New Cryptojacking Attack Hits Thousands of Websites


By John Connolly

Over 4,000 websites were compromised this weekend when attackers inserted malicious code that hijacked the processing power of every visitor's computer to mine the cryptocurrency Monero.

The attack worked not by breaking into each site individually but by modifying a single third-party script: Browsealoud, an accessibility tool from Texthelp that thousands of sites embed by loading its JavaScript from the vendor's servers. Once the hosted file had been altered, every page that included it served the tampered copy, and any visitor while the hack was ongoing ran Coinhive's Monero miner, unwittingly spending their own CPU time and electricity to mine coins for the attackers.

The hack gained widespread attention because of the number of sites affected, including a number of UK public-sector websites such as the Student Loans Company and even the Information Commissioner's Office (ICO), the regulator to which UK data breaches are reported.

Using other people's computers to mine cryptocurrencies is nothing new: a researcher was fired for using two university supercomputers to mine Bitcoin as far back as 2014. But the practice has grown massively over the last six months with the arrival of mining tools that load in a visitor's browser through JavaScript on a web page or in an online ad. These crowdsourced attacks are popular with attackers because they are relatively inconspicuous and very easy to monetise. The choice of Monero is also unsurprising: its mining algorithm is designed to run on ordinary CPUs rather than specialised hardware, which is what makes browser mining worthwhile at all, and the private, untraceable coin has become the currency of choice for criminal actors on the dark web as Bitcoin is abandoned for its traceability and high transaction fees.

In many respects the hack could have been far worse. A script embedded in a page runs with the same access to that page as the site's own code, so the attacker could have used the injected JavaScript to steal thousands of users' personal information or payment card details. Instead, by opting for mining software, they stole only a small amount of electricity from each victim. Crowdsourced mining has even been adopted by some legitimate websites and is being considered by some large publishers as an alternative source of income from ad-block-savvy readers. But theft is theft regardless of cost, and while in this case users may not have noticed their laptop fan whirring for ten minutes, if these hacks grow the electricity cost of mining could be substantial for victims: Bitcoin mining already consumes more electricity than each of 159 countries worldwide.

Security experts have advised the sites involved, and anyone else embedding third-party scripts, to add Subresource Integrity (SRI) hashes to their script tags, so that the browser refuses to run a script that no longer matches the hash of the version the site approved, and to deploy a Content Security Policy that limits which origins scripts may be loaded from and connected to, so that even an altered script cannot pull in a miner from another host or reach a mining pool. One caveat: SRI only works when the site can pin the script's content, so vendors need to serve stable, versioned files rather than silently updating a single URL. Meanwhile, users can install browser extensions that block known mining scripts. Until these measures become widespread practice and knowledge, we can expect such attacks to become even more common over 2018.