Tuesday, February 11, 2025
HomeCryptocurrency hackAttackers Hijacked 4275 Websites Including U.S. & UK Govt Sites to Run...

Attackers Hijacked 4275 Websites Including U.S. & UK Govt Sites to Run Cryptocurrency Mining Script

Published on

SIEM as a Service

Follow Us on Google News

Attackers hijacked 4275 websites to inject Coinhive Monero miner including the websites of government authorities(ico.org.uk), NHS Foundation (nhs.uk), and uscourts.gov. Crypto-Mining Attacks are one of the biggest emerging threats for enterprises. And the recent trend is more mainstream and is done directly via web pages.

One thing in common for all the infected websites is Browsealoud plugin provided by texthelp that adds speech, reading, and translation to the website has been compromised and it’s host scripts was modified.

The mining script was first noticed by Information Security Consultant Scott HelmeIf you want to load a crypto miner on 1,000+ websites you don’t attack 1,000+ websites, you attack the 1 website that they all load content from“Helme said.

Crypto-Mining Attacks

Attackers altered the ba.js file and include document.write call that adds Coinhive crypto miner to any number of the page that loaded in to.

What’s Coinhive?

Coinhive offers a JavaScript miner for the Monero Blockchain that can be embedded into other Web sites. The users run the miner directly in their Browser and mine XMR for the site owner in turn for an ad-free experience, in-game currency or whatever incentives they are availing to their users/visitors.

With further investigation, Helme identified a number of sites have been injected including the government websites of numerous countries.Here is the affected websites list.

Texthelp the plugin provider confirmed it was hacked on 11.14am on Sunday and the hack lasts for four hours. Now the plugin was temporarily taken down by Texthelp.

Texthelp data security officer Mr. McKay said: “Texthelp has in place continuously automated security tests for Browsealoud, and these detected the modified file and as a result, the product was taken offline”.

At GBHackers last November we identified a very popular torrent sharing fake site www.1337x.io added coinhive mining script.

Preventive Measures – Crypto-Mining Attacks

Helme suggested adding SRI Integrity attribute to the website which forces the browser to check the integrity, which allows it to reject the file. He has written an article explaining how to add SRI Integrity Attribute.

If you are a normal user, install AdGuard’s extension on your browser and you will be good to go.

If you are a geek, you would already probably know the trick. Hint: Use script blockers like uBlock Origin.

we suggest our users to be extra cautious while visiting sites on the internet from now on. And if you like some website or a blog and want to support them, you may allow them to mine crypto-currency using your computer’s energy.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

SHA256 Hash Calculation from Data Chunks

The SHA256 algorithm, a cryptographic hash function, is widely used for securing data integrity...

New Report of of 1M+ Malware Samples Show Application Layer Abused for Stealthy C2

A recent analysis of over one million malware samples by Picus Security has revealed...

Seven-Year-Old Linux Kernel Bug Opens Door to Remote Code Execution

Researchers have uncovered a critical vulnerability in the Linux kernel, dating back seven years,...

Ransomware Payments Plunge 35% as More Victims Refuse to Pay

In a significant shift within the ransomware landscape, global ransom payments plummeted by 35%...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Malicious Solana Packages Attacking Devs Abusing Slack And ImgBB For Data Theft

Malicious packages "solanacore," "solana login," and "walletcore-gen" on npmjs target Solana developers with Windows...

PHP Servers Vulnerability Exploited To Inject PacketCrypt Cryptocurrency Miner

Researchers observed a URL attempts to exploit a server-side vulnerability by executing multiple commands...

The Defender vs. The Attacker Game

The researcher proposes a game-theoretic approach to analyze the interaction between the model defender...