This marks a potentially significant tweak on the browser-based miner attack. Previously, preventing miners on sites could be shut down by simply closing the browser. By doing this, you were cutting off the power supply, so to speak, and stopping the miners from using your CPU.
The technique is built on a type of online advertising model call a ‘pop-under’. These are used to load hidden ads and to make sure the window is hard to close. They also sit behind the taskbar on Windows. This means users are unlikely to even see it.
“The trick is that although the visible browser windows are closed, there is a hidden one that remains opened. This is due to a pop-under which is sized to fit right under the taskbar and hides behind the clock,” wrote Malwarebytes.
It is important to understand that miners are not malware in the strictest sense, but they do use hardware without permission (without corrupting it). Security firms have started blocking Coinhive, which was set up as a legitimate alternative.
As users became increasingly annoyed by ads and used ad-blockers, web owners looked for alternatives. One was cryptomining, and Coinhive was an alternative to advertising. It takes a users’ resources and electricity as a revenue stream.
Impact on Users
One problem is, how much CPU is take is down to the site owner. The Pirate Bay used Coinhive but was forced to made changes. Users discovered the company has accidentally set it to take 100% of visiting CPU.
“Forced mining (no opt-in) is a bad practice, and any tricks like the one detailed in this blog are only going to erode any confidence some might have had in mining as an ad replacement,” Malwarebytes says.
“Unscrupulous website owners and miscreants alike will no doubt continue to seek ways to deliver drive-by mining, and users will try to fight back by downloading more adblockers, extensions, and other tools to protect themselves. If malvertising wasn’t bad enough as is, now it has a new weapon that works on all platforms and browsers.”