It sounds like a cross between a slightly terrifying violent gang activity and a silly metaphor for drugery. Actually, that’s about right.

Let’s start with the cryptomining part. For the uninitiated, Cryptomining is the process of doing computing work to earn cryptocurrency.

The basis of cryptocurrency is a shared cryptographic ledger. You need a lot of computing power to process the transactions in the currency. The ecosystem survives because the processing necessary for the currency to work is rewarded with payouts of that same currency. As more people adopt the currency, more computation is needed to process transactions. That’s fine, though, because as more people adopt the currency, more people want to mine it. That’s why the recent spike in the value of Bitcoin and variants has led to a massive boom of people building cryptomining operations in regions and countries where power is cheap.

So, what’s the drive-by part? Some clever souls devised a way to mine Monero (a cryptocurrency) in javascript. Wait, wat? You heard right. Javascript in a browser. Now we’re just being silly, right? That sounds more like a drive-by fruiting than a drive-by shooting. 

driveby fruiting

How can that be a thing? It may have started out as a legit idea (although, there’s some indication that the desire to misuse the technology preceded the technology itself).

 

Here’s how it was supposed to work:

You browse to a site and while you’re visiting that site your computer is earning the site owners cryptocurrency. It’s like a microtransaction. In theory, a website could be self-supporting because every user of the site mines currency for the site while they’re using the site.

This is the third alternative to your standard “Ads or pay me” model:

1) advertising backed

2) paywalled

3) some other way to profit

Wait, back up. Javascript? I thought mining bitcoin was no longer profitable on regular hardware? Like, don’t you need crazy FPGAs, or GPU farms or even custom made ASICs?

Yep.

So, mining monero in a browser is totally inefficient, but also who cares? It’s not your power… Wait. It is your power.

OK, but doesn’t the javascript only run while the page is open?

Yep.

So, I earn for the site while I’m using the site. My machine runs a little hotter while I’m there. Seems fair.

But a way better model (for the person making the money) is to keep mining after you’ve left the page. Alright, how do they do that? An invisible pop-under page hiding behind the task bar. Sneaky! OK, but people will just avoid my page now, right? Or never find it to begin with? Sure, but there are all kinds of shady malvertising networks. And get this, why serve the ad or make the content when you can hack a site and serve it from someone else’s computer? Now there’s incentive to scan the web and compromise unpatched sites. The UK government recently had thousands of web servers compromised by an infected plugin and started serving cryptomining code to unsuspecting users (yikes!).

So, whatever, somebody’s milking a bunch of web browsers a little bit, or a lot. But these are small potatoes.

Yeah, small potatoes and a big pain.

The leading cause of phone battery life regression during software updates are increased CPU usage. Imagine a piece of software specifically designed to milk your device of all available CPU. Not a pleasant user experience, and not a long one either. And the worst case scenario, aka unthrottled mining, might not actually be the worst case after-all. At least you can catch that. If the miner is able to throttle, it might stick around for a long time before you figure it out.

 

How can I protect myself?

It’s malicious javascript so website owners protect themselves the usual way – patching and hardening their sites and reviewing the modules you import. Hint: don’t import random wordpress modules from unknown sources.

Web users are affected via malvertising networks. It’s probably pretty straightforward to avoid the dark parts of the internet where those networks operate. Many ad-blockers block those networks anyway (hooray for ublock origin, although it doesn’t solve the ‘ads or pay me’ dillema).

Mobile users are compromised by infected apps and redirects from infected sites. Installing that gray market app store is starting to sound like not such a good plan anymore, right?

But what about when the UK government serves it? I think you’d just have to notice that your machine load just increased dramatically, pop open the process viewer, find the process using 95% CPU, and kill it. Seems like we’re all going to have to step up our security game because This. Never. Ends.