Hello, welcome to the Monday, October 2, 2017 edition of the Sanchez, Storm Center's Stormcast. My name is Johannes Orich, and I'm recording from Jacksonville, Florida.

Last week, we reported about Showtime being used in order to host Clineside JavaScript that would mine crypto coins.

The script in particular was created by Coin Hive, and I wouldn't characterize the script

as malicious, but more the use of the script without informing the user.

Now, I do think that video sites are so attractive to these scripts,

because of course the script will run the entire time that you are viewing the video.

The latest instance comes courtesy of Dave Holzer.

He found the script on Onitube.com, in part because it took so much resources

from his system that actually on his Mac, it alerted him that Safari took an exorbitant

amount of power. On video sites, of course, this may cause also problems with the playback quality if your

CPU is busy mining crypto coins and doesn't have any cycles left over in order to decode

video.

Now, this recent script from this weekend was heavily obfuscated.

The Showtime script, at least the samples that I have

seen mentioned from Showtime, were not obfuscated, so there was a little bit easier to spot

that it was actually a Coin Hive script. Now, one thing I noticed with Onitube was that they also

had some suspect advertisements for

flash player updates when I visited with my Mac, so probably not a high reputation site in the

first place.

At OS10 for a while now has marked downloaded files as suspicious and warned users whenever they

executed them.

That included JavaScript files and the user usually gets a pop-up box telling them that this

...