The use of 3rd Party JavaScript is endemic in websites these days, so not a big surprise that attackers are targeting them, given they've got an application (cryptomining) that can generate a revenue stream.
Unfortunately a lot of companies don't really seem to realise that when they include 3rd party JS they're implicitly trusting the security of that third party. I'd imagine many don't do much in the way of due diligence before including the scripts.
As mentioned in Scott's related blog post (https://scotthelme.co.uk/protect-site-from-cyrptojacking-csp...) SRI is a decent, at least partial, defence against this kind of thing, but unfortunately it hasn't (in my experience) seen much in the way of takeup as yet.
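An added illustration of the SRI point in the comment above (not code from the thread or from the linked blog post): a Node.js sketch that lists the third-party scripts a page loads without an `integrity` attribute, and shows a pinned hash rejecting a script body that changed after it was pinned. The hostnames, script bodies and function names are constructed for the example.

```javascript
// Added example. All hosts and script bodies below are constructed samples.
const { createHash } = require("node:crypto");

// Value for a <script integrity="..."> attribute: "<alg>-<base64 digest>".
function sriValue(body, alg = "sha384") {
  return `${alg}-${createHash(alg).update(body, "utf8").digest("base64")}`;
}

// Mirror the browser check: only hashes using the strongest listed algorithm
// count, and the fetched body must match one of them.
function matchesIntegrity(body, integrity) {
  const tokens = integrity.trim().split(/\s+/)
    .map((t) => /^(sha256|sha384|sha512)-[A-Za-z0-9+/=]+$/.exec(t))
    .filter(Boolean);
  if (tokens.length === 0) return true; // no usable hash: nothing is enforced
  const strongest = tokens.map((m) => m[1]).sort().pop();
  return tokens.some((m) => m[1] === strongest && sriValue(body, strongest) === m[0]);
}

// List cross-origin <script src> URLs that carry no integrity attribute.
// Regex matching is a simplification; a real audit should use an HTML parser.
function scriptsMissingSri(html, pageOrigin) {
  const missing = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\ssrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src) continue; // inline script, nothing is fetched
    const url = new URL(src[1], pageOrigin);
    const pinned = /\sintegrity\s*=\s*["'][^"']+["']/i.test(tag);
    if (url.origin !== new URL(pageOrigin).origin && !pinned) missing.push(url.href);
  }
  return missing;
}

// Constructed sample: one first-party script, one unpinned and one pinned vendor script.
const vendorScript = "function readAloud(el) { return el.textContent; }";
const tamperedScript = vendorScript + "\n/* code appended after a vendor compromise */";
const pinnedHash = sriValue(vendorScript);
const samplePage = `<head>
<script src="/js/site.js"></script>
<script src="https://cdn.vendor.example/widget.js"></script>
<script src="https://cdn.vendor.example/reader.js"
        integrity="${pinnedHash}" crossorigin="anonymous"></script>
</head>`;

console.log("unpinned third-party scripts:", scriptsMissingSri(samplePage, "https://www.site.example"));
console.log("original body accepted:", matchesIntegrity(vendorScript, pinnedHash));
console.log("tampered body accepted:", matchesIntegrity(tamperedScript, pinnedHash));
```

A pinned hash also blocks legitimate vendor updates until the hash is refreshed, so SRI works best with versioned script URLs.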
Are these miners effective enough? I guess, at scale they should have some value but my initial gut feeling would lead me to believe that even a huge botnet can hardly compete with dedicated hardware.
Some cryptocurrency algorithms are designed to be less amenable to acceleration with special hardware, so that CPU mining remains effective. Monero, the one involved in this case, appears to be one such.
They are effective enough at creating a poor user experience, eating all the user's CPU without their permission in exchange for government-provided text and wasting energy.