Thousands of websites including ones run by the US and UK governments secretly hijacked browsers to mine cryptocurrency thanks to a compromised plugin.
According to the Register, all of the afflicted websites ran British tech company Texthelp’s Browsealoud plugin, which reads out websites for people with visual impairments like full or partial blindness or conditions like dyslexia. It’s unknown at this time whether the someone external to the company was able to compromise the plugin or an insider decided to hijack it for fun and profit, but the list of websites is pretty extensive:
A list of 4,200-plus affected websites can be found here: they include The City University of New York (cuny.edu), Uncle Sam’s court information portal (uscourts.gov), Lund University (lu.se), the UK’s Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner’s Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), plus a shedload of other .gov.uk and .gov.au sites, UK NHS services, and other organisations across the globe.
Manchester.gov.uk, NHSinform.scot, agriculture.gov.ie, Croydon.gov.uk, ouh.nhs.uk, legislation.qld.gov.au, the list goes on.
The afflicted pages ran a Javascript-powered Monero miner from Coinhive, the very one which has been implicated in numerous similar incidents. Coinhive, which takes a 30 per cent cut of anything mined using unmodified versions of its plugin, officially discourages embedding their miner in websites without informing users up front that it may take a (sometimes significant) slice of their computers’ processing power. But unscrupulous cybercriminals have used it to run Monero-generating botnets that in theory always turn a profit because there’s no real overhead and they’re not paying for the electricity used. Offloading those costs to random web users by injecting miners into other peoples’ websites, an attack called cryptojacking, has quickly become widespread and prior attacks are estimated to have generated hundreds of thousands in profits for hackers.
“The injected mining code was obfuscated, but when converted from hexadecimal back to ASCII it spelled out the necessary magic to summon Coinhive’s stealthy JavaScript miner to the page,” the Register reported.
The price of XMR, Monero’s token, peaked at nearly $US500 ($640) earlier this month but has since fallen back down to around $US240 ($307), according to sites which track the prices of cryptocurrency.
“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline,” Texthelp chief technology officer Martin McKay said in a statement. The company added that “This was a criminal act and a thorough investigation is currently underway” by an independent security company.