If you visit roadrunnernm.com, you may notice one of two things. Either the fans in your computer will start to spin very fast and make a lot of noise or your antivirus will (hopefully) pop a friendly alert that something malicious is going on with your browser. Why? Because unsuspecting visitors to this site are being exposed to a *drum roll* cryptocurrency miner!
Now, roadrunnernm.com isn't a fake company, and the webmaster isn't a malicious actor. So, how is this possible? Was roadrunnernm.com defaced? Actually, the problem lies in a small weather widget that's available on the site.
Firing up Burp Suite, we can see the requests being made through our proxy. The most recent request is made to a subdomain on coinhive.com, which is a glaring problem since I don't remember opting in to use the service. We can look at the previous request to get some insight on where this is coming from.
Ah, well, of course it's minified, because the last thing you want is for your cryptocurrency mining boot script to take up more space than necessary.
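The same inventory can be done without a proxy by parsing the page source, which is useful when auditing a site you run. This is an added example, not code from the original post: it lists every external script on a page, resolves relative and scheme-relative URLs, and flags hosts that are third-party or that match the two domains named above (coinhive.com and weatherfor.us). The sample HTML and the script paths in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts named in the write-up: the miner service and the widget that loads it.
SUSPECT_HOSTS = {"coinhive.com", "weatherfor.us"}


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag on a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def host_matches(host, suspect):
    """True for the suspect domain itself or any of its subdomains."""
    return host == suspect or host.endswith("." + suspect)


def audit_scripts(page_url, html):
    """Return (absolute_script_url, classification) for each external script.

    classification is 'first-party', 'third-party' or 'suspect'.
    """
    collector = ScriptCollector()
    collector.feed(html)
    site_host = (urlparse(page_url).hostname or "").lower()
    findings = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # handles "/path" and "//host/path"
        host = (urlparse(absolute).hostname or "").lower()
        if any(host_matches(host, s) for s in SUSPECT_HOSTS):
            kind = "suspect"
        elif host == site_host:
            kind = "first-party"
        else:
            kind = "third-party"
        findings.append((absolute, kind))
    return findings


# Constructed sample page: a site that embedded the weather widget.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="//weatherfor.us/widget.js"></script>
<script src="https://sub.coinhive.com/placeholder.js"></script>
<script src="https://cdn.example.net/jquery.min.js"></script>
</head><body><p>Weather today</p></body></html>"""

if __name__ == "__main__":
    for url, kind in audit_scripts("https://example.com/index.html", SAMPLE_HTML):
        print(f"{kind:12} {url}")
```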
A quick WHOIS for weatherfor.us:
Aaand a quick Google search:
Handsome looking guy! Unfortunately, I doubt Mr. Hassan created a weather widget that mines cryptocurrency. ¯\_(ツ)_/¯
The next question is, "How many sites are using this widget?" Well, this is where things get tricky. We can't Google Dork our way into finding which sites are using this because the widget's include lives in the page's HTML source, not in the text Google indexes. Using services like nerdydata.com and publicwww.com, we can tell there are about 300 websites that are using this widget, but we can't confirm most of these because they're hidden behind a paywall.
What do we take from this? Don't install or use untrusted third-party widgets or applications. Simple as that. Also, if you're using the weather widget from weatherfor.us, then maybe it's time to find a new one.