Cybercriminals love cryptocurrencies. With the skyrocketing values observed over the last several months, and with the level of anonymity some of the digital currencies provide, they are a perfect way of extracting gains from illegal activities online. And an even greater incentive for the crooks is that they don't necessarily need to socially engineer or trick people into parting with crypto coins. Under the right circumstances, all the users need to do is visit a website, and without their knowledge, their personal computers are suddenly turned into mining rigs that complete thousands of calculations per second to generate digital money for cybercriminals. On Sunday, we saw that happening.
Security researcher Scott Helme had an eyebrow-raising moment when he found out that, all of a sudden, quite a few high-profile websites had started using visitors' computers to mine Monero, a cryptocurrency whose proof-of-work was designed to be mined on an ordinary PC's CPU rather than on specialized hardware. Among the affected websites were those of the UK's Information Commissioner's Office, the Swedish Police, the US Courts, and a number of web portals belonging to various states in the USA. Later, Helme shared a list of just over 4,000 websites that were caught up in the mining campaign, and a quick look reveals that many of them are run by government organizations in the US, Britain, Ireland, and Australia. Such sites attract significant traffic, so despite the campaign landing on a quiet day of the week, and despite the fact that the mining script was designed to throttle CPU usage (i.e. not letting the processor run at full chat), the crooks were able to harness the hardware of quite a few computers and probably made off with some tasty loot. But who were the crooks, and how did they do it?
The common factor was Browsealoud, a text-to-speech accessibility plugin from the vendor Texthelp that all of the affected sites load as a single third-party JavaScript file hosted on Texthelp's servers. Sadly, someone apparently got access to those servers, opened the plugin's JS file, and injected some obfuscated code which, when decoded, loads the CoinHive mining script. Because every site that embeds the plugin fetches that one file on each page view, changing it once was enough to turn thousands of sites into miners at the same moment. Helme and quite a few other researchers quickly notified Texthelp, and the service was immediately taken offline. In a statement, Texthelp said that they're investigating the matter.
When government websites misbehave, people tend to get a touch overly paranoid, and that's understandable. The truth is, however, yesterday's attack wasn't that severe, and the quick actions of both the researchers and Texthelp limited the damage. Unfortunately, it must also be said that it could have been much, much more devastating.
Yesterday, the crooks decided to mine for Monero, but the next time they find a third-party plugin that can be tampered with (it's a question of "when," not "if"), they might decide to use it for something much more sinister, such as stealing credentials or form data from the host page, or deploying malware. And because virtually all websites, both big and small, load third-party scripts, users have no way of knowing when they might fall victim to such an attack.
In the aftermath of yesterday's campaign, Scott Helme and Troy Hunt, another widely recognized security researcher, each wrote a post on what could be done to mitigate similar attacks in the future. Both point to the same two browser features: Subresource Integrity (SRI), which lets a site pin the exact hash of a third-party script so that a modified copy is refused, and Content Security Policy (CSP), which restricts where scripts may be loaded from at all. We, the regular users, can do little more than hope that administrators listen to what the experts have to say and take action before it's too late.