Cryptocurrency Mining Bonanza: Thousands of Sites Hit by Malware

02.27.18

Trevor Reschke, Head of Threat Intelligence

Last Sunday thousands of websites around the world were thrown into chaos when it became apparent they’d been hijacked to mine cryptocurrency. This type of browser-based mining isn’t new – in fact it started all the way back in 2011 – but what is notable about this incident is the sheer number of websites that were pulled into the hack – more than 4,000. On top of that, the sites that were hit include US and UK government departments like the US court website (uscourts.gov), the UK’s Student Loans Company (slc.co.uk) and, somewhat ironically, the Information Commissioner’s Office in the UK (ico.org.uk), which is the regulatory body dealing with data protection. We spoke to Newsweek about it on Monday, but here’s a bit more detail about what happened and why.


How did the malware get in?

According to the researcher who raised the alarm, Scott Helme, someone managed to insert the Coinhive script into a plugin that’s widely used by websites to help visually impaired people, or those with reading challenges, access the sites. This plugin, Browsealoud, then allowed Coinhive to execute on the browser of anyone visiting the sites where it was installed and consequently burden their CPUs to mine the cryptocurrency Monero.

Coinhive is billed as a legitimate service that’s an alternative to generating revenue from advertising. It allows website owners to deploy cryptocurrency miners using JavaScript, with the idea that people visiting the site don’t have to be distracted by annoying ads – or the rest of the baggage that comes with ads. In other words, some website owners are beginning to (unintentionally) enable this attack vector themselves. Of course the best laid plans often go awry, particularly when it comes to the internet and making money. Instead of involuntarily being fed ads, users are involuntarily letting their computers be used for cryptocurrency mining.

Cyber criminals have quickly realized that there’s an easy buck to be made here. All they have to do is insert the relevant script (with a few modifications) into the code of a vulnerable website and they’re off to the races. One of the perks of cryptocurrency for criminals is its anonymity – it’s difficult to trace so it’s less risky than, for example, infecting a bunch of organizations with ransomware. And, as Helme points out in his blog, “if you want to load a crypto miner on 1,000+ websites you don’t attack 1,000+ websites, you attack the 1 website that they all load content from”. By using a plugin to nefariously spread a program for mining, the criminals gain a vast network of computers at no cost, which they then use to make money.


Closing the gaps for web security peace of mind

We’re seeing more and more threats that target people through legitimate sites, which have grown steadily more complex and rely on more third-party components to add functionality. While in this case the hackers only wanted to take advantage of compute power, the fact is that they could have gone much further if they’d wanted to. They were able to hack a plugin and modify its code – and they could have modified it any way they wanted, to monitor users, exfiltrate data, and more.
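Two things in the post deserve a concrete illustration: Helme’s point that one shared third-party script is the single point of compromise for every site that loads it, and the observation that the attackers modified a plugin’s code and nobody embedding it noticed. The script below is an added example written for this article; it is not code from the original post, from Browsealoud or from Coinhive. It parses constructed HTML snapshots of three placeholder sites, reports which third-party host is loaded by the most sites (the blast radius of one compromise), lists the scripts embedded without any integrity pin, and shows an SRI-style hash check (Subresource Integrity, a standard browser mechanism the post does not itself discuss) that fails as soon as the pinned script body changes. All hostnames, script bodies and hash values are constructed placeholders, not indicators from the incident.

```python
"""Audit shared third-party scripts and detect a modified one (added example)."""
import base64
import hashlib
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect the src and integrity attributes of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # list of (src, integrity or None)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def external_scripts(page_url, html):
    """Return [(host, src, integrity)] for scripts served from another host."""
    own_host = urlparse(page_url).hostname
    parser = ScriptCollector()
    parser.feed(html)
    out = []
    for src, integrity in parser.scripts:
        host = urlparse(src).hostname  # None for relative, same-origin paths
        if host and host != own_host:
            out.append((host, src, integrity))
    return out


def blast_radius(pages):
    """Map each third-party host to the set of sites that load it.

    pages is {page_url: html}. A host loaded by many sites is a single
    point of compromise for all of them, which is Helme's point.
    """
    reach = defaultdict(set)
    for page_url, html in pages.items():
        for host, _src, _integrity in external_scripts(page_url, html):
            reach[host].add(urlparse(page_url).hostname)
    return dict(reach)


def unpinned(pages):
    """Third-party script URLs embedded without an integrity attribute."""
    found = set()
    for page_url, html in pages.items():
        for _host, src, integrity in external_scripts(page_url, html):
            if not integrity:
                found.add(src)
    return sorted(found)


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value for a script body: sha384, base64-encoded."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


def verify_pinned(body: bytes, expected: str) -> bool:
    """True only if the fetched script body still matches the pinned hash."""
    return sri_hash(body) == expected


# Constructed sample data: three placeholder sites that all embed the same
# accessibility widget from one vendor host, plus a site-specific script.
PAGES = {
    "https://site-a.example/": """<html><head>
      <script src="https://widget-vendor.example/plugin.js"></script>
      <script src="/static/app.js"></script></head></html>""",
    "https://site-b.example/": """<html><head>
      <script src="https://widget-vendor.example/plugin.js"
              integrity="sha384-placeholder"></script>
      <script src="https://cdn.example/lib.js"></script></head></html>""",
    "https://site-c.example/": """<html><body>
      <script src="https://widget-vendor.example/plugin.js"></script>
      </body></html>""",
}

# Constructed known-good plugin body and the hash a site would pin for it.
GOOD_PLUGIN = b"window.widget = function () { /* reads the page aloud */ };\n"
PINNED = sri_hash(GOOD_PLUGIN)
# Constructed illustration of the same file after unexpected code was appended.
MODIFIED_PLUGIN = GOOD_PLUGIN + b"/* unexpected appended code */\n"

if __name__ == "__main__":
    by_reach = sorted(blast_radius(PAGES).items(), key=lambda kv: -len(kv[1]))
    for host, sites in by_reach:
        print(f"{host}: loaded by {len(sites)} site(s)")
    print("unpinned:", unpinned(PAGES))
    print("good plugin verifies:", verify_pinned(GOOD_PLUGIN, PINNED))
    print("modified plugin verifies:", verify_pinned(MODIFIED_PLUGIN, PINNED))
```

Run against real saved pages, the `blast_radius` report is the inventory a site owner needs before the next incident: every host on it can change what runs in visitors’ browsers without the owner’s knowledge. The integrity check is the trade-off: a pinned hash stops a silently modified script from loading, at the cost of breaking the page until the owner reviews and re-pins the vendor’s update.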

If nothing else, this is a wake-up call for website owners – and for the developers of the additional tools those sites use. Since the advent of the internet there have been flaws in websites that can be exploited, and as cyber criminals get more sophisticated they’ve gotten better at zooming in on these flaws and using them for devious activities.

In most cases these kinds of attacks can be prevented. While crypto-jacking JavaScript can be somewhat harmless, more dangerous versions of malicious code can use the same attack vector (third-party plugins or libraries) to surreptitiously exfiltrate credentials or perpetrate financial fraud by hijacking user transactions. This threat is what full transaction stack protection (FTSP) can block. Deploying a solution that protects the full transaction stack can ensure all gaps are closed, whether it’s due to a compromised end-user system or due to a website that has unwittingly enabled that compromise to happen.
