Government websites hijacked by cryptomining plugin

Over 4000 websites thought to have been hit.


More than 4000 websites, including many belonging to governments around the world, were hijacked this weekend by hackers who managed to plant Coinhive cryptocurrency-mining code designed to exploit the resources of visiting computers.

High-profile websites impacted by the hack included the UK’s Information Commissioner’s Office, NHS websites, and even the homepage of the United States Courts - uscourts.gov.

The alarm was raised by British security researcher Scott Helme, who posted details on Twitter as he found more and more affected sites, and narrowed down the problem to a popular plugin called “BrowseAloud”, which helps make websites more accessible to visually-impaired internet users.

No doubt many public sector organisations found themselves hit by the poisoned version of BrowseAloud because of their legal obligations to make their information accessible to people with disabilities.

Texthelp, the developers of BrowseAloud, posted an alert on its website and took the service offline:

At 11:14 am GMT on Sunday 11th February 2018, a JavaScript file which is part of the Texthelp Browsealoud product was compromised during a cyber attack. The attacker added malicious code to the file to use the browser CPU in an attempt to illegally generate cryptocurrency. This was a criminal act and a thorough investigation is currently underway.

Texthelp can report that no customer data has been accessed or lost. The company has examined the affected file thoroughly and can confirm that it did not redirect any data, it simply used the computers' CPUs to attempt to generate cryptocurrency. The exploit was active for a period of four hours on Sunday.

Things could have been much worse. Imagine if the plugin had been tampered with to steal login passwords rather than steal CPU resources from visiting computers.

Whenever you use someone else’s code on your website you’re often increasing your attack surface. If a hacker wants to infect four thousand websites, it’s likely to be a lot less effort to tamper with one third-party script which is used by four thousand websites than to compromise each website one-by-one.
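One defence against a tampered third-party script is Subresource Integrity (SRI), where the page pins a hash of the file it expects and the browser refuses anything else. The sketch below is an added example, not part of the original article and not Texthelp's code; it models the browser's check in Node.js, and the script contents and URL are constructed placeholders.

```javascript
// Added example: models the browser's Subresource Integrity (SRI) check.
const crypto = require("node:crypto");

// Hash algorithms SRI accepts, weakest to strongest.
const ALGOS = ["sha256", "sha384", "sha512"];
const TOKEN = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/=]+)(\?.*)?$/;

// Build an integrity value such as "sha384-<base64 digest>".
function sriHash(body, algo = "sha384") {
  const digest = crypto.createHash(algo).update(body, "utf8").digest("base64");
  return `${algo}-${digest}`;
}

// Decide as a browser would: ignore malformed tokens, keep only the strongest
// algorithm listed, and accept the file if any hash for that algorithm matches.
function integrityMatches(body, integrityAttr) {
  const entries = integrityAttr
    .trim()
    .split(/\s+/)
    .map((token) => TOKEN.exec(token))
    .filter(Boolean)
    .map((m) => ({ algo: m[1], digest: m[2] }));
  // No usable hash means no protection: the script loads unchecked.
  if (entries.length === 0) return true;
  const strongest = entries
    .map((e) => e.algo)
    .reduce((a, b) => (ALGOS.indexOf(b) > ALGOS.indexOf(a) ? b : a));
  return entries
    .filter((e) => e.algo === strongest)
    .some((e) => sriHash(body, e.algo) === `${e.algo}-${e.digest}`);
}

// Emit the tag a site owner would publish for a pinned third-party file.
function scriptTag(url, body) {
  return `<script src="${url}" integrity="${sriHash(body)}" crossorigin="anonymous"></script>`;
}

// Constructed sample input: a stand-in for the vendor's file and a modified copy.
const ORIGINAL = "window.accessibilityToolbar = { speak() {} };\n";
const TAMPERED = ORIGINAL + "/* placeholder for code appended by an attacker */\n";

// Hypothetical URL, for illustration only.
console.log(scriptTag("https://cdn.example/toolbar.js", ORIGINAL));
console.log("original accepted:", integrityMatches(ORIGINAL, sriHash(ORIGINAL)));
console.log("tampered accepted:", integrityMatches(TAMPERED, sriHash(ORIGINAL)));
```

SRI only works when the vendor serves a fixed, versioned file; a script that the vendor updates in place will stop loading as soon as its contents change.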


2 Responses

  1. Brian

    February 12, 2018 at 7:58 am #

    Thanks for the heads-up. For the security conscious but technically illiterate perhaps there is a browser extension for FF and others that can be recommended to guard against this? I see there are a few but it is difficult to know which are effective.

    • Graham Cluley in reply to Brian.

      February 12, 2018 at 10:12 am #

      Some anti-virus software and many ad blockers (you’re running an ad blocker, right?) can prevent Coinhive’s cryptocurrency-mining code from running without your permission.

      Learn more here: https://github.com/hoshsadiq/adblock-nocoin-list/blob/master/README.md
