Over 4,000 websites ended up leaching away visitors’ computing power on Sunday. The reason? A hacker had infected the sites with a cryptocurrency miner.
USCourts.gov and dozens of UK government-related sites, including data privacy advocate the Information Commissioner’s Office, were unknowingly pulled into the hacking scheme.
All of the websites were found carrying a web script that secretly mines a digital currency called Monero in the visitor’s browser, according to a UK-based security researcher named Scott Helme, who noticed the problem on Sunday. (A list of the affected websites can be found here.)
However, none of the destinations were hosting the code individually. The hacker behind the scheme managed to embed the cryptocurrency miner into a third-party tool called Browsealoud that had been running across the sites.
On Sunday, the company behind the tool, Texthelp, confirmed the incident, which it said lasted only for four hours. “This was a criminal act,” the company added.
The third-party tool is designed to translate and read out loud text across a webpage. Although it isn’t clear how the product was infiltrated, Texthelp pulled the plug on the mining by taking Browsealoud offline until Tuesday.
The good news is that the hacking only focused on mining Monero, a process that can drag down your computer’s performance, but doesn’t involve lifting passwords or credit card information. “No customer data has been accessed or lost,” Texthelp said.
However, the incident is the latest in a long line of cryptocurrency mining attacks, which security experts say have exploded in number in recent months. In January, for instance, YouTube was pulled into a similar scheme that involved seeding the video platform’s ads with mining software to generate the virtual currency.
As a result, cybercriminals have been tampering with numerous websites and slipping in Coinhive’s mining script. Sunday’s incident pulled from the same playbook. Helme examined the affected Browsealoud code and found it had been changed to also host Coinhive’s miner.
Who runs Coinhive still isn’t known. But on Monday the operators behind the service also confirmed that their miner had been used in Sunday’s hijacking scheme.
“This indeed used our service and mined about 0.1 XMR [0.1 Monero or $24] over the past weekend. It’s a sharp but very short spike in hash rate. We have terminated the account in question,” Coinhive said in an email.
The operators of Coinhive initially denied that their service had been involved; they first claimed that the attackers had used their own servers to host a miner copied from Coinhive.
However, both Helme and another security researcher named Troy Mursch told PCMag that the evidence still pointed to the hackers using a miner directly hosted by Coinhive. (Helme himself also uploaded the snippet of Browsealoud code that contained the Coinhive domain.)
The operators behind Coinhive later sent another email, correcting their statement.
On the same day, the UK’s National Cyber Security Centre issued an advisory about the incident, calling the malicious cryptocurrency mining “illegal.”
Fortunately, it isn’t hard to stop in-browser mining. Usually all it takes is closing the window of the website hosting the miner. Antivirus products and browser extensions can also automatically flag and block the miners.