Attackers hijacked 4275 websites to inject Coinhive Monero miner including the websites of government authorities(ico.org.uk), NHS Foundation (nhs.uk), and uscourts.gov. Crypto-Mining Attacks are one of the biggest emerging threats for enterprises. And the recent trend is more mainstream and is done directly via web pages.
One thing in common for all the infected websites is Browsealoud plugin provided by texthelp that adds speech, reading, and translation to the website has been compromised and it’s host scripts was modified.
The mining script was first noticed by Information Security Consultant Scott Helme “If you want to load a crypto miner on 1,000+ websites you don’t attack 1,000+ websites, you attack the 1 website that they all load content from“Helme said.
Attackers altered the ba.js file and include document.write call that adds Coinhive crypto miner to any number of the page that loaded in to.
What’s Coinhive?
Coinhive offers a JavaScript miner for the Monero Blockchain that can be embedded into other Web sites. The users run the miner directly in their Browser and mine XMR for the site owner in turn for an ad-free experience, in-game currency or whatever incentives they are availing to their users/visitors.
With further investigation, Helme identified a number of sites have been injected including the government websites of numerous countries.Here is the affected websites list.
Texthelp the plugin provider confirmed it was hacked on 11.14am on Sunday and the hack lasts for four hours. Now the plugin was temporarily taken down by Texthelp.
Texthelp data security officer Mr. McKay said: “Texthelp has in place continuously automated security tests for Browsealoud, and these detected the modified file and as a result, the product was taken offline”.
At GBHackers last November we identified a very popular torrent sharing fake site www.1337x.io added coinhive mining script.
Preventive Measures – Crypto-Mining Attacks
Helme suggested adding SRI Integrity attribute to the website which forces the browser to check the integrity, which allows it to reject the file. He has written an article explaining how to add SRI Integrity Attribute.
If you are a normal user, install AdGuard’s extension on your browser and you will be good to go.
