One of my desktop PCs has been running frustratingly slowly – almost Tortoise-like enough to have me sat with my head in my hands, listening to the weird, interrupted noises burping from the speakers as iTunes point blank refuses to stop trying to stream music while I dejectedly click ‘x’.
I blamed the kids, of course. A herd of mini tech users who are already learning code at a pace which excites me for their bright futures yet fills me with dread. Mainly due to their inherited genes and the power of nurture – on my side. Stubborn, awkward, little clones with infinite power and a will that may never be broken can only lead to the shut down of the internet the world needs. Or Skynet.
I assumed, as a parent would, the IT problem had come from one dose too many of DanTDM, or perhaps a virus picked up from a My Little Pony fan page. I was wrong, it goes almost without saying.
I Googled for a while, having checked my CPU usage and found it almost at 100% whenever my browser was open, then ran my usual antivirus/malware checks and quarantined a few wee beasties. For me, at least, this cured the problem and I apologised to the children the same way I had accused them: in my head without saying a word out loud. Because I am the soft touch in this house.
With the computer fixed and the search engine results still open, something caught my eye.
A few days ago, all of the major news outlets reported an outbreak of crypto-currency mining malware which had infested websites, using countless unwitting computer owners’ internet acitivity to harvest secret currencies similar to Bitcoin, without the victims ever being aware their computer had been used.
The main reports raised the alarm that visitors to government websites had been attacked in this way but the truth, if you dig a little deeper, appears to be the infection may well have been in browser extensions or adverts.
This got me thinking, in the dangerous way often I do when left unsupervised in the house at night.
“This sounds like fairytale stuff, until you look at the one country where dark economy is king: Russia.”
I suppose the first thing to explain is the reason CPU or power usage is relevant.
The answer, according to technical bods from IBM to Trend Micro, to Microsoft, appears to be that it is simply a way to borrow processing power to make money.
I think it’s in one of the IBM technical papers – though I might be remembering wrong – where they estimate a single computer could generate just over $2 a month, by lending its processing power to a so-called Bitminer harnessing the power of your computer through your web activity. When you start to scale this up to automated networks of tens of thousands of computers doing the same thing, well: it’s a profitable game. Probably explains the cryptocurrency value explosion too.
The only symptom you’d really notice is your computer going slow and, if you used your system tools to check, you’d see CPU usage spike while on an infected site.
This is relevant for a second reason, by way of explanation around the power demands of crypto-currency: it’s greedy you see.
On your own PC, such a spike would increase the electricity usage by your computer – something which would be reflected in your bill or on your Smart Meter. Out in the big, bad world of the crypto dark economy it’s even scarier.
Largely unsubstantiated estimates have started to surface that what has become the world’s most profitable currency could use up all of the world’s energy resources by 2020. Iceland, a country which is a champion of crypto, is subject to a warning it could run out of power as a nation in the near future.
This sounds like fairytale stuff, until you look at the one country where dark economy is king: Russia.
“…one oligarch actually bought two power stations purely for firing up his bitmining operations.”
Nuclear scientists have just been arrested by the FSB at a government research facility for using super computers to mine cryptocurrency – because it was the only place which would meet their power needs. In other news, one oligarch actually bought two power stations purely for firing up his bitmining operations.
I’ve spent a lot of time learning things I wish I didn’t know, even pegging the NotPetya cyber attack as Russian as it happened in June 2017 – only acknowledged by UK security services February 15 2018. And, while this is a personal hypothesis for now, it’s distinctly possible the Kremlin’s strategic positioning on oil and gas reserves across the globe make more sense if you apply the logic they need it to get rich. In private.
It also makes sense of why climate change denial is so important, and why so much of that comes through Kremlin disinformation channels.
I mean, Russia has a ridiculously small GDP on paper, but its investment in the military, weapons and vehicles, hybrid warfare, technology – and the rest – is handing the arse to the rest of the world, where such spending has been in decline.
Further, the Russian billions laundered across the globe have all but been shaken down, killing the method as safe and undetectable. Party well and truly pooped.
To me, at least, it makes sense to have a better plan. One which nobody can really do anything about.
Crypto provides exactly that answer and Russia would have increased the value of its dark GDP exponentially over the last year. If I wasn’t just hypothesising of course.
If it was me, I’d be doing it.
Anyway, back to the rabbit hole. Or Bitface, if you prefer.
“This practice, it turns out, is called Crypto-jacking.”
While I was rubbing my temples, an idea popped into my head about the kind of sites I felt may be well placed to plant bitmining malware upon. Something viral. Something which is now commonplace. And, suddenly, an idea popped into my head: what if fake news and clickbait sites are dual purpose?
Could it be that the explosion of disinformation wasn’t just to confuse and divide the public, destroying the value of truth, but the real joke was they were making money way beyond ad revenues too?
I let my brain run away at first, going straight to the fake news and disinformation channels we know and hate best: Breitbart, Infowars, Westmonster, and RT – but, checking those sites on whoismining.com came back a bust.
I decided to double check though, and added Minerblock and Adblock to my browser and visited the sites again. No joy on bitmining, but a shed load of adverts were blocked across the sites with the exlcusion of RT – which is directly Kremlin-funded because it’s part of the foreign office and espionage services.
Nonetheless, something in my brain was sparking and I just couldn’t let it go. I was buzzing around with ideas of sub-domains and DNS and other such exciting sounding things. Because I am a nerd. An excitable, cynical, analytical nerd.
So, I went back to the search engine and that’s where I found Pixelate and their November 2017 list of sites which have been confirmed as crypto-mining with Coin-Hive.
