Researchers said they found cyptojacking code hidden on the Los Angeles Times’ interactive Homicide Report webpage that was quietly harnessing visitors’ CPUs to mine Monero cryptocurrency.
The cryptojacking incident was found by Troy Mursch, a security researcher at Bad Packets Report, on Wednesday. He said the cryptominer has since been killed off. The cryptominer in question was made by Coinhive, a company that offers a Monero JavaScript miner to websites as a nontraditional way to monetize website content.
Coinhive’s JavaScript miner software is often used by hackers, who secretly embed the code into websites and then mine Monero currency by tapping the CPU processing power of site visitors’ phones, tablets and computers.
Mursch told Threatpost that in the case of the LA Times the miner was throttled so that it had a reduced impact on visitors’ CPUs and would be harder to detect. Typically, cryptojacking attacks are not throttled and use 100 percent of the target’s CPU. As a result victims can sometimes experience overheating of their phone or computer as their device gets bogged down by an over-taxed processor.
“Depending on the throttle amount, the impact [on visitors’ CPUs] can vary greatly,” Mursch told Threatpost. “In the case with the LA Times website, it was throttled so low the average user probably wouldn’t notice it running in the background.”
That method appeared to have worked and kept the code secret for awhile. Mursch estimates the cyptojacking JavaScript code was hidden on the website since at least Feb. 9.
Mursch said he found the code after investigating an LA Times’ Amazon AWS S3 storage bucket that was misconfigured and giving anyone – including criminal cyptocurrency miners – the ability to write code to the server and the Homicide Report website.
The LA Times did not respond to a request for comment.