We usually receive malicious and suspicious files or web links via email. In this case, the submission consisted of a photo which showed an "ad banner" printed on paper. It advertised mining cryptocurrency using a browser. The use of browser plugins is not a new invention. What is new, though, is the fact that this method is advertised "offline", outside the internet. An alert reader of our blog sent us the picture, asking us to take a look at what was going on there. Naturally, with us being curious by nature, we could not resist.
In our blog, we have also covered current trends in cryptomining in the past. In a nutshell, users share the computing capabilities of their PCs for mining Bitcoin or another cryptocurrency. Ideally, this happens with the knowledge and consent of the user.
All clear - for now
The notice addresses users of Chrome and Firefox in particular. They should use the provided link to install an add-on in their browser in order to mine Bitcoins "without any risks and free of charge". We have taken a closer look at the advertised add-on called "Cryptotab". The good news is: we could not find evidence of foul play (as of May 30th, 2018). The add-on does not appear to contain malware. One could argue, though, that one of Cryptotab's additions could be classified as a "potentially unwanted program" (PUP). On the other hand: a user must actively install this optional module. Furthermore, the notice also contains a QR code which points to a registration site. This link will be important later on.
All things considered, everything should be perfectly fine, right? Yes and no. While the Cryptotab add-on itself does not contain harmful components, there are two things that stick out. For one, when installing the add-on, the user is also asked if he would like to install a component called "mybit". Mybit is a custom search engine as you would find in Firefox (see screenshot). When installing the add-on and performing a search using mybit, the user is redirected to the search results of the Yahoo search engine.
It is unclear what happens with the search terms that are entered and we are limited to conjecture here. The only thing that is certain is that any data entered into the mybit search field is sent to its makers.
If you are now wondering why someone takes to using paper notices to get people to use the mining add-on, you're in good company. We have been asking ourselves the same question. The answer to this question lies in the QR code which is printed on it and on the website of the add-on's provider. The provider uses a so-called "affiliate marketing" strategy. If someone successfully manages to acquire a new user for the add-on, he or she receives a commission of 15 per cent of the cryptocurrency mined by this user (although the website lacks information about the time span the commission is based on). To receive the commission, the advertiser must ensure that the new customer uses this specific and unique link to register. This is what is contained in the QR code.
So, this type of advertising is not based on pure philanthropy. Still, we would have expected this type of advertising to be a purely internet-based model - and not one found in the parking lot of a supermarket.
Our verdict: Curious and interesting, but not really dangerous.
Affiliate Marketing is a primarily internet-based sales method, where a partner (called an "affiliate" in this case) advertises a certain product or service. Depending on the model, they are provided with a unique link or ad banner which they can distribute as they see fit. If someone uses the affiliate's link, the company knows that this visitor has been directed to their website by clicking that particular affiliate's link or banner. The commission that an affiliate receives can be based on different factors. A commission might be paid if the visitor subsequently buys something from a shop (this is a model frequently used by Amazon, for instance). Other models might pay the affiliates based on whether a certain program is installed ("pay per install") or if a new user successfully registers for a service ("pay per registration").