Attackers hijacked 4275 websites to inject Coinhive Monero miner including the websites of government authorities(ico.org.uk), NHS Foundation (nhs.uk), and uscourts.gov. Crypto-Mining Attacks are one of the biggest emerging threats for enterprises. And the recent trend is more mainstream and is done directly via web pages.
One thing in common for all the infected websites is Browsealoud plugin provided by texthelp that adds speech, reading, and translation to the website has been compromised and it’s host scripts was modified.
Hey @texthelp you've been compromised, you need to address this ASAP. Their site also has the crypto miner running: pic.twitter.com/fl0U9ssZRr
— Scott Helme (@Scott_Helme) February 11, 2018
The mining script was first noticed by Information Security Consultant Scott Helme “If you want to load a crypto miner on 1,000+ websites you don’t attack 1,000+ websites, you attack the 1 website that they all load content from“Helme said.
Attackers altered the ba.js file and include document.write call that adds Coinhive crypto miner to any number of the page that loaded in to.
What’s Coinhive?
Coinhive offers a JavaScript miner for the Monero Blockchain that can be embedded into other Web sites. The users run the miner directly in their Browser and mine XMR for the site owner in turn for an ad-free experience, in-game currency or whatever incentives they are availing to their users/visitors.
With further investigation, Helme identified a number of sites have been injected including the government websites of numerous countries.Here is the affected websites list.
Ummm, so yeah, this is *bad*. I just had @phat_hobbit point out that @ICOnews has a cryptominer installed on their site… 😮 pic.twitter.com/xQhspR7A2f
— Scott Helme (@Scott_Helme) February 11, 2018
It's also on @uscourts! pic.twitter.com/UyPjzbEsPw
— Scott Helme (@Scott_Helme) February 11, 2018
Texthelp the plugin provider confirmed it was hacked on 11.14am on Sunday and the hack lasts for four hours. Now the plugin was temporarily taken down by Texthelp.
Texthelp data security officer Mr. McKay said: “Texthelp has in place continuously automated security tests for Browsealoud, and these detected the modified file and as a result, the product was taken offline”.
At GBHackers last November we identified a very popular torrent sharing fake site www.1337x.io added coinhive mining script.
Preventive Measures – Crypto-Mining Attacks
Helme suggested adding SRI Integrity attribute to the website which forces the browser to check the integrity, which allows it to reject the file. He has written an article explaining how to add SRI Integrity Attribute.
If you are a normal user, install AdGuard’s extension on your browser and you will be good to go.
If you are a geek, you would already probably know the trick. Hint: Use script blockers like uBlock Origin.
we suggest our users to be extra cautious while visiting sites on the internet from now on. And if you like some website or a blog and want to support them, you may allow them to mine crypto-currency using your computer’s energy.