScript

So you you go to a website. It serves you a script which instructs your computer to start mining these coins

The problem is that it wasn't long before people thought well, we don't maybe we should just not ask permission, right? We should we should

Have them mine all the coins all the time. Right? And the other thing was that coin hive has a

Feature, which lets you only use let's say 60% of a CPU

So there's some overhead for Mouse

Events and things that are kind of important to keep the operating system running and of course

The malware programmers thought, well you know, 100%, right? So I've just got this web server set up on my machine

I've extended my classic blog. This is the world's best blog, of course, right?

It looks good and it's got good content on it [...] with a nice banner ad which also happens to mine me some Manero cryptocurrency.

Right so let's have a look, so you can see here

I've got my blog before it's got my comments and my cat pictures I had before and it's also got this lovely banner ad which

I made for my shop which is not a real shop. Don't send me any money.

You will also notice now if you look at my CPU monitor

Which I've also got running

It's sitting on 100% and if we leave it for a minute

We're going to start hearing my fan get louder and louder and louder because basically the entirety of my CPU is mining Monero cryptocurrency now.

I mean I didn't notice the mouse is still responding. I mean, you know it's a modern PC

But you know, you wouldn't necessarily know apart from the fact that your fan has spun up. Now, it's also not plugged in

So the battery is going to be draining pretty fast.

The good news is that this is already less common than it was just a few months ago because Chrome, Firefox

You know

Antivirus vendors and things like this are all cracking down on these kind of scripts. Now Coinhive as I pointed out,

Is actually a legitimate company. They weren't intending on people abusing this service

So they've now got an opt-in version where a little pop-up turns up and you can say I do opt-in for this time instead of

Ads or something like this, right that isn't blocked by browsers because that's a legitimate commercial

Alternative to ads but of course Coinhive aren't the only people that are making these, right?

So you're going to have clones you're going to have malware that does this and you can just imagine that instead of getting ransomware

You'll just get something like this and runs on your PC instead

And the same is true also for phones. So you might download an app, which seems too good to be true

Oh there's not even any adverts on this free game and maybe it's because it's using up extra of your CPU to mine

Crypto currency if you were doing this in Bitcoin, you wouldn't you wouldn't get a look-in. Essentially. I could mine with my CPU

Bitcoins, you know for hundreds of years and never get any, right? Because compared to the size of the Bitcoin network

We've all their dedicated hardware. My CPU is a nonentity essentially

Manero is slightly different Monero has a a

Hashing function, but it uses in the mining process

which is quite hard to do on a GPU and

So you get some but not a lot of benefit from having a dedicated rig, right? Two times, maybe.

Given the cost of a graphics card not very good

so actually you could have a lot of Android phones competing with big graphics cards in Monero specifically and

and

So in some sense there is a point to do it.

Now, that's one of the reasons it was designed this way to allow people on phones and things to mine.

But it has this benefit that or benefit depending on who you are that it's a good target for this kind of

malware, right? Because if you have a website where everyone is mining

Monero for you. It's not gonna make you a huge amount of money

but it'll make you some and Monero is one of these currencies that's a little bit hard to keep a track of and

So maybe you can get away of it

That's that's the idea.

My browser and my extensions block it, my antivirus on my machine blocks it, the university firewall blocks it.

So, I'm currently I have all of those disabled and I'm rooting through my 4G phone connection. It works fine at home

I know good or bad

So, you know, like I say, vendors of things like antivirus are taking a lot of steps to

To fix this. I'm gonna close this now because it's it's not that loud actually

Sean: It's basically the thing that says: "Many things for sale, buy now." That's got some JavaScript [...]

Mike: Well, yeah, I mean, this is just an image, but yeah ...

Just next to it is some script that does it. You could imagine that if I was running a like a newspaper

Website I'm being served ads by some ad company

All I have to do to get in there

Is pay some money to have an advert deployed which also happens to have this script. No one's going to go to my blog, right?

It's not online but also because no it's rubbish.

So what I if I was an attacker

It would be much smarter for me to try and take over a site

Where lots of people are going. This came into a news because in February 2018 an

Accessibility website that are just like screen reading and things like this was hacked and their JavaScript file had some

Monero mining code

Inserted into it and this website was serving JavaScript to about 4000 UK and US government websites among others

including the Information Commissioner's Office and various high-level government websites.

This meant that when you went on those web sites to let's say find out about something important

You were actually mining Monero for the attackers not ideal

Sean: Could you work out who did it?

Mike: Absolutely, well no all you can all you know is I mean assuming ...

Sean: the wallet

Mike: All you know is the address that the Monero is being mined to right and as usual

You've got the traceability issues of that. If they use that address to buy like pizza to their house

It might be slightly easier to find them. But if they try and hide it, it's gonna be harder

This is the code that was inserted into all these government websites. This is not my code.

My code is much simpler than this and it's also not obfuscated

So this has been encoded to try and make it harder for anti-viruses to find and then this is deobfuscated version

Which is essentially looking up the Coinhive JavaScript and then pointing it towards this address

Which you shouldn't mine Monero for because they're malware writers.

Sean: They weren't even writing their own JavaScript, they were using Coinhive's actual -- Mike: Yeah

Yeah, I mean, it's pretty lazy, really.

Yes, so I think now some are writing their own JavaScript or embedding it into Java apps or for Android phones and things like this

But yes, when Coinhive first came out. This wasn't I would say an unexpected side effect of their new idea.

Like I say they've kind of come up with a more legitimate way of doing this now and they have interesting things like

CAPTCHAs which do a little bit of hashing

as an alternative to pick these

Images that have road signs in, right? Just just do a little bit of CPU, which is interesting enough

But yeah

So I think going forward we're going to see fewer of these deployed in a browser

Unless they can find a way of getting around these new browser restrictions

But they might start to find their way into more actual malware, right? Maybe instead of encrypting everyone's files

you just take over their CPU for a while and

Make some money that way or do both at the same time. Both: Or do you buy for the same time?

Mike: Yeah, why not?

Sean: The free games thing is quite classic because I mean we're all used to just getting games for free and expecting you that purchases

Mike: Yeah, when you download an app, it's got free access to your CPU. It could do this

You'll know because your phone will get hot and your battery will go [... noise of draining battery ...] like this

But that happens with some games that are poorly written anyway, so how do we know that? You've got a hope?

I suppose that there's some vetting process on the apps, which might hopefully detect this kind of stuff

But it's not always going to be easy to find

And so you can expect a few of these to pop up from time to time

We're going to say "document.write('')"

Okay, now that's it's going to write nothing to the screen, right?

So my comment on my blog, it's just going to be a script that does nothing. Okay, that's not very interesting

So let's do something a bit more interesting our PHP file takes the cooking gives an image back

So let's just show it on the screen, right? So image tag in HTML. is the image tag ...