There are almost 5,500 web addresses on the list and, as they point out: ” In many cases, users don’t know or consent to share their CPU, and they typically don’t receive any of the monetary benefits. Coinhive is one of several services which offer JavaScript that can mine for cryptocurrency without the users’ knowledge or consent.”
This practice, it turns out, is called Crypto-jacking.
Within the first five minutes of looking at the websites, I’d confirmed my what if.
“…eurnews.eu and newsaline.co.uk were not only publishing blatantly fake
news stories, but both contained the exact same content. MineBlocker was
activated immediately on both sites…”
Opening the Pixelate document, and using nothing more complex than a text search, I isolated 34 bitmining websites with the word “news” in the domain name, covering all manner of countries and topics:
24daysnews.com
allterranews.com
allworldmagazinenews.com
dtecnews.altervista.org
ilfaronews.altervista.org
anonews.cc
appliftonews.ru
thenewszilla.blogspot.com
ispot-news.bq.si
piratestreaming-news.bq.si
ru.citynews.technology
diginewsfeed.com
edmnews.it
eurnews.eu
hotpaknews.com
instantbestnews.com
jerusalemconstructionnews.com
mintounews.com
moon-news.eu
motorcyclenewsy.bid
newsaline.co.uk
newsinside.org
pubgnews.ru
reigningnews.com
setenews.com.br
news.tagmyride.mobi
technewscode.com
tiinews.com
toptechnews.club
usvnews.com
videonews.pp.ua
viralnews2u.net
wildlifenews.co.uk
news.ycornbinator.com
Giving them a random dip sample, news.ycornbinator.com, was instantly blocked by my browser as unsafe.
Wildlifenews.co.uk, thankfully, showed no signs of current infection, indicating it has been cleaned up – meaning at least the elephants are safe.
In other checks, I saw eurnews.eu and newsaline.co.uk were not only publishing blatantly fake news stories, but both contained the exact same content. MineBlocker was activated immediately on both sites, confirming they are still actively cryptojacking.
The sites come back to a domain wholesaler. A deadend.
Disturbingly, in amongst the porn and ads, fake news and clickbait, I also found babyproducts-reviews.co.uk, a basic search site which is still bitmining, but also features a number of blocked adverts too.
A Whois lookup provided no immediate data as to the site owner.
Worse still, this site, bitmining without consent, appears on the first page of Google listings if you enter the search terms “baby product reviews uk.” It is accompanied by legitimate sites and there is no way for a user to distinguish between them.
Looking beyond the immediate leap-outs, noting an almost endless amount of the sites were also not traceable beyond domain wholesalers, it became apparent some of the sites were groups of subdomains.
t30p.ru was one example of a master domain – in effect an aggregator of fake news and clickbait – with a number of fake news, click bait, and ad sub-pages, all carrying the bitmining lurgy. This particular Russian example featured 21 sub domains.
ads.t30p.ru
podarok.t30p.ru
horoscope.t30p.ru
video.t30p.ru
sputnik.t30p.ru
sdelanounas.t30p.ru
jewel.t30p.ru
eda.t30p.ru
promo.t30p.ru
facebook.t30p.ru
ukraine.t30p.ru
rating.t30p.ru
biography.t30p.ru
doctor.t30p.ru
sport.t30p.ru
youtube.t30p.ru
blog.t30p.ru
topic.t30p.ru
syria.t30p.ru
food.t30p.ru
sputnikpogrom.t30p.ru
A random check of
sputnik.t30p.ru, which was put through Google’s page translate feature, reveals a site which claims to be: “an American-Israeli information project on ridiculing the revolutionary situation in Russia in 2014. He actively publishes unique materials with the aim of provoking national hatred among the Russian-speaking people.”
So, there it was.
Fake news and disinformation being used to mine cryptocurrency through often legitimate looking websites achieving first page results on search engines. Without anyone’s knowledge.
“…
we have no idea what is buried in the ad links of the more – and I wince
saying this – “legitimate” fake news websites. Nor do we have a clue
just how many of those shortened URLs we all see shared on social media
lead to Bitmining attacks.
“
As I set down the spreadsheet, rather than trying to look through every single one of the thousands of lines, it struck me that we have no idea what is buried in the ad links of the more – and I wince saying this – “legitimate” fake news websites. Nor do we have a clue just how many of those shortened URLs we all see shared on social media lead to Bitmining attacks.
As I finally managed to click ‘x’ on a program and watch the window actually close, it struck me the Pixelate list was already four months old.
Even if those sites only managed one hit a month, somebody, somewhere, could have pocketed a neat $44,000. Without the overheads of a power station.
What the true cost of all this is to the world’s energy reserves is unquantifiable. At least not to me – and the children are all in bed, along with the brains in my relationship, so I’ve nobody to ask.
“If I was a hostile world superpower, with some kind of technology like CrashOverride
– a viral, Russian payload which has been used to knock Ukraine power
grids offline – I’d have probably linked it to money making too.”
It strikes me, however, that – as well as pinching oil and gas supply through strategic military and espionage actitivity – it wouldn’t be a bad idea to have a way to suck what remaining power an adversary had in their grid up your sleeve.
If I was a hostile world superpower, with some kind of technology like CrashOverride – a viral, Russian payload which has been used to knock Ukraine power grids offline – I’d have probably linked it to money making too. Attached a cryptojacking payload to a delivery mechanism such as Eternal Blue used in the Wannacry or NotPetya attacks of 2017.
If I was Russia, I’d have designed a critical infrastructure attack which knocks out power by making money.
You know, just to take the piss.
Sweet dreams.