Over 4,000 websites ended up leaching away visitors' computing power on Sunday. The reason? A hacker had infected the sites with a cryptocurrency miner.
USCourts.gov and dozens of UK government-related sites, including data privacy advocate the Information Commissioner's Office, were unknowingly pulled into the hacking scheme.
All of the websites were found carrying a web script that secretly mined a digital currency called Monero over the browser, according to a UK-based security researcher named Scott Helme, who noticed the problem on Sunday. (A list of the affected websites can be found here.)
However, none of the destinations were hosting the code individually. The hacker behind the scheme embedded the cryptocurrency miner into a third-party tool called Browsealoud, which ran across the sites. On Sunday, the company behind the tool, Texthelp, confirmed the incident, which lasted for four hours. "This was a criminal act," the company added.
The third-party tool is designed to translate and read text aloud across a webpage. Although it isn't clear how the product was infiltrated, Texthelp pulled the plug on the mining by taking Browsealoud offline until Tuesday.
The good news is that the hacking only focused on mining Monero, a process that can drag down your computer's performance, but doesn't involve lifting passwords or credit card information. "No customer data has been accessed or lost," Texthelp said.
However, the incident is the latest in a long line of cryptocurrency mining attacks, which security experts say have exploded in recent months. In January, for instance, YouTube was pulled into a similar scheme that involved seeding the video platform's ads with mining software to generate virtual currency.
As a result, cybercriminals have been tampering with numerous websites and slipping in Coinhive's mining script. Sunday's incident used the same playbook: Browsealoud's code was changed to also host Coinhive's miner, Helme found.
It isn't known who runs Coinhive. But on Monday, the operators confirmed that their miner had been used in Sunday's hijacking scheme. "This indeed used our service and mined about 0.1 XMR [0.1 Monero or $24] over the past weekend. It's a sharp but very short spike in hash rate. We have terminated the account in question," Coinhive said in an email.
The operators of Coinhive initially denied that their service had been involved; they first claimed that the attackers used their own servers to host a miner copied from Coinhive.
However, both Helme and another security researcher named Troy Mursch told PCMag that the evidence still pointed to the hackers using a miner directly hosted by Coinhive. (Helme also uploaded the snippet of Browsealoud code that contained the Coinhive domain.) The operators behind Coinhive later sent another email, correcting their statement.
On the same day, the UK's National Cyber Security Centre issued an advisory about the incident, calling the malicious cryptocurrency mining "illegal."
Fortunately, it isn't hard to stop in-browser mining. Usually all it takes is closing the window of the website hosting the miner. Antivirus products and browser extensions can also automatically flag and block the miners.
Source : https://www.pcmag.com/news/359180/cryptocurrency-miner-invades-4-000-sites-via-third-party-too