Compromised Third-Party Plugin Injects Monero-Mining Script into Thousands of Websites

monero mining script compromised websitesCybercriminals love cryptocurrencies. With the skyrocketing values observed over the last several months, and with the level of anonymity some of the digital currencies provide, they are a perfect way of extracting gains from illegal activities online. And an even greater incentive for the crooks is that they don't necessarily need to socially engineer or trick people into parting with crypto coins. Under the right circumstances, all the users need to do is visit a website, and without their knowledge, their personal computers are suddenly turned into mining rigs that complete thousands of calculations per second to generate digital money for cybercriminals. On Sunday, we saw that happening.

Security researcher Scott Helme had an eyebrow-raising moment when he found out that all of a sudden, quite a few high-profile websites had started using visitors' computers for mining Monero, a cryptocurrency that's relatively easy to generate on a regular PC. Among the affected websites were those of the UK's Information Commissioner's Office, the Swedish Police, the US Courts, and a number of web portals belonging to various states in the USA. Later, Helme shared a list of just over 4,000 websites that were engaged in the mining campaign, and a quick look reveals that many of them are run by government organizations in the US, Britain, Ireland, and Australia. This means that they attract significant traffic, and this, in turn, means that despite the quiet period of the week, and despite the fact that the mining script was designed to throttle CPU usage (i.e. not letting the processor run at full chat), the crooks were able to harness the hardware of quite a few computers and probably made off with a tasty loot. But who were the crooks and how did they do it?

Thankfully, whoever they are, they didn't actually manage to infiltrate the systems of thousands of government websites. Instead, they compromised a third-party plugin called Browsealoud. Browsealoud is a service that supposedly makes browsing quite a bit easier for people with reading difficulties and visual impairments. To activate it, website administrators need to paste a few lines of code into their HTML, and with them, their websites will fetch the JavaScript from Browsealoud's servers.

Sadly, someone apparently got access to Browsealoud's servers, opened the plugin's JS file, and injected some obfuscated code which, when decoded, activates the CoinHive mining script. Helme and quite a few other researchers quickly notified Texthelp, Browsealoud's vendor, and the service was immediately stopped. In a statement, Texthelp said that they're investigating the matter.

When government websites misbehave, people tend to get a touch overly paranoid, and that's understandable. The truth is, however, yesterday's attack wasn't that severe, and the quick actions of both the researchers and Texthelp limited the damage. Unfortunately, it must also be said that it could have been much, much more devastating.

Yesterday, the crooks decided to mine for Monero, but the next time they find a third-party plugin that can be exploited (it's a question of "when," not "if"), they might decide to use it for something much more sinister like deploying malware. And because virtually all websites, both big and small, use third-party plugins, the users have no way of knowing when they might fall victim to the attack.

In the aftermath of yesterday's campaign, Scott Helme and Troy Hunt, another widely-acknowledged security researcher, wrote two posts on what could be done in order to mitigate similar attacks in the future. We, the regular users, can do little more than hope that administrators listen to what the experts have to say and take action before it's too late.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.