Security researcher Scott Helme said more than 4,000 websites, including many government ones, were affected by hackers taking control of visitors’ computers to mine cryptocurrencies.
The Information Commissioner’s Office (ICO) was one of those affected, and had to shut down its website.
The ICO said: “We are aware of the issue and are working to resolve it.”
Indeed, Helme was first made aware of this when a friend received a malware warning when he visited the ICO website.
The affected code had now been disabled and visitors were no longer at risk, according to Helme.
“It’s a very lucrative proposal,” said Helme. “They infect one website and it infects close to 5,000.”
“This was a very serious breach. They could have extracted personal data, stolen information or installed malware. It was only limited by the hackers’ imaginations.”
The root of the problem
Helme traced the malware’s origin to a website plug-in called Browsealoud, which is used to help the blind and partially sighted access the web.
Texthelp, which makes the plug-in, confirmed that its product had been affected for four hours by malicious code designed to generate cryptocurrency.
Martin McKay, chief technical officer of TextHelp, said: “In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year and our data security action plan was actioned straight away.”
The cryptocurrency that the hackers were trying to generate was called Monero – a rival to Bitcoin.
Monero is designed to make transactions “untraceable” between the senders and recipients involved.
Coinhive, which “mines” for Monero by running processor-intensive calculations on visitors’ computers, was added to Browsealoud by hackers and consequently affected thousands of websites, including the ICO’s.
A National Cyber Security Centre spokesman said: “NCSC technical experts are examining data involving incidents of malware being used to illegally mine cryptocurrency.”
“The affected service has been taken offline, largely mitigating the issue. Government websites continue to operate securely.”
“At this stage there is nothing to suggest that members of the public are at risk.”
“We are seeing threat actors around the world exploiting what is already a hostile currency in a lawless digital world,” according to Fabian Libeau, VP of RiskIQ.
“Threat actors hack vulnerable sites or spin up fake, illegitimate websites to siphon money off of major brands, often with typosquatting domains and fraudulent branding. By leveraging domains or subdomains that appear to belong to major brands, these actors trick people into visiting their sites running cryptocurrency mining scripts to monetise their content. When we looked at domains running the cryptocurrency mining script Coinhive, we found many examples of typosquatting and domain infringement.”
“Unfortunately, security teams lack visibility into all of the ways that they can be attacked externally, and struggle to understand what belongs to their organisation, how it’s connected to the rest of their asset inventory, and what potential vulnerabilities are exposed to compromise.”
“In the case of scripts like Coinhive, it means being able to inventory all the third party code running on your web assets, and being able to detect instances of threat actors leveraging your brand on their illegitimate sites around the internet. Digital threat management software can help companies get covered by continuously discovering an inventory of your externally-facing digital assets and managing risks across your attack surface.”
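The article describes a single third-party script being altered so that every site embedding it began running a miner, and RiskIQ’s advice above is to inventory the third-party code running on your own web assets. The Python below is an added example of what such a check can look like; it is not code from the article, Texthelp, RiskIQ or Scott Helme. It assumes a hypothetical allow-list of expected third-party hosts and uses Subresource Integrity (SRI) hashes, a browser feature the article does not mention, to detect a script whose contents changed after it was reviewed. The sample HTML, hostnames and script body are constructed for the example.

```python
"""Inventory third-party <script> tags on a page and flag the ones that load
from an unexpected host or without an SRI hash, then show how an SRI hash
exposes a script whose body was altered after review.

Added example, not code from the article or the organisations it quotes.
Hostnames, HTML and script body below are constructed for illustration.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: the third-party hosts this site expects to load from.
ALLOWED_HOSTS = {"cdn.example-widget.test"}

# Constructed body of a third-party widget as it looked when it was reviewed.
WIDGET_BODY = b"window.exampleWidget = { version: '1.0' };\n"


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI value ("sha384-<base64 digest>") for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# The integrity value the reviewed widget would carry in the page.
EXPECTED_SRI = sri_hash(WIDGET_BODY)

# Constructed page: one first-party script, the widget loaded once with an SRI
# hash, the same widget loaded again without one, and a script from a host
# nobody on the team recognises.
SAMPLE_HTML = f"""<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-widget.test/widget.js"
        integrity="{EXPECTED_SRI}" crossorigin="anonymous"></script>
<script src="https://cdn.example-widget.test/widget.js"></script>
<script src="https://unknown-host.test/loader.js"></script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect src and integrity attributes of every external <script>."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})


def inventory(html: str, page_host: str) -> list[dict]:
    """List third-party scripts with the issues a reviewer should look at."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        host = urlparse(s["src"]).netloc
        if not host or host == page_host:
            continue  # first-party script: out of scope for this check
        issues = []
        if host not in ALLOWED_HOSTS:
            issues.append("unexpected host")
        if not s["integrity"]:
            issues.append("no SRI hash")  # browser will run whatever the host serves
        findings.append({"src": s["src"], "host": host, "issues": issues})
    return findings


def verify_script(body: bytes, expected_integrity: str) -> bool:
    """True only if the fetched body still matches the SRI hash recorded at review."""
    algo = expected_integrity.split("-", 1)[0]
    return sri_hash(body, algo) == expected_integrity


if __name__ == "__main__":
    for f in inventory(SAMPLE_HTML, "www.example-site.test"):
        print(f["src"], "->", ", ".join(f["issues"]) or "ok")
    # A body with anything appended after review no longer matches the hash.
    print("reviewed body ok:", verify_script(WIDGET_BODY, EXPECTED_SRI))
    print("altered body ok: ", verify_script(WIDGET_BODY + b"/* altered */", EXPECTED_SRI))
```

Run against real pages, the inventory step would fetch each page’s HTML rather than the constructed sample, and the integrity value would be pinned in the page template so the browser itself refuses a script that no longer matches. The trade-off is that an SRI hash must be updated whenever the vendor legitimately ships a new version, which is exactly the review point a team wants in front of code that runs on every visitor’s machine.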