Check Point Researchers have recently discovered a crypto-mining script running through Morfix, the popular Hebrew to English online dictionary, without its users’ knowledge or permission.
The mining was performed by JavaScript code originating from a third-party advertisement network. The code was injected into different locations on the web page and was unknown to Morfix.
Check Point researchers notified Morfix, who immediately removed the third party code from their website.
With a global Alexa ranking of 17,852 and as high as 65 within Israel (as of Dec ’17), Morfix is used heavily throughout Israel and worldwide. It can confidently be said that the crypto-miner injected into Morfix’s website reached tens, if not hundreds, of thousands of users.
As reported by Check Point Researchers earlier this year, online miners are a growing trend amongst websites. We now see a different example of this trend, in which an ad network takes advantage of the publisher’s website and its users.
How It Works
The carrier website initially runs a script that checks whether the user has an ad-blocker installed. If it finds one, a second script runs that covertly utilizes the user’s CPU power to mine the Monero crypto-currency in the background instead.
The script which checks for the presence of an ad-blocker
The hidden instance that redirects to the crypto-miner
In our labs, CPU usage climbed to nearly 50% in the tab browsing Morfix while it mined Monero, compared to approximately 1.2% on other browser tabs.
A CPU usage of 50% may not sound too high. However, in combination with other CPU-heavy activity (such as online gaming), this heavy drain on computational resources usually leads to a dismal user experience while browsing the Internet, and may eventually clog the CPU and crash the browser.
The CPU level rises to almost 50% in the tab running the crypto-miner
Alexa rank for ‘morfix.co.il’
Our research indicates that in this case it is the Monero coin that is being mined by the script, and that the script closely resembles the original Cryptonight, the framework used to mine the Monero crypto-coin.
Although it is not illegal to mine without informing users, some users would certainly consider it unethical, as a crypto-miner can damage browser performance.
For more information and our full report on bitcoin and cryptocurrencies, please download our guide “Cryptocurrencies: How Safe are They?”
Indicators of Compromise
schemouth.com
arancefy.com
3679D8C0F97DB118D5610B40AFDDDF59
2F42015921FD7BEA5D9241BC993E4088
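
The following is an added example, not code from Check Point or Morfix: a publisher-side audit that parses a page's HTML, lists every script and iframe loaded from another host, and flags loads from the two domains listed above as well as zero-size or hidden iframes. The sample page, the `publisher.example` and `adnetwork.example` hosts, the `cdn.` subdomain and the treatment of the "hidden instance" as an iframe are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains from the Indicators of Compromise list on this page.
IOC_DOMAINS = {"schemouth.com", "arancefy.com"}

def host_matches(host, domains):
    """True if host equals, or is a subdomain of, any domain in the set."""
    return any(host == d or host.endswith("." + d) for d in domains)

class ThirdPartyAudit(HTMLParser):
    """Collect every <script src> and <iframe src> that loads from another host."""
    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party   # the publisher's own domains
        self.findings = []               # (tag, host, reasons)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname or ""
        if not host or host_matches(host, self.first_party):
            return                       # inline, relative or first-party load
        reasons = ["third-party"]
        if host_matches(host, IOC_DOMAINS):
            reasons.append("ioc-domain")
        style = a.get("style", "").replace(" ", "").lower()
        if tag == "iframe" and ("display:none" in style or "visibility:hidden" in style
                                or a.get("width") == "0" or a.get("height") == "0"):
            reasons.append("hidden-frame")   # assumption: hidden instance is an iframe
        self.findings.append((tag, host, reasons))

def audit(html, first_party):
    parser = ThirdPartyAudit(first_party)
    parser.feed(html)
    return parser.findings

# Constructed sample page (not captured from Morfix); non-IoC hosts are placeholders.
SAMPLE = """
<script src="/static/app.js"></script>
<script src="https://static.publisher.example/site.js"></script>
<script src="//ads.adnetwork.example/detect.js"></script>
<iframe src="https://cdn.schemouth.com/frame.html" width="0" height="0"></iframe>
"""

if __name__ == "__main__":
    for tag, host, reasons in audit(SAMPLE, {"publisher.example"}):
        print(f"{tag:7} {host:28} {', '.join(reasons)}")
```

The audit sees only markup present in the HTML it is given, so elements that an ad script inserts at run time need the rendered DOM to be passed in instead.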