Several government web pages from the United States and the United Kingdom were injected with cryptocurrency mining malware.

Over four thousand websites worldwide, including some run by the U.S. and U.K. governments, were allegedly hacked by cryptojackers.

Scott Helme, a U.K.-based information security consultant, said that the affected sites are all using a specific plugin. This plugin silently injects cryptocurrency mining malware in the site pages.

The plugin, popularly known as BrowseAloud, reads out web pages to help improve the user experience of the visually impaired. While the text-to-speech technology appears to have been compromised, it is still unclear if the source code has been altered by hackers or by company insiders.


Following the discovery of the malware, the U.K.’s data protection watchdog, the Information Commissioner’s Office (ICO), reportedly shut down its website to deal with the issue. According to Helme, he was alerted by a friend who received a malware warning after visiting the ICO website. Since then, the code has been disabled, and visitors can now browse the site safely.

“This type of attack isn’t new – but this is the biggest I’ve seen. A single company being hacked has meant thousands of sites impacted across the UK, Ireland and the United States,” Helme told Sky News.

The Cryptocurrency Mining Malware

A list of the more than four thousand websites affected by the cryptocurrency mining malware has been released. Some of the government-run sites on the list include:

  • uscourts.gov – website of the United States courts
  • in.gov – official website of the State of Indiana
  • cookcountytreasurer.com – Cook County, Illinois treasurer website
  • camden.gov.uk – official website of Camden Town in London
  • camh.ca – Canada’s Centre for Addiction and Mental Health website
  • agriculture.gov.ie – Ireland’s Department of Agriculture, Food, and the Marine website
  • legislation.qld.gov.au – Queensland Government’s legislation website
  • cambridge.ca – Cambridge, Canada’s official website
  • texthelp.com – creator and provider of the text-to-speech technology, Browsealoud

According to a report from The Register on Sunday, the cryptocurrency mining code was injected into BrowseAloud’s code sometime between 0300 and 1145 UTC. The miner, which uses Coinhive code to mine the Monero virtual currency, only works while an affected page is open. This means that mining stops automatically once the user closes the web browser.

Browsealoud plugin compromised by the cryptocurrency mining malware | Cook County Treasurer | cookcountytreasurer.com

In general, the code could be detected and stopped by antivirus packages or ad-blocking tools. Anyone with a reasonable security suite should not be directly affected.

A copy of the infected BrowseAloud code shows that the Monero miner code was obfuscated. However, converting the code from hexadecimal back to ASCII reveals how it summons the hidden JavaScript miner into the page.

Stopping the Monero Mining Malware

As a solution, Helme advised webmasters to use the Subresource Integrity (SRI) technique. According to the consultant, SRI will be able to catch and block attempts by cybercriminals to inject malicious code into their websites. The method uses a fingerprinting approach that prevents compromised JavaScript files from being loaded into web pages.

However, Helme noted that unless websites use this protection, hackers and other cybercriminals will continue to target third-party resource providers like BrowseAloud.

“Third parties like this are absolutely a prime target and have been for some time,” Helme went on to say. “There’s a technology called SRI (Sub-Resource Integrity) designed to fix exactly this problem, and unfortunately it seems that none of the affected sites were using it.”
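The fingerprint check described above, as an added Python example that is not code from the article, Helme or Texthelp: it computes the value a site would publish in a script tag's `integrity` attribute and mimics the browser's decision for an unchanged and a modified copy of the file. The script contents, the URL and all function names are constructed for illustration.

```python
import base64
import hashlib

# Hash algorithms SRI accepts, ordered weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample: a third-party script as reviewed, and the same file after
# it was modified on the provider's server. Neither is the real plugin code.
ORIGINAL = b"function readAloud(text) { /* speech code */ }\n"
TAMPERED = ORIGINAL + b"/* injected line */ loadExtraScript();\n"
URL = "https://cdn.example.invalid/reader.js"  # placeholder URL


def sri_digest(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity value for content: '<algorithm>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url: str, content: bytes) -> str:
    """Build the <script> element a site publishes to pin the reviewed file."""
    return (f'<script src="{url}" integrity="{sri_digest(content)}" '
            'crossorigin="anonymous"></script>')


def browser_would_load(integrity: str, fetched: bytes) -> bool:
    """Mimic the browser: run the file only if it matches a pinned hash."""
    entries = [e.split("-", 1) for e in integrity.split() if "-" in e]
    entries = [(alg, b64) for alg, b64 in entries if alg in SRI_ALGORITHMS]
    if not entries:
        return True  # no usable hash in the attribute: nothing is enforced
    # When several hashes are listed, only the strongest algorithm counts.
    strongest = max(entries, key=lambda e: SRI_ALGORITHMS.index(e[0]))[0]
    return any(
        sri_digest(fetched, alg).split("-", 1)[1] == b64
        for alg, b64 in entries if alg == strongest
    )


if __name__ == "__main__":
    pinned = sri_digest(ORIGINAL)
    print(script_tag(URL, ORIGINAL))
    print("original loads:", browser_would_load(pinned, ORIGINAL))
    print("tampered loads:", browser_would_load(pinned, TAMPERED))
```

Because the hash pins one exact file, any legitimate update from the provider also fails the check until the site publishes a new `integrity` value. An empty or unrecognised attribute enforces nothing.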

Apparently, all it takes is to hack one provider like Texthelp, creator and provider of BrowseAloud, to infect numerous websites that use its services. The company has disabled the BrowseAloud service according to a public tweet.

The tweet was later followed by an official statement from Texthelp, stating that no customer data was compromised during the attack.

“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year and our data security action plan was actioned straight away,” Martin McKay, CTO and Data Security Officer at Texthelp, was quoted as saying.

“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline. This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action.”

Do you believe that websites should take Helme’s recommendation and start using the SRI security approach to prevent cryptojackers from injecting cryptocurrency mining malware into their sites?
