The use of 3rd Party JavaScript is endemic in websites these days, so not a big surprise that attackers are targeting them, given they've got an application (cryptomining) that can generate a revenue stream.

Unfortunately a lot of companies don't really seem to realise that when they include 3rd party JS they're implicitly trusting the security of that third party. I'd imagine many don't do much in the way of due diligence before including the scripts.

As mentioned in Scott's related blog post (https://scotthelme.co.uk/protect-site-from-cyrptojacking-csp-sri/) SRI is a decent at least partial defence against this kind of thing, but unfortunately it hasn't (in my experience) seen much in the way of take-up as yet.
Related tweet: https://twitter.com/fransrosen/status/962709013329670145

"Same attack as described here: https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/ … it's scripts hosted in a S3-bucket without proper access controls"

Edit. Also see https://scotthelme.co.uk/protect-site-from-cyrptojacking-csp-sri/
Are these miners effective enough? I guess, at scale they should have some value but my initial gut feeling would lead me to believe that even a huge botnet can hardly compete with dedicated hardware.