Thousands of websites, including a number of sites operated by the governments of the United States and United Kingdom, were found to be running cryptomining software that mined for cryptocurrency whenever users visited the infected sites.
Security researchers discovered the widespread cryptojacking scheme over the weekend, in which as many as 4,275 websites were found running the malicious code. Affected sites included the UK’s Information Commissioner’s Office—a national data protection and privacy watchdog organization—and the U.S. court information portal.
Other sites infected with the cryptomining software included City University of New York, Lund University, the UK Student Loans Company and Financial Ombudsman Service, National Health Services websites, and others. Australian government sites were also hit.
When users visit the sites, the processing power of their computer is hijacked and used to mine for cryptocurrency. The digital currency generated by visitors to the sites is pocketed by the attackers who injected the code onto the sites.
The source of the attack was traced by information security consultant Scott Helme to a plugin called Browsealoud. Created by UK company TextHelp, the plugin enables screen reading software used by people with hearing impairments to navigate the web.
The plugin is utilized by thousands of sites, which resulted in those sites accidentally becoming hosts to a cryptojacking scam. The websites with the plugin would hijack the computing power of a visitor's machine and use it to mine for the anonymous cryptocurrency Monero.
The script uses a victim’s processor to generate the cryptocurrency—a task that involves solving complicated mathematical problems in order to process transactions and release additional currency—which is collected by the attackers.
The hijacking script uses Coinhive, a popular mining script that itself is not intended to be malicious—at least according to its creators—but has gained a reputation for being used in these types of attacks, often referred to as cryptojacking.
In response to the attack, TextHelp temporarily took its Browsealoud plugin offline to address the issue. The company has assured its users that no customer data was compromised, accessed or lost by the attack.
“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year. Our data security action plan was actioned straight away and was effective, the risk was mitigated for all customers within a period of four hours,” Martin McKay, CTO and Data Security Officer, said in a statement.
“Texthelp has in place continuous automated security tests for Browsealoud - these tests detected the modified file and as a result the product was taken offline. This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action,” McKay said.
Cryptojacking attacks have cropped up in a number of ways online. Some websites have used the tactic to generate income without disclosing the practice to users. Cryptomining code has also been hidden in web browser extensions and other tools that hijack a user’s processor. Generally speaking, such code is harmless other than using a victim’s processing power without their permission.
“The meteoric rise of cryptocurrency valuations has shifted cyberattack activity to focus squarely on obtaining Monero and Bitcoin,” Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, told International Business Times.
“Given the bubble-like rise in valuations, cryptocurrencies represent a new and highly valuable opportunity by cybercriminals to increase their malware riches. The price of Monero doubled in the last three months, which shows continued adoption by the community,” Bilogorskiy said.