December 19, 2011

Bitcoin Miner with Black Hat SEO Poisoning Campaign


Bitcoin is a peer-to-peer currency exchange system that features a predictable currency rate. The generation of Bitcoin currency is controlled by an algorithm created by Japanese researcher Satoshi Nakamoto in 2008. Bitcoin system users are essentially "mining" for Bitcoins using their computers CPU power. Today, because of the intrinsic characteristics of the Bitcoin-generating algorithm, calculating new "coins" in a reasonable amount of time without the use of distributed computing power is very difficult. It's important to remember that Bitcoins are like real money and can be exchanged for real money. 

During a recent investigation, we encountered a new trend in the landscape of monetization techniques which can be triggered by the Black Hat SEO (BHSEO) poisoning campaign. What happens when BHSEO specialists meet a service offered, for example, by BitcoinPlus which is used for mining Bitcoins? Well, we should never underestimate the cleverness and the imagination of cyber criminals.  Specifically, we have encountered the presence of an array of Websites that have been setup for BHSEO purposes and that are used for Bitcoin mining.  

Basically, this is the goal of BHSEO poisoning: reach a user for malicious purposes when that user is looking for something via a search engine.There are many ways to create a BHSEO campaign (or structure). The one most often used consists of creating and renaming a Website HTML page to be a popular keyword. So a global celebrity gossip news item can be a gold mine for anyone who wants to build a BHSEO campaign. This technique is frequently used to spread malware or some other kind of malicious content. 

BitcoinPlus offers a service  which allows a registered user to mine "coins" using some JavaScript that is added to their Website. This essentially means that the computer's CPU power of any visitor of such Website will be used to generate Bitcoins for the Bitcoin account owner. 


The code, provided by BitCoinPlus, is shown in the following screen shot, this is the code that is included in the BHSEO Website to generate Bitcoins:


Essentially the code requires the support of the minimal jQuery library, the call to the mining JavaScript code, and the registration of the BitcoinPlus user account. The following Java applet shows the miner.js call:


A brief analysis of this JAR file shows the code that calculates the amount of time necessary for any Web client visit to mine Bitcoins, as shown in the following code snippet: 


Up to this point, nothing illegal has happened.  But what would happen if this script is used for malicious intent? During our analysis using the Websense ThreatSeeker ™ Network, we detected several Websites setup with the JavaScript snippet shown above. The screenshot below shows some of the Websites that are part of the BHSEO campaign, explained earlier in this blog:  


The keywords relate to a variety of topics: adult content, electronic devices, hacking, software, and so on.  We tried to load one of the Web links detected, and the HTML page appeared to display the information that a user might expect. At this point, an array of squares appeared, and took some time to download completely. (Remember that a Bitcoin user would already be logged in and using the BitCoinPlus services to mine Bitcoins.)


Once the content of the squares is loaded, another download begins (again a time-consuming activity and delaying tactic to permit the "mining" of the Bitcoins the user has collected). 


A user who clicks the black square (to download the "required video player") actually downloads a rogue player. The user counter offered by Among.Us (the red square on the left with the number 135) indicates an average of 140 users per hour for this Website.


If we examine the user counts in the Among.US counter over time, we can see peak counts of up to 490 users for the Website we analyzed. 


One reason that such a large number of visitors can be accommodated could be the use of an automated system (maybe a botnet) to easily create a monetization process with click-jacking activities. The "coins" mined from unsuspecting users are just like real money and can be used for other frauds and malicious activities. This type of cyber fraud could become a larger issue, and difficult to explain in just one blog post. 

At this time, the script in the Web page we analyzed is commented. However, via ThreatSeeker we have detected about 10000 URLs where the injected script seems to be active. Many of these URLs are related to Web and email spam and malicious Web sites and reside in low reputation autonomous systems, as shown in the following results: 


Recently, we discovered some binary bots created ad hoc to steal the Bitcoin wallets from infected systems. Although Bitcoin mining is not malicious by itself, we can see that the practice can be used to entice users to visit pages that do not contain the contents they were looking for, which could be considered fraudulent activity.


Websense customers are protected from these threats by ACE, our Advanced Classification Engine.


Forcepoint-authored blog posts are based on discussions with customers and additional research by our content teams.

Read more articles by Forcepoint

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.