CBS’s Showtime Caught Secretly Mining Cryptocurrency in Visitors’ Web Browsers
Over the weekend, a user on Twitter pointed out that two of Showtime’s websites had a script running in the background that’s used to hijack visitors’ CPUs to mine cryptocurrency. Other users and outlets later confirmed that the code was present. Now it’s gone, and Showtime refuses to answer questions.
It turns out torrenting platforms are not the only ones toying with alternative methods to convert traffic to cash. A week after The Pirate Bay admitted to secretly running a cryptominer that borrowed visitors’ CPU resources to mine Monero coins, television giant CBS was caught doing the same with Showtime.
Cryptocurrency miners have been in the news recently because The Pirate Bay caught some flak about a week ago for testing out a new service called Coinhive without informing users. The Coinhive miner uses the website visitors’ extra CPU power to generate a cryptocurrency called Monero (it’s like bitcoin but more private). This isn’t necessarily a nefarious thing to do. Coinhive is trying to present itself as a novel and legitimate way for websites to make some money from visitors. The company takes 30 percent of the Monero that’s mined by users’ CPUs and the website keeps the rest. It could be a nice way to avoid advertising—but it’s not cool to do this without getting users’ permission.
If Showtime intentionally included the script, it would be a less worrisome situation. As we said, this code isn’t necessarily bad; it just takes up some of your processing power. But even though Coinhive is just a couple of weeks old, researchers have found that malware developers have quickly begun to add it to their toolbox of scams. Coinhive doesn’t endorse that kind of usage and has explicitly voiced its disapproval of using its service without notifying users.
The comment around the script in the code refers to New Relic, which is also the name of a web analytics firm. We reached out to the firm to ask if they had any knowledge about the situation. A spokesperson declined to confirm what relationship New Relic has with Showtime, but denied the code was inserted by one of their workers:
“We take the security of our Browser Agent extremely seriously and have multiple controls in place to detect malicious or unauthorized modification of its script at various points along its development and deployment pipeline. Upon reviewing our products and code, the HTML comments shown in the screenshot that are referencing newrelic were not injected by New Relic’s agents. It appears they were added to the website by its developers. Given that this block was not injected by the New Relic agent, we have nothing further to comment.”
In the end, we don’t really know what’s happening here. Neither Showtime nor New Relic wants to talk about it.