Popular sites infected with skimmers and cryptominers

According to experts from Palo Alto Networks, malicious activity was detected on some of the highest traffic sites.


According to a study by Palo Alto Networks specialists, a large number of popular sites from the Alexa top 10,000 are infected with cryptocurrency miners and skimmers (scripts that steal bank card data).

Alexa is an online service that evaluates and ranks websites based on their popularity, traffic, and other factors.

According to specialists from Palo Alto Networks, malicious activity was detected on some of the sites with the highest traffic, in particular cryptominers and skimmers. The following domains are affected by the problem: libero [.] It (a number of Italian sites offering various services, including email, search engine, news portal, etc.), pojoksatu [.] Id (Indonesian news resource), www [.] heureka [.] cz (the largest e-commerce platform in Central and Eastern Europe) and zoombangla [.] com (a Bangladeshi news source).

At one time, the legitimate service Coinhive provided JavaScript cryptocurrency miners capable of generating Monero right in the browser. That is, the script could control the use of the CPU and the number of threads created for mining. However, due to abuse by cybercriminals, Coinhive has been shut down.

As reported in a report by Palo Alto Networks, there are currently two sites still serving the Coinhive miner - coinhive.min.js and JSEcoin. The problem affects users when they enter a site infected by a miner. In this case, their CPU usage increases significantly.

The researchers also identified several cases of malicious links being embedded in advertisements on popular websites. In particular, an advertisement with links redirecting users to a malicious site that infects users' systems with a JSEcoin script was found on the used car website

Although the JSEcoin scripts are still working, cybercriminals can no longer receive the cryptocurrency they generate since the service was shut down in April this year.

Online skimmers are used in the so-called Magecart attacks and intercept bank card data entered by users in the browser. The researchers noticed that in the code of the online store websites that sell various products, there are links that download obfuscated skimming scripts. This means that attackers can load scripts onto a page, hiding them behind redirect pages hosted on a compromised domain.

All News

Scroll top