SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 79: Cryptocurrency and Your Web Browser

Posted on March 8, 2018

Last year, we visited the subject of Bitcoin and the technology behind it, the blockchain, in Episode 59 of The Checklist. In just a few short months since that episode, the price of one Bitcoin exploded, hundreds of new cryptocurrencies appeared, and company after company seems to be jumping on the bandwagon. By the way—you’re now listening to The Blockchain Checklist by SecureMac!

We’re only kidding — but blockchain and cryptocurrency are a bigger deal than ever before, and while it may excite investors, these technologies are also beginning to have a bigger impact on the average user; not always for the better, either. It started when we began seeing advertising networks infected with malware that used CPU power from visiting users to mine cryptocurrencies. Now, this practice is going mainstream, with some websites considering replacing ads with crypto mining!

On today’s Checklist, we’re running down what you need to know about the relationship between cryptocurrency and your web browser. We’ll look at:

  • The basics behind what’s going on
  • What are the potential benefits?
  • Crypto mining gone wrong: the role of malware
  • What you can do to prevent mining on your Mac
  • Is this the way of the future?

The basics behind what’s going on

What does it mean for a website, whether with malicious intent or not, to “mine cryptocurrency” using your computer? If you ever wanted to feel like you were “living in the future,” this might be one of the things to make you feel that way — it’s certainly stuff that sounds like it came from science fiction. We know that cryptocurrencies are a form of digital money, though these days most crypto is treated more like an investment vehicle than as a currency you’re meant to spend on tangible goods and services. Crypto “coins” have value for the same reason “real” money does, which is because many people agree it is valuable. There’s more to it than that, of course, but that’s another can of worms for someone with an economics podcast to unpack.

Cryptocurrency works by solving complex math problems with a computer to validate transactions or create new coins. When a computer performs cryptocurrency mining, for example, one function it may perform is to generate a digital key to complete a transfer of cryptocurrency from one user to another. As a reward for performing this vital function, the miner receives a portion of the currency themselves. This is a concept central to the entire operation. Combine that with the blockchain, which is like a big digital record book of all the completed transactions, and you have the essence of cryptocurrency.

Some cryptocurrencies, such as Bitcoin, require heavy-duty resources and lots of computational time to validate transactions and mine new coins. Others have been designed to be zippier, with bigger transactional “blocks” and more streamlined mining algorithms. It’s this latter category, in which currencies such as Monero exist that we’re most concerned with today. As cryptocoins become more valuable and demand rises from those with “real” money to purchase the coins, both the bad guys and the good guys have recognized an opportunity.

Think about your computer for a moment. What is it working on right now? If all you’re doing is listening to this podcast, without running much software or anything intensive in the background, chances are the answer is “not much at all.” In other words, your computer has a lot of idle resources. Since your CPU can juggle tons of tasks at once, it’s not often that it’s running at full capacity. That’s usually only the case when you’re doing something complicated, such as rendering video or a 3D animation. With all that extra CPU power laying around, that means a lot of potential time that could be spent mining cryptocurrency. Now, here’s where your web browser comes into the picture.

By embedding special code into a website or an advertisement served on a page, third parties can tell your computer to start mining crypto with those idle resources. In a malicious context, that might mean turning the dial to 11 and using as much power as the program can find available. For others, such as legitimate websites looking to replace ads, it often comes with a built-in limiter designed to prevent the mining from causing a noticeable slowdown.

This mining could happen through an exploit in the browser or by using more legitimate methods. In either case, you won’t see any personal benefit from contributing your computer’s calculations to someone else’s mining effort. Whatever currency the operation generates goes to the person operating the website or the malware that runs the miner. In the case of Monero, the transaction record is anonymous, so it’s impossible to tell exactly who the funds are headed towards.

