Possibly more than 4,000 websites were injected with Coinhive’s Monero miners, causing the computers of those visiting the websites to mine for Monero. Among the thousands of websites affected are those of US and UK governments, including uscourts.gov (United States Courts), ico.org.uk (Information Commissioner’s Office) and sites belonging to UK’s NHS services.
For several hours on Sunday, anyone visiting the websites on this list were unknowingly loaning their CPU to help mine for cryptocurrency. This was first revealed by Infosec consultant Scott Helme, who noticed that UK’s Information Commissioner’s Office website ico.org.uk was using Coinhive’s cryptojacking script. Upon further investigation, Helme observed that many other websites were doing the same thing.
Popular script BrowseAloud was injecting the code into the websites
“If you want to load a crypto miner on 1,000+ websites you don’t attack 1,000+ websites, you attack the 1 website that they all load content from,” Helme explained in a blog post. And that 1 turned out to be BrowseAloud.
BrowseAloud, offered by Texthelp, helps visually impaired people access the Internet easier, by reading out website content to them. It was being utilized on all of the affected websites, and it was found that a malicious code in its script was injecting the Monero miner into the sites. Thus, anyone visiting those sites ended up helping to mine Monero.
Once the company behind the script was notified, it was taken down until an investigation took place. Their statement on the situation can be read here. An investigation has been launched, as the mining was done illegally.
The more than 4,000 affected websites include UK’s Student Loan, NHS services, US court and other goverment pages. It is not yet certain how this happened but this should not have put any users at risk. When someone entered the compromised websites, a miner would launch and use the visitors’ computers to mine for cryptocurrency. It uses a computer’s resources to do this, and that is why the device may slow down or act sluggish. This is rather noticeable, although if the site was accessed for only a short period of time, users may have missed it. This does not harm the computer, merely hinders normal device usage and browsing. And once the website with the miner is exited, the mining stops.
These kinds of miners are gaining popularity, particularly among free streaming websites, some using them as alternative to advertisements. However, the problem lies in website owners not informing the users of what is happening, thus the mining is occurring without users’ agreement. In this case, a malicious party inserted the code into the script without the company behind it being aware, which then launched miners to mine Monero without user consent.
Helme explains that this is not a new type of attack, and is easily preventable. Details on how to ensure crypto miners cannot be inserted can be found on his blog post, linked above.