Once again websites are being used to mine cryptocurrency, Monero in this case, though the target is different this time. Previously we've seen websites such as The Pirate Bay extract value from their users by discreetly (or not so discreetly) running cryptocurrency mining scripts in the background while the user goes about their business. While The Pirate Bay has seen some push-back over that venture, at the end of the day it is a website that caters to a maybe-less-than-legal clientele, so the practice wasn't seen as that big of an issue. The ones doing the mining in this case, though, were US government websites and web portals. The government websites weren't the only ones that found themselves doing some unexpected mining; they were part of a larger compromise that affected roughly 4,000 websites. The government websites have since been given the all-clear: the code was quickly rooted out and removed once someone was made aware of the issue.
The attackers didn't try to plant malicious code directly on each of the affected websites, which would have meant breaking into thousands of servers, but instead targeted a popular third-party plugin called Browsealoud. Browsealoud helps people with visual impairments perceive and interact with a website, and its parent company Texthelp confirmed that the plugin's script was briefly modified to carry malware. The infection window appears to have been around four hours long, and during that time any website embedding Browsealoud served its visitors the Coinhive mining script as well. Nothing was installed on the visitor's machine: Coinhive is JavaScript that runs inside the browser tab, using the visitor's processor to mine Monero for as long as the page stays open. The miner stole no data and didn't go looking for any, which is part of why it slipped past anti-virus programs. Apart from the mining traffic itself, it simply ran Coinhive in the background, something that slowed the affected devices but did nothing else. We've previously discussed how the use of Monero in cyber crime opens a dangerous door for similar acts. Monero prides itself on being truly anonymous, which makes it the payment of choice for anyone looking to cover their tracks. By providing an anonymity that a hacker or cyber-criminal might not otherwise manage to maintain, it empowers attackers to grow bolder with their attacks.
The Coinhive script that visitors' browsers picked up only runs while a tab is open on a page that serves it; now that the code has been removed from Browsealoud, Coinhive should no longer run on any of the affected devices. However, it remains possible that another injected string of code, or another compromise of a widely embedded script, will bring it back.
Max is a Legal Assistant and author residing in the Philadelphia area. He has been writing for AskCyberSecurity.com since early 2017.