Rogue Developers Blamed for Hidden Cryptocurrency Miner on Websites

Following the article, I wrote regarding Kenya’s Nairobi Wire being caught mining cryptocurrency using the visitor’s CPU, the company responded to us via Twitter and explained that the script was unauthorized and that they pulled it down immediately they learnt about it.

In response to your story, we had already stated on Wednesday that the script was unauthorized. We pulled it down immediately we learned of it. i.e. Tuesday night. We have confirmed that no other mining script is currently running. Between Tuesday and Thursday last week, we had outsourced some maintenance work to an outside developer. It has been our tradition to outsource a big chunk of our design/maintenance work. This means giving outsiders -sometimes foreigners access. We have thus concluded that the said script was installed sometime last week, by our external developer. Nairobi Wire never benefited in any way, and we have now cut links with that particular developer. Out policy of NOT having non-obstructive ads, like pop-up/under remains. This is designed to provide a smooth experience throughout. The mining script falls under ‘obstructive’ ads since it greatly slows down computers and/or can even be damaging to the CPU. We have no plans to use mining scripts now or in the future. If that changes, our readers will be informed and given an option to opt out.

The statement brings to light a few more issues that I will just mention and not dwell on, I promise. Nairobi Wire admits to using foreign developers, as seen here, “it has been our tradition to outsource a big chunk of our design/maintenance work. This means giving outsiders -sometimes foreigners access.” In light of this claim that the foreign developers could have been the perpetrators of the mining code, why didn’t Nairobi Wire take any legal action against the said developer? Their official statement only says, “we have now cut links with that particular developer,” there is no mention of anything to do with taking any action towards the developer. Which is weird, seeing that this said developer has damaged their reputation to some extent.

Memeburn also claimed that they did not know about the script, citing, “We found that a mining tool dubbed coin-hive was using the website to mine cryptocurrency.” Memeburn was alerted about the miner on September 18 but only acted upon it on September 20. Interestingly, Memeburn decided to take down their whole website until they have completely resolved the issue. Memeburn does not even mention who added the code or what action was taken.

It had also been discovered that Business Daily Africa had a similar cryptocurrency miner within its code but our efforts to get an official statement from the company were futile. Out of the companies that have been caught having the code, only Pirate Bay admitted to inserting the code “as a test” and even asked users to vote on whether they prefer ads or giving up a little of their CPU power.

Rogue Developers at Work?

Seeing that the fingers are being pointed at unnamed rogue developers and looking at the trend of how the said miner is popping up on popular websites, this could as well be the work of a hacker. Think of it this way, non-techies would hardly notice that their favourite website is causing the sudden slowdown of their machine. Targeting news and entertainment websites is the perfect plot. These websites get thousands of visitors per month, Nairobi Wire claims that number is closer to a million for them, so such a website is a literal jackpot to a hacker. They could easily inject a JavaScript code that initiates after someone opens the website and without knowledge, the user is making a Russian hacker (stereotype) very happy.

Denis Sinegubko, a malware researcher at Sucuri revealed that most of the websites he found to contain the miner, the code was injected without the knowledge of the site owners. He also realized that most of the affected sites either run on WordPress or Magento. The code was injected either within the footer section or the header section of the target site. “The names of the scripts are made to appear legitimate so that the webmaster doesn’t get alarmed when seeing them. Moreover, a couple of sites we investigated referenced the domain names of the infected sites within the malicious script – making them look even more as if they belong on the sites,” says Denis.

Sucuri’s blog post also shines some light on themes and plugins now including the said mining code, which makes it even harder for the owners to realize what is going on.

CPU Power over Ads

Most of the people who have shared with us their opinion agree that giving up a little bit of CPU power is worth it compared to those intrusive ads that some entertainment websites serve. I agree with them. If a blog or site was honest enough to let me choose to either see ads or let them mine some cryptocurrency through my browser, I would go for the latter.

The problem comes in when the bad guys try to exploit these new technologies for their own benefit. The creators of Coin-Hive, meant for the service to be used by site owners as an alternative to pushing ads. I know not everyone would agree with me, but blogs have to make money one way or the other and seeing that almost all of you are using ad blockers, it was only a matter of time before the creatives came up with new creative ways of making money from their content.