Although we’ve seen crypto miners in the undercurrent of security news for the past year or two, it is only in the last few months that we’ve begun to see a massive spike in the number of stories about it hitting the news. Government sites have been hacked to mine crypto, and even the cloud servers of businesses such as the electric car company Tesla have had their resources used to create digital wealth for other people. At the same time, online publications like Salon have begun trial efforts to allow users to voluntarily mine crypto in exchange for no longer seeing ads. Is this a good thing?

What are the potential benefits?

We’ll touch on the downsides and the ways the bad guys use this technology in a moment, but for now, let’s focus on the trickier question. Is it really okay for another website to use your computer’s resources (and by extension, the electricity you pay for) to generate cryptocurrency for the operator? It’s a tough question, and unfortunately not one that has any easy answers. We can start by considering sites like Salon and the way they’ve chosen to embrace the technology as an alternative to ads.

So far, it looks like Salon is the only major site to push forward with an attempt to require user permission before running a miner. Many of us use something like AdBlock due to the frustrating state of web ads, not to mention the risk of malvertising. As a result, some sites have seen their ad revenues decline. While businesses may choose to offer a subscription model that provides ad-free content, Salon has opted to give users three options: turn your ad blocker off, allow the site to use your “spare” CPU resources to mine currency, or to proceed as normal. It doesn’t take a giant leap of the imagination to think of a time in the future when that third option is no longer on the list.

On the one hand, though, we have a clear and obvious benefit: a potentially simpler, more straightforward way to passively support a website you love, without the need to look at ads. From this perspective, it’s easy to see why Salon considered this a good idea. Not only is the value of cryptocoins overall on the rise right now, but users hate ads, right? Thinking this way, it makes sense to ask users if they want to run a miner while they visit the site. As long as a visitor is fully informed about what’s going on, and so long as the miner is set up in such a way to avoid over-taxing a visiting user’s machine, it might not seem like there is any problem. After all, the user consented, right?

That may be so, but we also know that many of the people browsing the web aren’t always the most tech-savvy individuals. Do you think your grandparents will have a good sense of what such a disclaimer means right off the bat? On top of that, it is possible that such a route might not be optional in the future. One can imagine a world in which miners replace ads in a widespread manner, and it becomes normalized to the point that we just accept these scripts instead of looking at ads. Again, to play devil’s advocate, that might not be all bad — it would indeed remove the overall threat of malvertising from play. You can’t infect users through ads if there aren’t any on the site at all, of course.

However, there are some definite downsides. To start with, allowing third party websites to run code on your computer doesn’t seem like a good precedent to set. What if a hacker finds a way to exploit the methods used by the website? What if instead of mining crypto, they find a way to dump malware onto your machine through this route? This is no different than installing software from an unknown source, which we’ve warned against many times before.There are risks to consider.

It is also worth asking yourself if you really want to potentially enrich another website this way. Idle CPU cycles don’t appear out of thin air, and those calculations aren’t free — you’re paying for the electricity it uses up in the process. While a less-aggressive miner might not cause a big uptick in your consumption, it is easy to drive up your computer’s power usage with this software. When you look at an ad on a website, it’s no more taxing to your CPU than loading the webpage. A miner that runs continuously as long as the site is open means you’re more likely paying for the site’s operation, even if indirectly.

It’s one thing if sites want to ask for permission to use your idle resources, but it’s another when a business doesn’t even ask first. Some companies have already suffered from malware infections that let web miners run on their sites, as was the case when users recently detected miners running on infected YouTube ads. Starbucks in Argentina, for example, was mining Monero through the company’s customer rewards website. Popular file-sharing site The Pirate Bay also dabbled with undisclosed Monero miners until a backlash put the practice to rest. These are far from the only examples of entities pursuing cryptocurrency gains under the table.

Crypto mining gone wrong: the role of malware

In some cases, we don’t need to wrangle with the complexity that surrounds ads on the web and the ethics of using your computer itself to make someone else money. Sometimes, it’s just plain wrong — and we’ve seen plenty of instances where the bad guys have looked for ways to deploy crypto miners, both through standalone malware and by infecting websites and advertising servers. In fact, we could see this form of malware come to replace the widespread usage of ransomware quickly.

