Cryptocurrency-Mining Malware Compromises Thousands of Sites

• Coinhive crypto miner infiltrates Browsealoud plugin
• Over 4,000 sites ran the infected code

Aside from ransomware, it looks like cryptocurrency miners are the favorite go-to malware types for attackers.

According to security researcher Scott Helme, a little piece of malware he discovered was running on more than 4,000 sites, including the website for the American court system, the British Information Commissioner's Office, the National Health Service, and Australian legislatures, to name a few. Helme describes that the malware uses the victims' devices to mine Monero, one of the most popular alternative cryptocurrencies at the moment, mostly because unlike Bitcoin, it offers complete privacy to users.

The mining only worked when you were searching for government info, and it stopped once you visited another page or closed the browser tab.

Ummm, so yeah, this is *bad*. I just had @phat_hobbit point out that @ICOnews has a cryptominer installed on their site... 😮 pic.twitter.com/xQhspR7A2f

— Scott Helme (@Scott_Helme) February 11, 2018

The crypto-mining software used the accessibility plugin called Browsealoud, which was created for people with dyslexia or low English comprehension. Once the extra code was injected, the tool ran the mining software commonly known as Coinhive. The folks behind Coinhive, however, reached out to Helme and claimed that those behind the attack did use their JavaScript code, but they used their own servers.

The incident is currently being investigated, including by the British National Cyber Security Centre. On the upside, this hack was used to mine cryptocurrency. The same code could have been used to compromise government credential, or to steal identities. Thankfully, in a way, the attackers chose to concentrate on making money rather than collecting data.

The mining only took place for a few hours on February 11th, before the company behind the plugin, Texthelp, disabled it to investigate. "In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year. Our data security action plan was actioned straight away and was effective, the risk was mitigated for all customers within a period of four hours," said Martin McKay, Texthelp CTO.

Coinhive is regularly easy to catch by antivirus solutions if they are installed, but not everyone has such a tool on their computer. Additional finds keep coming from Helme, as he makes an update on Twitter. Among his finds is even a Windows Store App.