On Sunday, over 4,200 websites around the world started hijacking visitors’ browsers to mine the Monero crypto currency.
The problem was first noticed and partly documented by security researcher Scott Helme:
— Scott Helme (@Scott_Helme) February 11, 2018
Among the compromised websites were that of UK’s Information Commissioner’s Office and the Financial Ombudsman Service, the US Courts information portal, Manchester’s city council, the City University of New York, the Indiana state government, the Swedish Police, and so on.
It didn’t take long for Helme to pinpoint the source of the compromise: Browsealoud, a service run by a UK-based firm Texthelp.
Apparently, the company’s script server was hacked, and the attackers added another obfuscated script to the Browsealoud one. Its sole aim was to exploit visitors’ computers’ processing power and, according to Sophos’ Paul Ducklin, the hackers tried to keep the crypto-mining operation unnoticeable.
“The rogue script that was injected into the Browsealoud server includes code that tries to limit the amount of processing power that the crypto mining will steal, presumably in the hope of staying unnoticed for longer,” he noted.
“On my dual-core hyperthreaded Mac running Firefox, for example, the crypto mining code limits itself to a single mining process running at 60% of the maximum possible rate.”
Texthelp CTO and Data Security Officer Martin McKay confirmed the breach later that same day, as well as that the script was only meant to mine crypto coins, not steal user data.
“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year and our data security action plan was actioned straight away,” he said.
“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result, the product was taken offline. This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action.”
He also said that the Browsealoud service has been temporarily taken offline and that it will remain offline until Tuesday 12:00 GMT so that Texthelp customers can learn about the issue and the company’s response plan.
Their internal investigation is still ongoing, so it’s still unknown whether the compromise of the Browsealoud script was due to an external hack or a malicious insider.
Protection against future attacks
Victims’ browsers were “set free” as soon as they closed the windows or tabs in which one of the compromised sites was opened. Users who use one of several security products that block the Coinhive site haven’t been affected.
For sites depending on third party scripts for some of their functionalities, Helme advises using a technique called SRI (Subresource Integrity).
“Rather than trusting a 3rd party not to do anything untoward it’d be far better to actually verify that they’re not doing anything nasty, and that’s exactly what SRI allows us to do,” he explained.
“In short, SRI allows us to instruct the browser to perform an integrity check on an asset loaded from a 3rd party. By embedding the base64 encoded cryptographic hash digest that we expect for the asset into the script or link tag, the browser can download the asset and check its cryptographic hash digest against the one it was expecting. If the hash of the downloaded asset matches the hash that we provided, then the content is what we were expecting to receive and the browser can safely include the script or style. If the hash doesn’t match then we know we can’t trust the data and it must be discarded.”
Stealthy crypto currency mining is a big problem
According to a recent analysis by 360Netlab, 241 out of Alexa Top 100,000 websites, and 629 out of Alexa Top 300,000 websites have crypto-mining code embedded in their homepage (the entire list can be found here).
The mining code is mostly from Coinhive, and nearly half of these sites are porn sites.