Thousands of websites globally have been hijacked by code which made computers run cryptocurrency mining software.
Sunday 11 February 2018
By Nick Stylianou, Defence & Technology Producer
More than 5,000 websites have been hacked to force visitors’ computers to run software that mines a cryptocurrency similar to Bitcoin.
Users loading the websites of the Information Commissioner’s Office, the Student Loans Company, as well as the council websites for Manchester City, Camden, and Croydon – and even the homepage of the United States Courts – had their computers’ processing power hijacked by hackers.
Malicious code for software known as “Coinhive”, a program advertising itself as “A Crypto Miner for your Website”, would start running in the background and continue until the webpage was closed.
Security researcher Scott Helme was alerted to the hack by a friend who sent him antivirus software warnings received after visiting a UK Government website.
The ICO also took its site down
He said: “This type of attack isn’t new – but this is the biggest I’ve seen. A single company being hacked has meant thousands of sites impacted across the UK, Ireland and the United States.
“Someone just messaged me to say their local government website in Australia is using the software as well.”
The Coinhive script was inserted into a popular third-party accessibility plugin, “Browsealoud”, which is used to help blind or partially-sighted people access the web.
Texthelp, which operates the compromised Browsealoud plugin, confirmed to Sky News that their software was hacked at 11.14am on Sunday and remained active for four hours.
The software has now been taken offline until midday on Tuesday.
Texthelp data security officer Martin McKay said: “Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline.
“This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action.
“Texthelp can report that no customer data has been accessed or lost.” Mr McKay also announced that an independent security consultancy will begin a security review of the company’s systems.
The code in purple is malicious. Pic: Scott Helme
Mr Helme says that unlike Bitcoin, where wallet addresses are stored on a publicly-available database, it is impossible to find the location of the account profiting from the code.
But, he added, there was a simple way to defend against the attack. He said: “Every single website I run has an ‘Integrity Attribute’, which is a tiny change in how the script is loaded but is there because I’m worried about exactly this type of thing happening.”
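The “Integrity Attribute” Mr Helme refers to is the HTML `integrity` attribute (Subresource Integrity). The sketch below is an added example, not code from the article, Mr Helme or Texthelp: it builds the attribute value for a script and approximates the browser's check, using a constructed stand-in file and a hypothetical URL.

```python
import base64
import hashlib
import hmac

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # algorithms SRI defines

def sri_value(body: bytes, alg: str = "sha384") -> str:
    """Build the integrity attribute value: '<alg>-<base64 of raw digest>'."""
    digest = hashlib.new(alg, body).digest()
    return alg + "-" + base64.b64encode(digest).decode("ascii")

def script_tag(src: str, body: bytes) -> str:
    """Script element pinned to the exact bytes reviewed at deploy time."""
    # crossorigin is needed so the browser can hash a cross-origin response.
    return ('<script src="%s" integrity="%s" crossorigin="anonymous"></script>'
            % (src, sri_value(body)))

def browser_would_run(integrity: str, fetched: bytes) -> bool:
    """Approximate the browser's check of fetched bytes against the attribute."""
    pins = []
    for token in integrity.split():
        alg, _, b64 = token.partition("-")
        if alg in STRENGTH and b64:
            pins.append((alg, b64.split("?")[0]))  # drop optional ?options
    if not pins:
        return True  # no usable hash: treated as if no attribute were set
    best = max(pins, key=lambda p: STRENGTH[p[0]])[0]  # strongest alg wins
    actual = sri_value(fetched, best).split("-", 1)[1]
    return any(hmac.compare_digest(actual, b64) for alg, b64 in pins if alg == best)

# Constructed sample data, not the real plugin file.
REVIEWED = b"function readAloud(el) { /* accessibility helper */ }\n"
TAMPERED = b"/* injected third-party code (placeholder) */\n" + REVIEWED
TAG = script_tag("https://cdn.example/plugin.js", REVIEWED)  # hypothetical URL

if __name__ == "__main__":
    pin = sri_value(REVIEWED)
    print(TAG)
    print("reviewed file runs:", browser_would_run(pin, REVIEWED))
    print("tampered file runs:", browser_would_run(pin, TAMPERED))
```

A pinned hash also blocks legitimate updates to the file, so the hash has to be regenerated whenever the vendor ships a new version.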
Sky News has learned that some of the affected websites, such as the Information Commissioner’s Office, have now been taken offline as well, as IT teams try to combat the problem.
Sky News contacted the National Cyber Security Centre, which confirmed that their Incidents team is investigating the case.
A spokesperson for the NCSC said: “Technical experts are examining data involving incidents of malware being used to illegally mine cryptocurrency.
“The affected service has been taken offline, largely mitigating the issue.
“Government websites continue to operate securely. At this stage there is nothing to suggest that members of the public are at risk.”