Monday, October 16th 2017
Politifact Sees Unsactioned Introduction of Web Miner, Vows to Investigate
This here is an issue that this editor has been fearing for a while, and that we here at TPU have called our users' attention to in the past. It's bad enough when websites willingly implement web mining scripts absent of users' consent or simple knowledge. Opt-in mining as a contribution to a website's revenue would be the best way to go around the issue; however, absent that, a simple opt-out capability wouldn't be much worse. But if stealth usage of a site viewers' computing resources is bad, what then can be said when the site managers themselves are unaware of the implementation of a web miner?
This is what happened with Politifact, the US politics fact-checking website, which is but one of hundreds of the world's top traffic websites that have seen the stealth introduction of these web mining scripts - against the will of the site managers. In the meantime, Politifact has brought down the offending code and has vowed to investigate, but this opens up Pandora's box, really. Generally speaking, these JavaScript apps are running code hosted on another server that the end user - and sometimes even the site hosts - can't inspect or don't expect to have to inspect. And this is easier to do than one would imagine; there's a lack of protection against JavaScript routines like this one. And where there's potential for profit, there's abuse; and that's what we're seeing. It also doesn't help that injecting the necessary JavaScript into the front page of a website is much easier than a full blown hack into a website's databases; and once the code has been shoehorned into a website's code, it runs itself, hijacking users' CPU cycles and putting the resulting Monero coins into a designated wallet.
Ad-blocker company AdGuard has released a blog post in which they presented some results on the state of web mining; in it, the company found that 220 websites launch mining algorithms when a user opens their main page - and these aren't your end of the Internet websites. These are estimated to boast of an aggregated audience of 500 million people from all over the globe - the Internet is mostly borderless, for everything that's positive about that - and negative. And this has happened in barely more than a month - Coinhive started offering their "mining as a service" code just a month ago, in the 14th of September. AdGuard estimates that these 220 sites' joint profit currently stands at over US $43,000. Those aren't millions - yet. But keep in mind this is money that has been made in three weeks at almost zero cost.
As we've mentioned before, if you want to be protected from such shenanigans, use an adblocker. These usually get the job done in blocking those extraneous bits of code, and will generally be enough to block this kind of scripts. uBlock Origin, AdBlock, AdGuard, or even some mining-specific blockers like AntiMine, NoCoin, and others. The choice is yours. Web based mining, however, is increasingly looking to be a dark cloud for users' rights on the Internet, and while the problem is a mere smoke column on the grand scheme of things right now, expect this trend to spread like wildfire.
Sources:
Tech Crunch, Ad Guard
This is what happened with Politifact, the US politics fact-checking website, which is but one of hundreds of the world's top traffic websites that have seen the stealth introduction of these web mining scripts - against the will of the site managers. In the meantime, Politifact has brought down the offending code and has vowed to investigate, but this opens up Pandora's box, really. Generally speaking, these JavaScript apps are running code hosted on another server that the end user - and sometimes even the site hosts - can't inspect or don't expect to have to inspect. And this is easier to do than one would imagine; there's a lack of protection against JavaScript routines like this one. And where there's potential for profit, there's abuse; and that's what we're seeing. It also doesn't help that injecting the necessary JavaScript into the front page of a website is much easier than a full blown hack into a website's databases; and once the code has been shoehorned into a website's code, it runs itself, hijacking users' CPU cycles and putting the resulting Monero coins into a designated wallet.
18 Comments on Politifact Sees Unsactioned Introduction of Web Miner, Vows to Investigate
Pirate Bay Mines Coins in Your Browser - Revenue Model of the Future?
:shadedshu::shadedshu::shadedshu::shadedshu::shadedshu:
Here's your problem. The ones who are responsible who create websites for these platforms, do not even fairly audit their code, do not even know what the hell they are doing sometimes. You might wonder why certain websites are being defaced or in this case, hacked and altered JS code, but it's simply due the fact that google is your biggest friend seeking vulnerable websites.
Websites these days are being clicked together rather then actually being custom work for the client. Yes clicking is far more easy, but here's where your culprit is. The unauditted code, the risk of being hacked, and the risk of infecting all your visitors with either malware or some bogus JS.
Now you got half the world going for an adblock, making revenue on a genuine website even more harder. I've used to crack websites in the past. These where usually your triple x websites where i'd create a login for you for 5$.
I've learned alot about defacing, hacking, cracking and all. This is simply hackers targetting big websites with a huge amount of traffic where these things would profit at maximum level. The fault is actually behind the people who build/maintain that website.
I've used to start with shared hosting very long time ago but after a clusterfuck of fails i decided to take measures into own hands. The problem esp. with cheap hosting is that often issues like other users who mess up their website(s), IP's being blacklisted into RBL lists, google that does'nt trust your neighborhood that much, downtime(s) unannounced often or maintaince for no reason etc etc.
I've came a long way from working in hosting business as well. Both web & gaming servers basicly. My task was to maintain a half rack full of linux server(s) and one simple Windows machine. I just want to do what i do best and that is work on the technical things, not worry about updates, or grab for a manual when things go wrong.
That's what i pay people for.
I'm dropping this here as I don't really understand the logic of that at all.