Back in September 2017, the popular magnet and torrent website thepiratebay.se (TPB) was discovered to be testing a new way to generate revenue that hijacked its visitors' CPU cycles to mine cryptocurrency. To achieve that, TPB made use of Coinhive, a bit of JavaScript that embeds a Monero miner directly into a website without any additional UI changes, conveniently offloading the mining work onto the browsers of everyone visiting the page that hosts it.
Since then, more websites around the World Wide Web were found to be following suit, with an estimated 500 million PCs being exposed to what is now known as cryptojacking as of October 2017. But less than a month ago, cryptojackers went a step further by embedding Coinhive into a few ads that were being served to YouTube users; although they were promptly removed by Google, they did set a precedent for what would come next.
Late this Sunday, Scott Helme, a U.K.-based IT security consultant, was made aware that antivirus software was flagging the U.K.'s Information Commissioner's Office (ICO) website. After digging for more information, he found that every webpage on the site was compromised by a Coinhive script loaded from a third-party library, rather than by code hosted by the ICO itself.
The third-party library in question is provided by a company named Texthelp, which operates Browsealoud, a popular plugin that helps blind and partially sighted users browse the web. Because any website that loads the affected plugin would also be infected by the Coinhive script, Helme was able to uncover a widespread cryptojacking attack affecting more than 4,000 websites at once, with some prominent government websites from the U.K., Ireland, the U.S. and Australia on the list.
Among the government websites affected by the attack were those belonging to the National Health Service in the U.K., The Parliament of Victoria in Australia, and the United States Courts. As pointed out by Helme:
This type of attack isn’t new – but this is the biggest I’ve seen. A single company being hacked has meant thousands of sites impacted across the UK, Ireland and the United States.
Texthelp has disabled the Browsealoud plugin and will keep it offline until Tuesday 12:00 GMT, so its customers can "learn about the issue and the company's response plan." According to the company's CTO, Martin McKay, "no customer data has been accessed or lost" and the modified file was only used to mine cryptocurrency during a four-hour window on Sunday.
Source: Scott Helme, Texthelp via The Guardian (1) (2) | Bitcoin mining image via Shutterstock