Crypto the New Way to Screw your Users


This is the web in early 2018: not only does any web page shove megabytes of “content” in your browser’s face (guess how many of those 20MB+ are real content? not much…), make hundreds of requests to different domains (advertising, trackers, etc.), autoplay that HTML5 video right in your face, and pre-load tons of “Content You May Like”, but if all that were not enough, there is more…

Today you have crypto, and I’m not talking about cryptography, oh noooes.

Crypto, aka cryptomoney and the bitcoin-like mafia, and they came with a great brand new way to fuck the users: it is called cryptojacking.

What is cryptojacking?

Cryptojacking is defined as the secret use of your computing device to mine cryptocurrency.

Cryptojacking used to be confined to the victim unknowingly installing a program that secretly mines cryptocurrency.

Here’s the bad news…

In-browser cryptojacking doesn’t need a program to be installed.

Oh, that does not concern me, you say? You don’t go on dodgy web sites, right?

No need: it’s right there, anywhere advertising can play.
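As an added example (not code from the original post), here is the kind of defender-side heuristic a site operator or ad reviewer could run over ad-delivered script text before it reaches users: it scores the script for the building blocks an in-browser miner needs, so a single Web Worker in an ordinary ad does not trigger it. The signal list, weights and threshold are assumptions of this example, and both sample scripts are constructed and mine nothing.

```javascript
// Added example (not from the original post): a heuristic that scores
// ad-delivered JavaScript for the building blocks an in-browser miner relies on
// (WebAssembly hashing, Web Workers sized to the CPU count, a pool connection).
// Signal list, weights and threshold are assumptions chosen for this example.
const SIGNALS = [
  { name: "wasm",     re: /WebAssembly\.(instantiate|compile|Module)\b/, weight: 3 },
  { name: "worker",   re: /new\s+Worker\s*\(/,                            weight: 2 },
  { name: "cores",    re: /navigator\.hardwareConcurrency/,                weight: 2 },
  { name: "pool",     re: /stratum|\bjob_id\b|\bhashrate\b/i,              weight: 3 },
  { name: "socket",   re: /new\s+WebSocket\s*\(/,                          weight: 1 },
  { name: "throttle", re: /\bthrottle\b/i,                                 weight: 1 },
];

// Returns the summed weight of the matched signals plus their names, so a
// reviewer can see why a script was flagged instead of getting a bare yes/no.
function scoreScript(source) {
  const matched = SIGNALS.filter((s) => s.re.test(source));
  return {
    score: matched.reduce((sum, s) => sum + s.weight, 0),
    hits: matched.map((s) => s.name),
  };
}

// One signal on its own (e.g. a plain Web Worker) is normal web code; a miner
// needs several of them together, hence a threshold rather than a single match.
function isLikelyMiner(source, threshold = 6) {
  return scoreScript(source).score >= threshold;
}

// Constructed benign ad/analytics snippet: one Worker, nothing else suspicious.
const BENIGN = `
  const w = new Worker("/analytics-worker.js");
  navigator.sendBeacon("/collect", JSON.stringify({ page: location.href }));
`;

// Constructed miner-shaped snippet: the skeleton only, no hashing code at all.
const MINER_LIKE = `
  const threads = navigator.hardwareConcurrency || 2;
  const pool = new WebSocket("wss://pool.invalid/stratum");
  WebAssembly.instantiate(wasmBytes).then(() => {
    for (let i = 0; i < threads; i++) new Worker(workerBlobUrl);
  });
  const throttle = 0.3; // "we will not use more than 30% of your CPU"
`;

scoreScript(BENIGN);     // { score: 2, hits: ["worker"] }
scoreScript(MINER_LIKE); // { score: 12, hits: all six signal names }
```

A flagged script is a reason to pull the creative and inspect it, not proof on its own.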

Now even YouTube serves ads with CPU-draining cryptocurrency miners
Ad campaign lets attackers profit while unwitting users watch videos.

YouTube was recently caught displaying ads that covertly leech off visitors’ CPUs and electricity to generate digital currency on behalf of anonymous attackers, it was widely reported.

Word of the abusive ads started no later than Tuesday, as people took to social media sites to complain their antivirus programs were detecting cryptocurrency mining code when they visited YouTube. The warnings came even when people changed the browser they were using, and the warnings seemed to be limited to times when users were on YouTube.

But uh oh? That must be Flash’s fault, right?

Not this time. I told ya long ago that the same crackers who abuse Flash would move to JavaScript, because it is always the same scenario: they go hack whatever is most popular, and what is popular today is JavaScript and cryptocurrency.

And even big players like Google have no way to protect their networks from that.

Hackers Abuse Google Ad Network To Spread Malware That Mines Cryptocurrency

More than a decade ago Google bought DoubleClick, one of the first major advertising services on the Web, for a cool $3.1 billion. That acquisition is a major reason that Google is such a dominant force in online advertising today.

It’s estimated that Google’s ad network reaches about a quarter billion unique viewers in the U.S. alone. With access to that many computers, it’s no wonder cybercriminals are abusing DoubleClick in order to distribute money-making malware. The malware’s goal: to mine cryptocurrency on infected computers and funnel earnings back to its criminal controllers.

See, no Flash involved, it’s all JS.

Also, those crackers have some humour:

To add insult to injury, the malicious JavaScript in at least some cases was accompanied by graphics that displayed ads for fake AV programs, which scam people out of money and often install malware when they are run.

So what did Google have to say about that?

Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.

It wasn’t clear what the representative meant when saying the ads were blocked in less than two hours. Evidence supplied by Trend Micro and on social media showed various ads containing substantially the same JavaScript ran for as long as a week. The representative didn’t respond to follow-up questions seeking a timeline of when the abusive ads started and ended.

Yeah, it does not seem to be clear… LOL

Oh, sweet irony: wanting to kill Flash because it is so unsafe for the users, so you can push your not-so-hidden agenda to only use HTML5/JS to display ads, and then that very same tech is hijacked to mine bitcoin with your users’ CPUs. Yeah, JavaScript is so much safer.

Still, you don’t see anyone yelling “kill JavaScript”, or more exactly “kill advertising”; it is a respectable business after all. Only Flash is bad and deserves to die, and in fact that is already planned for 2020.

For the record, you could also mine bitcoins with Flash; see Flash-Player-Bitcoin-Miner and Bitcoin-flash-as3-miner.

But it does not stop here. While some people experiment with replacing advertising with cryptojacking while telling you “We swear we will not use more than 30% of your CPU” (LOL), others think “hey, why not replace in-game purchases with crypto?” and they did.

Here comes CryptoKitties (not even kidding here, that’s the name).

People have spent over $1M buying virtual cats on the Ethereum blockchain

Launched a few days ago, CryptoKitties is essentially like a digital version of Pokemon cards but based on the Ethereum blockchain. And like most viral sensations that catch on in the tech world, it’s blowing up fast.

Built by Vancouver and San Francisco-based design studio AxiomZen, the game is the latest fad in the world of cryptocurrency and probably soon tech in general.

People are spending a crazy amount of real money on the game. So far about $1.3M has been transacted, with multiple kittens selling for ~50 ETH (around $23,000) and the “genesis” kitten being sold for a record ~246 ETH (around $113,000). This third party site tracks the largest purchases made to date on the game. And like any good viral sensation prices are rising and fluctuating fast. Right now it will cost you about .03 ETH, or $12 to buy the least expensive kitten in the game.

So now we have people using Ether, an asset with arguably little tangible utility – to purchase an asset with unarguably zero tangible utility. Welcome to the internet in 2017.

And also 2018… because, of course, it’s not gonna stop soon; like any bad thing, it spreads like cancer.

This man has made more money trading cryptokitties than investing in his IRA

Todd is a 30-year-old entrepreneur and software designer from Austin, Texas. He’s also been the owner of 35 cryptokitties, an extension of his broader enthusiasm for cryptocurrencies. Todd first bought around 5 to 10 bitcoin in 2012 (he doesn’t remember the precise amount), when the value of each coin was a little over $10. He also grew interested in ether after its emergence in 2015 and bought the majority of his ether last year. In total, he has 21.5 bitcoin, 305 ether, and a smaller percentage in other cryptocurrencies.

Todd’s been similarly lucky with cryptokitties. His big break came when he purchased an OldLace cat for 12 ether, or around $4,800 at the time of purchase, and later saw the value of the cat rise to approximately 30 ether. “There is kind of a barrier to entry, unless you have like 5 ether to get started with, it’s pretty hard to break in,” he says. “It’s really hard to get going unless you acquire one of the more valuable cats.”

Oh… here are the 3 alarm bells:

  • the guy’s name is Todd
  • he is an entrepreneur
  • he invested $4,800 in a virtual kitty

I guess it is much better than buying a $99 in-app item (duh!).

Here’s what I know: don’t screw your users.

Abuse your users with too much advertising and they will use an ad blocker.

Same for in-app purchases, cryptojacking, in-app crypto, etc.

Users are not stupid; they do know when they are being abused, and they will retaliate by either blocking your “smart” ways to abuse them or simply not installing/using your apps.

Another way to screw with your users is to force-feed them a Software Reporter Tool.
And who would do that? Well… Google.

And here is how the users react to it:
How to block the Chrome Software Reporter Tool (software_reporter_tool.exe)