School, charity and file-sharing websites have been caught out by scammers who are using them to generate crypto-cash.
Hackers have managed to install code on the sites that uses visitors’ computers to “mine” the cyber-currencies.
One scan of the most popular websites found hundreds harbouring the malicious mining code.
By getting lots of computers to join the networks, attackers can quickly generate cash.
“This is absolutely a numbers game,” said Rik Ferguson, vice-president of security research at Trend Micro.
Malicious use
Mr Ferguson said crypto-currencies operated by getting lots of computers to work together to solve the tricky mathematical problems that establish who spent what. This establishes a digital ledger, or blockchain, of spending activity with a particular coin.
The number crunching is called mining and new crypto-coins are handed out to miners who are the first to solve the complex sums.
The more computer power that someone can amass, said Mr Ferguson, the more coins they can generate.
“There’s a huge attraction of being able to use other people’s devices in a massively distributed fashion because you then effectively take advantage of a huge amount of computing resources,” he said.
“Crypto-coin mining malware is nothing new,” said Mr Ferguson, adding that the growing value of established cyber-currencies and the emergence of potentially valuable new ones was driving malicious use of the scripts.
A security researcher has scanned the code behind the million most popular websites to see which ones are running the widely used Coin Hive mining script.
Many sites use this and others, such as JSE Coin, legitimately to generate some money from their steady stream of visitors. Metrics published on the Coin Hive site suggest that a site that gets one million visitors a month would make about $116 (£88) in the Monero crypto-currency by mining.
On many sites found in the scan, the way the script was concealed suggested it had been uploaded surreptitiously.
The BBC contacted several of the sites in the UK running the Coin Hive script and those that responded said they did not know who added it to their site. Some have now deleted the mining code, updated their security policies and are investigating how the code was implanted.
Coin Hive’s developers said it had also taken action against malicious use.
“We had a few early users that implemented the script on sites they previously hacked, without the site owner’s knowledge,” they said in a message to the BBC. “We have banned several of these accounts and will continue to do so when we learn about such cases.”
It encouraged people to report malicious use of Coin Hive and said any site using it should inform users that their computer could be enrolled in a mining scheme. Some security programs and ad-blocking software now warn users when they encounter miners.
Security service Cloudflare has also suspended the accounts of some customers after they started using mining scripts. It explained its action by saying that it considered the code to be malware if visitors were not told about it.
Cloud cracking
Surreptitious coin mining is not just a problem for websites that have been hit by hackers. Many others across the tech world are moving to tackle the problem.
Last week, two senior officials in the Crimean government were reportedly firedbecause they had started using a lot of official machines to mine bitcoin. The creators of the FiveM add-on or “mod” for video game GTA V released an update which stopped people adding miners to their code.
High-profile websites including the Pirate Bay, Showtime and TuneProtect have all been found to be harbouring the script.
Prof Matthew Caesar, a computer scientist at the University of Illinois, said mining was also starting to cause problems for companies that offered cloud-based computing services.
Prof Caesar said he and student Rashid Tahir started investigating the problem after conversations with several cloud firms revealed that all of them had experienced trouble with coin-mining.
“If someone can hack into a cloud account they have access to a huge amount of computer power,” he said. “They can get huge value from those accounts because there’s not much limit on the number of machines they can use.
“Often,” he said, “the billing systems the cloud services run do not reveal what’s going on. Someone can get in and cause a lot of damage before they are shut down.”
Victims can be left with huge bills for servers that attackers rented to do their coin-mining, he said.
The Illinois researchers are developing a monitoring system that can spot when the mining software was being used, he said.
The ways that modern processors handle the complicated maths demanded by crypto-currencies are relatively easy to spot if someone goes looking for them, said Prof Caesar.
“We’re in the process of working with one cloud computing company to deploy the monitor in their network,” he said.
“We’re also looking at how we can do this on personal computers as well,” he added.