You need to hit a lot of users far and wide to make money with ransomware, but crypto miners, which one can disguise and hide, can provide a reliable source of revenue—especially if you can get them running on tens of thousands of machines at once! Like with a lot of the hacking for financial gain we’ve discussed on this show, it all comes down to a numbers game. One or two users won’t make you rich, but ramp up the numbers and you multiply the profit exponentially. With that said, let’s discuss a couple of the other big events recently where we’ve seen web browsers hijacked for mining activity.

To make this happen, bad guys aren’t usually creating their own crypto miners from scratch. Both legitimate sites and illegitimate malvertising miners tend to use the same service today, called Coinhive. This lightweight Monero miner makes it easy to run the miner’s code in the background silently. When you open a tab with a website running Coinhive JavaScript, your CPU starts running the script and mining. When you close the tab, it goes away — so at least in these cases there is no actual infection happening.

The Los Angeles Times was breached just recently thanks to a misconfigured web server. Hackers could gain read-write privileges on the server, which they then used to inject the Coinhive script into specific pages on the LA Times website. Since Coinhive is highly configurable, the attackers took advantage of that fact and set the script to run at a low-level intensity. While some of these efforts simply max out the script’s capabilities, hoping to hit hard and fast while they have access to a user CPU, this time things proceeded at a slower pace. Experts speculate that the miner could run for several weeks without detection in that scenario.

Across the pond, the UK’s National Health Service and the Information Commissioner’s Office websites were both struck by Coinhive mining. In this case, the bad guys took advantage of some accessibility software called Browsealoud. Meant to help visually impaired visitors by reading off the text on a page, an exploitable vulnerability allowed it to inject the mining script. Overall, more than four thousand websites ended up affected by this vulnerability. This isn’t an unusual story, either. In recent months, untold numbers of sites have experienced brief or prolonged problems with Coinhive scripts and other mining efforts. Browser extensions have been hit too.

Sometimes they’ll even go outside your web browser — we’re hearing more reports of Internet of Things devices compromised to run miners. Enterprise-level attacks on businesses seek to deploy the same type of software across many computers in the same office to ramp up the amount of mined currency. It didn’t take long into 2018 for us to see the birth of the next fad among the black hat hackers out there.

Of course, malware aside, there’s always the fact that anything like this is going to have the potential to slow down your computer. Just think about the role that too many tracking cookies can play in bogging down your daily operations. By some accounts, too many cookies can slow down your web browsing experience by almost half. If you’re the type of person who keeps many tabs open at once, imagine the impact on your machine if two or three or more of those tabs were running crypto scripts. Before long, the computer could be at an absolute standstill — and that could be the case with both legitimate or illegitimate mining efforts. With cookies, you can use software to clear out all the junk you don’t need, but what can you do about sites that might not give you a choice before using your processor?

What you can do to prevent mining on your Mac

So, in hearing all this, is your first thought just “I don’t want anything to do with any of this”? Don’t worry: you’re not alone, and it’s an entirely reasonable thought. Whether more sites roll out Salon-style ad replacements or if the hackers continue to breach sites to run mining software, it’s ultimately your right to decide how your computer’s resources get used. So, what do you need to do to make sure that you’ve minimized your risk of exposure and don’t have to worry too much going forward?

First, use a reliable ad blocker if you aren’t already. So far, the major players such as AdBlock and uBlock Origin don’t yet automatically block mining scripts. However, users have put together custom filter lists that you can use to tweak your installation so that you can prevent the scripts from running in the first place. It’s easy to set up and a good way to guarantee that you can avoid running into the most common miners in use around the web. Since a lot of the “attack” style injections occur through compromised ads, it’s a safe bet that by blocking ads in general you can reduce your exposure to this threat. You can also set up filters to specifically block the Coinhive domain for an added layer of safety.

