New drive-by cryptocurrency mining scheme persists after you exit your browser window

A practice referred to as drive-by cryptomining has increasingly attracted attention in recent months as a relatively new way for bad actors to generate cryptocurrency. The practice works by leveraging the CPU resources of visitors to websites that have either been hacked or are otherwise malicious, potentially tapping into the power of millions of PCs. The one catch is that the mining only persists as long as someone is on the website, stopping the second a visitor navigates away from the malicious page. A new technique recently discovered by researchers, however, allows drive-by cryptomining to persist even after someone has left the website or otherwise exited the browser window.

Described by researchers at Malwarebytes (via Ars Technica), the new method discreetly opens a pop-under window that hides behind the clock on the Windows taskbar. Once open, the window sits there, continuing to mine cryptocurrency and eating up CPU resources in a way that avoids attracting attention from most users. From Malwarebytes:

This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the "X" is no longer sufficient. The more technical users will want to run Task Manager to ensure there is no remnant running browser processes and terminate them. Alternatively, the taskbar will still show the browser's icon with slight highlighting, indicating that it is still running.

Interestingly, although CPU usage spikes to above 50 percent while the window is open, the code has been designed not to max out CPU activity, making it more likely to go unnoticed.

Hidden Cryptomining

The researchers observed the technique working with the latest version of Google Chrome on Windows 7 and Windows 10. As for other browsers, the firm says "results may vary." As Malwarebytes suggests, it might be wise to keep an eye on Task Manager to make sure no extra browser processes remain running after you've exited the window. If a window is still running, the browser's icon should remain highlighted on the taskbar as well.
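
The Task Manager check described above can also be scripted. The following PowerShell is an added example, not code from Malwarebytes or the original article; the browser process names, the 5-second sample window and the 10 percent threshold are assumptions chosen for illustration. Run it after closing every browser window you can see.

```powershell
# Added example: list browser processes that are still running after the
# visible windows were closed, and measure how much CPU each one is using.
# Assumed values (not from the article): process names, sample time, threshold.
$browserNames    = 'chrome', 'msedge', 'firefox'
$sampleSeconds   = 5
$cpuThresholdPct = 10      # percent of total CPU capacity across all cores
$cores           = [Environment]::ProcessorCount

function Get-BrowserCpuSnapshot {
    # Map process Id -> accumulated CPU seconds for every matching process.
    $snap = @{}
    Get-Process -Name $browserNames -ErrorAction SilentlyContinue | ForEach-Object {
        # TotalProcessorTime may be unreadable for processes owned by other users.
        try { $snap[$_.Id] = $_.TotalProcessorTime.TotalSeconds } catch { }
    }
    return $snap
}

$before = Get-BrowserCpuSnapshot
if ($before.Count -eq 0) {
    Write-Output 'No browser processes are running.'
    return
}

Start-Sleep -Seconds $sampleSeconds
$after = Get-BrowserCpuSnapshot

$report = foreach ($id in $after.Keys) {
    if (-not $before.ContainsKey($id)) { continue }   # started mid-sample
    $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
    if (-not $proc) { continue }                      # exited mid-sample
    # CPU seconds consumed during the sample, as a share of all cores.
    $pct = 100 * ($after[$id] - $before[$id]) / ($sampleSeconds * $cores)
    [pscustomobject]@{
        Id          = $id
        Name        = $proc.ProcessName
        CpuPercent  = [math]::Round($pct, 1)
        Busy        = ($pct -ge $cpuThresholdPct)
        WindowTitle = $proc.MainWindowTitle   # empty unless the process owns a top-level window
    }
}

$report | Sort-Object CpuPercent -Descending | Format-Table -AutoSize
```

Any row in the output is a browser process that outlived the windows you closed; rows marked Busy are consuming sustained CPU and can be ended from Task Manager or with `Stop-Process -Id <Id>`.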

Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl

7 Comments
  • Go Chrome. 👍
  • I shut my computer down when not using it. NVMe SSD, so it boots almost as fast as it wakes from sleep. If I leave the room for 10 minutes, it still gets shut down. Shut down is the new sleep for me. No use wasting any power of running my silicon at all if I'm not using it. Microsoft needs to go the Apple route and build security features directly into their browser. This is absolutely NOT something that should be left to third party developers. Tracking protection and content blockers should be basic out of the box features. The web space is as dangerous as the desktop binary space. Windows Defender is not enough.
  • Chrome is Google's browser, not Microsoft's.
  • You might want to test if the computing power for shutting down and starting up again might exceed 10 minutes of idle time. It's very likely (yet I won't bet on it).
  • Proper browsers already have all the protections you mention. Chrome is not one of those. Edit: Besides... Microsoft was the first company to build protection into their browser.
  • Why are pop under windows even allowed? Why would Windows allow a window to be positioned lower than the task bar?
  • Because if that bottom area of the screen is blocked from access nothing could ever use the full resolution of the screen. If you lock everything down, you can do very little. Welcome to reality. It bytes.