Cryptocurrencies mined on hacked WordPress sites

Hacked WordPress sites are used to secretly mine cryptocurrencies

Cryptocurrencies dominated the news in 2017, thanks to a dramatic increase in their value. The oldest cryptocurrency, Bitcoin, increased by an astonishing 1,285% during the year, reaching $12,492 per Bitcoin.

Unfortunately, an increase in the value of cryptocurrencies has attracted the attention of cybercriminals. They have begun placing cryptocurrency mining software onto hacked WordPress websites to generate cryptocurrency. This type of exploit can slow your website’s performance, damage your business’s reputation, and negatively impact your visitors. This guide will share some background information on this increasingly common exploit.

What are cryptocurrencies?

Cryptocurrencies are decentralised digital currencies. They allow users to send and receive payments anonymously. Cryptocurrency transactions are peer-to-peer and performed without the assistance of a financial institution or government.

Nearly all cryptocurrencies are based on a technology called blockchain. The blockchain is a digital ledger which is used to track anonymous cryptocurrency transactions between different parties. The blockchain is secured with cryptography so no one can discover the identity of people involved in transactions. The blockchain is stored on the computers of many different people and provides a verifiable record of who holds the currency.

Most cryptocurrencies are predetermined currency issuance systems, which means they limit how much currency is added to the system. Bitcoin, for example, continually adds Bitcoins to the system, but at a slower rate each year. This should result in the currency going up in value at a steady pace. The system will stop releasing Bitcoins when it reaches 21 million, which will occur in the year 2140.

With Bitcoin, new coins added to the system can be obtained by mining them. Bitcoin miners will perform mathematical calculations that ensure the blockchain stays accurate and complete. It takes a great deal of computer processing power to perform cryptographic calculations and broadcast transactions to other nodes in the system. In return for performing these calculations, the miner receives a small amount of cryptocurrency.

Cryptocurrency mining using JavaScript

Most cryptocurrency mining is performed by individuals using their personal computers or by businesses using large clusters of servers. However, some software companies have created software that allows you to mine cryptocurrency using other people’s computers.

A company named CoinHive offers JavaScript applications that mine cryptocurrency via the web browsers of users who visit a website. The code works in the background, using the Central Processing Unit (CPU) power of the visitor’s computer to mine coins. JavaScript cryptocurrency mining tools like CoinHive can be used in many ways including:

  • Video players: A cryptocurrency mining tool can be programmed to run in the background while the user watches a video.
  • Advertisements: Cryptocurrency mining tools can be configured to run during advertisements.
  • File downloads: Some programs require users to run a cryptocurrency mining tool while they have downloads running in the browser.
  • Computer games: Cryptocurrency mining tools can be made to run while a user is playing a game. Users can also be asked to mine cryptocurrency in return for access to a game or in-game items.
  • reCAPTCHA tools: Cryptocurrency mining tools can be combined with reCAPTCHA notices, so users are forced to run the tool to access specific content.

CoinHive is the first company to produce these JavaScript cryptocurrency mining tools, but many other companies are getting involved, including CryptoLoot, MineMyTraffic, and JSEcoin.

How hackers exploit JavaScript cryptocurrency mining

Cybercriminals will often hack a website to inject malware into its source code, infecting the computers of visitors to the site. The kinds of malware commonly used by hackers include keyloggers, viruses, and other forms of spyware.

Some hackers have already discovered the profitability of placing JavaScript cryptocurrency mining software onto the websites that they hack. This approach allows them to earn cryptocurrency as the mining tool harnesses the processing power of visitors to the site.

Hackers will start by identifying an exploit that gives them the ability to insert code into WordPress files. This might be an out-of-date WordPress plugin or a vulnerability in your server’s software. They might also use a man-in-the-middle attack or a brute-force attack to gain access.

Once they have access, they will place cryptocurrency mining software into the source code of your website. When a visitor opens your site, the cryptocurrency mining software will run in the background without their permission.

Signs that your website is mining cryptocurrencies

If your website has been affected by a cryptocurrency mining exploit, there will be an immediate increase in CPU activity when you open a page. You might notice a few of the following issues occurring:

  • Your computer’s fans might become louder. As your computer’s CPU becomes more active, it will become warmer. The fans on your laptop will spin faster to cool the CPU down, which will result in increased noise levels.
  • Your computer’s performance might become slower. If your CPU is over-burdened by the cryptocurrency mining software, it may become noticeably slower.
  • The computer’s CPU works much harder. If you have performance monitoring tools open, you will see a significant increase in CPU load on a website infected by cryptocurrency mining malware.

If you are operating a business, having a cryptocurrency mining exploit on your website can have serious repercussions. For starters, visitors might realise the site is compromised, which will negatively impact your business’s reputation. They may also find it harder to navigate the website or make purchases if their computer is slowed down by excessive CPU activity. It might lead to lost sales as customers leave your site quickly to regain complete control over their computer.

How common are cryptocurrency mining exploits?

A recent report from software development company AdGuard suggests that 200 of the top 100,000 websites are hosting suspicious code including JavaScript cryptocurrency mining tools. While that sounds like a drop in the ocean, many of these sites are very large and attract millions of visitors each month.

They found that within a three-week period, more than 500 million users had unknowingly had cryptocurrency mining software running on their computers when they visited these websites. Many of the websites running mining tools are not aware that their site has been compromised.

What does an exploited WordPress site look like?

Website monitoring company Sucuri recently wrote an excellent post identifying some approaches that hackers use to install cryptocurrency mining malware. One of the exploits they detected was a malicious injection of CoinHive miner software.

The injection loaded a remote JavaScript file located at security.fblaster[.]com. This file contained a short script that triggers the CoinHive JavaScript file when the page loads. The staff at Sucuri followed up on the script and discovered that the domain it came from had previously been used to perform malware attacks on WordPress files.

They found the exploit works by making changes to the following WordPress files:

wp-admin/admin-header.php

/**
 * WordPress Administration Template Header
 *
 * @package WordPress
 * @subpackage Administration
 */
// Injected line: sets the "wpt" cookie with an expiry of time() + 3153600000 seconds (about 100 years).
if(!isset($_COOKIE["wpt"])){setcookie("wpt","4376",time()+3153600000,"/");}
...

The injected line sets a cookie (wpt) in the WordPress administration header that expires 100 years in the future, presumably to allow the hacker to keep logging in with the same cookie.

wp-includes/general-template.php

...
function wp_footer() {
    /**
     * Prints scripts or data before the closing body tag on the front end.
     *
     * @since 1.5.1
     */
    do_action( 'wp_footer' );
    // Injected line: pulls in the attacker's options-footer.php on every front-end page.
    require_once('options-footer.php');
}
...

This file had a new section of code which included a new file called options-footer.php. This is the malicious file that is responsible for calling in the remote CoinHive file on every page via JavaScript. In this case, reverting these two files back to their original state and resetting user passwords would be enough to remove the malicious code.
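The two modifications quoted above leave recognisable traces in the files themselves. The following scanner is an added example, not code from Sucuri or from this article's author; the rule names, the regular expressions and the ten-year cookie threshold are assumptions chosen for illustration, and the sample lines are constructed from the snippets shown above.

```python
import re
from pathlib import Path

TEN_YEARS = 10 * 365 * 24 * 3600  # assumed threshold for a suspiciously long-lived cookie
COOKIE_RE = re.compile(r"setcookie\s*\([^;]*?time\s*\(\s*\)\s*\+\s*(\d+)", re.I)
INCLUDE_RE = re.compile(
    r"\b(?:require|include)(?:_once)?\s*\(?\s*['\"]options-footer\.php['\"]", re.I)
# Names and domain as given in the article; the domain is stored defanged.
MINER_NAMES = ("coinhive", "cryptoloot", "minemytraffic", "jsecoin")
REMOTE_HOST = "security.fblaster[.]com".replace("[.]", ".")


def scan_text(text):
    """Return the names of the indicators found in one file's contents."""
    hits = []
    if any(int(m.group(1)) > TEN_YEARS for m in COOKIE_RE.finditer(text)):
        hits.append("far-future-cookie")
    if INCLUDE_RE.search(text):
        hits.append("options-footer-include")
    lowered = text.lower()
    if REMOTE_HOST in lowered:
        hits.append("remote-loader-host")
    if any(name in lowered for name in MINER_NAMES):
        hits.append("miner-name")
    return hits


def scan_tree(root):
    """Scan every .php/.js file under root; map relative path -> indicators."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in {".php", ".js"}:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed sample lines, modelled on the snippets quoted in the article.
SAMPLE_HEADER = 'if(!isset($_COOKIE["wpt"])){setcookie("wpt","4376",time()+3153600000,"/");}'
SAMPLE_FOOTER = "do_action( 'wp_footer' );\nrequire_once('options-footer.php');"
SAMPLE_CLEAN = 'setcookie("wp-settings-1", $v, time() + 31536000, "/");'

if __name__ == "__main__":
    for label, text in [("header", SAMPLE_HEADER), ("footer", SAMPLE_FOOTER),
                        ("clean", SAMPLE_CLEAN)]:
        print(label, scan_text(text))
```

A "miner-name" hit only means the string appears in the file, so a security plugin's signature list or a blog post about miners will also match; treat hits as leads to review, not as proof of compromise.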

A threat expected to grow

As the value of cryptocurrencies continues to skyrocket, you can expect to see many more cryptocurrency mining exploits on the Internet. Fortunately, WordPress developers are well aware of these kinds of exploits and are doing their best to keep them under control.

If you notice a spike in CPU usage, be sure you check for unusual files that have been recently added to your WordPress installation. You can also install a security plugin like Wordfence, which will scan your WordPress files for any irregularities.
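One way to check for unusual files is to compare the core directories of the live site against a freshly downloaded copy of the same WordPress version. The script below is an added example, not a feature of Wordfence or code from this article; it assumes you have unpacked a clean copy of the matching release into a second directory, and it only looks at wp-admin and wp-includes, since themes, plugins and uploads in wp-content legitimately differ between sites.

```python
import hashlib
from pathlib import Path

# WordPress core directories; themes, plugins and uploads live in wp-content.
CORE_DIRS = ("wp-admin", "wp-includes")


def hash_tree(root):
    """Map relative path -> SHA-256 for every file in the core directories."""
    root = Path(root)
    digests = {}
    for core in CORE_DIRS:
        for path in (root / core).rglob("*"):
            if path.is_file():
                rel = path.relative_to(root).as_posix()
                digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_to_baseline(site_root, clean_root):
    """Return (added, modified, missing) core files relative to a clean copy."""
    site, clean = hash_tree(site_root), hash_tree(clean_root)
    added = sorted(set(site) - set(clean))
    missing = sorted(set(clean) - set(site))
    modified = sorted(p for p in set(site) & set(clean) if site[p] != clean[p])
    return added, modified, missing


if __name__ == "__main__":
    import sys
    # Usage (paths are the caller's own): script.py <site_root> <clean_root>
    if len(sys.argv) == 3:
        for label, paths in zip(("added", "modified", "missing"),
                                compare_to_baseline(sys.argv[1], sys.argv[2])):
            for p in paths:
                print(f"{label}: {p}")
```

On a site altered in the way described above, admin-header.php and general-template.php would be reported as modified and options-footer.php as added.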


Darius S.