If you don’t already, consider using an extension such as NoScript for Firefox. Safari and Chrome have similar extensions. Their goal is to prevent unnecessary JavaScript and other code embedded in websites from running and slowing down your browser. While it can take some tweaking to figure out which sites you should allow certain scripts to run, overall this will make your web browsing experience much safer. It’s worth considering regardless of the miner threat.

Second, keep your security software up to date. Some, but not all, antivirus and anti-malware programs can detect when a miner is running on your machine. This malware could be standalone malware, or it could be something in your web browser. In either case, we’re likely to see more of these things cropping up throughout the year and going into the future. It’s always a good idea to keep your security programs updated, and this is no exception. As miners become more understood, we could start seeing more proactive blocking efforts on all fronts.

Finally, get in touch with what regular operations are like for your computer. The simplest way most people detect when a miner uses their resources comes from looking at the resource usage on your machine. Are things running a little slow? Try looking at your CPU usage statistics while browsing the web. Do you see a big spike when you’re on a particular page? Maybe instead you notice a massive drop-off when you close a tab. These are tell-tale signs that something on that site is causing your computer to work harder. It’s not always a miner at play, but these days it is more and more likely. When you notice a problem like this, you can try contacting the site administrator in case they’re unaware, like the LA Times was. You can also set up stricter filtering or avoid the site altogether.

Is this the way of the future?

There’s two sides to this coin, one clearly bad and one more of a mixed bag — but in the “should we or shouldn’t we” debate, there’s also the question of the future to consider. How much should we expect this to become the norm? What factors could influence the way cryptocurrencies and their interactions with web browsers evolve over time? There are a few things that we can think about here.

The traditional model of advertising on the web has a real possibility of going the way of the dodo with the advent of cryptocurrencies. For both regular businesses and sites that have trouble attracting business from typical advertisers, this option provides a way to defray operating costs in a way that, ideally, doesn’t have much of a direct impact on end users. Adblockers have led to a decline in revenue in a broad manner across the web. So long as sites are on the lookout for ways to make money and stay in business, technologies like cryptocurrency will remain of interest. It’s hard to deny that a better way to support the web would be welcome, but as we’ve seen, this is a double-edged sword.

We also need to consider the potential future for cryptocurrency itself. We only really began to see these efforts take off in earnest around October of last year when Bitcoin went on a crazy run to hit nearly $20,000 per coin before sliding back down to around $10,000. Will it always be this way? Will Monero and other fast-mining coins always be worth enough to make these efforts a good idea? The volatility in the price of crypto coins, plus the uncertain future of regulation and legislation, means that it may not be here to stay. On the other hand, it could become enshrined as a legal way to generate revenue and transact business. There’s really no telling. If the crypto market collapses, though, sites won’t want to continue to rely on such a risky way of making money.

The association with malicious or underhanded efforts could be damaging, too. How can we tell the difference between helping a website stay in business and enriching some random hacker? What if sites decide not to inform users that they’re contributing to a mining effort? There are lots of issues to untangle here over the next months and years. For now, the best we can do is look at how to respond to concerns as the technology evolves.

With that, it’s time to draw this week’s discussion to a close. Where cryptocurrency will go from here is hard to predict. Will mining come to replace ads and transform the web as we know it, or is this a fad that we’ll look back on in a few years to laugh about? Only time will tell — but it’s worth adjusting your settings and keeping an eye out for slowdowns if you’re concerned about the impact on your machine. While there’s nothing inherently wrong with the practice, one thing is for sure: it can be tough to tell the difference between legitimate usage and malware.

If you’d like to check out our previous episode about blockchain technology, or if you just want to take a trip down memory lane to listen to some of our previous episodes, you can find them all right here in our archives alongside complete show notes. Got questions, comments, or ideas that you’d like to share with us? We’d love to hear from you — just email the team at


Join our mailing list for the latest security news and deals