Government websites hijacked by cryptomining plugin

Over 4000 websites thought to have been hit.

Graham Cluley


More than 4000 websites, including many belonging to governments around the world, were hijacked this weekend by hackers who managed to plant Coinhive cryptocurrency-mining code designed to exploit the resources of visiting computers.

High-profile websites impacted by the hack included the UK’s Information Commissioner’s Office, NHS websites, and even the homepage of the United States Courts – uscourts.gov.

The alarm was raised by British security researcher Scott Helme who posted details on Twitter as he found more and more affected sites, and narrowed down the problem to a popular accessibility plugin called “BrowseAloud” which helps make websites more accessible to visually-impaired internet users.


No doubt many public sector organisations found themselves hit by the poisoned version of BrowseAloud because of their legal obligations to make their information accessible to people with disabilities.

Texthelp, the developers of BrowseAloud, posted an alert on its website and took the service offline:

At 11:14 am GMT on Sunday 11th February 2018, a JavaScript file which is part of the Texthelp Browsealoud product was compromised during a cyber attack. The attacker added malicious code to the file to use the browser CPU in an attempt to illegally generate cryptocurrency. This was a criminal act and a thorough investigation is currently underway.

Texthelp can report that no customer data has been accessed or lost. The company has examined the affected file thoroughly and can confirm that it did not redirect any data, it simply used the computers' CPUs to attempt to generate cryptocurrency. The exploit was active for a period of four hours on Sunday.

Things could have been much worse. Imagine if the plugin had been tampered with to steal login passwords rather than steal CPU resources from visiting computers.

Whenever you use someone else’s code on your website you’re often increasing your attack surface. If a hacker wants to infect four thousand websites, it’s likely to be a lot less effort to tamper with one third-party script which is used by four thousand websites than to compromise each website one-by-one.
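One way a site owner can limit this exposure, shown here as an added example that is not from the original article: Subresource Integrity (SRI) pins a third-party script to a known hash, so the browser refuses a file that has been altered at the supplier. The audit below lists cross-origin scripts loaded without a pin; the hosts, script bodies and function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def sri_hash(body: bytes) -> str:
    """Return the SRI value (sha384) to put in a script tag's integrity attribute."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")

def browser_would_run(body: bytes, integrity: str) -> bool:
    """Mimic the browser check: run the script only if its sha384 hash is listed."""
    return sri_hash(body) in integrity.split()

class ThirdPartyScriptAudit(HTMLParser):
    """Collect cross-origin <script src> tags that carry no integrity attribute."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.unpinned = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "script" or not a.get("src"):
            return
        src = urljoin(self.page_url, a["src"])  # resolves relative and //host URLs
        cross_origin = urlsplit(src).netloc != urlsplit(self.page_url).netloc
        if cross_origin and not a.get("integrity"):
            self.unpinned.append(src)

def audit(page_url: str, html: str) -> list:
    """Return the URLs of third-party scripts the page loads without an SRI pin."""
    parser = ThirdPartyScriptAudit(page_url)
    parser.feed(html)
    return parser.unpinned

# Constructed sample data: hypothetical hosts and script bodies.
ORIGINAL = b"function readAloud(){/* accessibility plugin */}"
TAMPERED = ORIGINAL + b"/* code added by an attacker */"
PAGE = f"""<html><head>
<script src="/js/site.js"></script>
<script src="https://plugin.example/reader.js"></script>
<script src="https://cdn.example/lib.js" integrity="{sri_hash(b'lib')}" crossorigin="anonymous"></script>
</head></html>"""

if __name__ == "__main__":
    print("unpinned third-party scripts:", audit("https://www.agency.example/", PAGE))
    print("tampered file would run:", browser_would_run(TAMPERED, sri_hash(ORIGINAL)))
```

SRI only works when the supplier serves a fixed, versioned file; a script that is updated in place will stop loading until the pin is refreshed.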

For further discussion of this issue be sure to check out this episode of the “Smashing Security” podcast:

Smashing Security #065: 'Cryptominomania, Poppy, and your Amazon Alexa'

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

2 comments on “Government websites hijacked by cryptomining plugin”

  1. Brian

    Thanks for the heads-up. For the security conscious but technically illiterate perhaps there is a browser extension for FF and others that can be recommended to guard against this? I see there are a few but it is difficult to know which are effective.

    1. Graham Cluley · in reply to Brian

      Some anti-virus software and many ad blockers (you're running an ad blocker, right?) can prevent Coinhive's cryptocurrency-mining code from running without your permission.

      Learn more here: https://github.com/hoshsadiq/adblock-nocoin-list/blob/master/README.md
