The hidden mining of cryptocurrencies is proving to be the new pillar of cybercrime. Fraudsters hack servers, personal computers and mobile devices and exploit the CPU or the GPU of infected hosts to generate virtual coins without the awareness of the victims.
Botnets made up of numerous zombie machines are also now used to perpetrate large-scale illegal mining activities rather than emitting spam or hitting online services with DDoS attacks.
This mischievous earnings vector had a boost with the emergence of mining scripts in the browser, such as Coinhive.
The following episodes that have taken place recently illustrate how serious this problem is becoming and how Web site widgets trapped by explosions play in the hands of the threat actors.
Changing in the BrowseAloud widget affects thousands of sites
A huge wave of mining took place on February 11, 2018, using a popular widget called BrowseAloud. The hackers were able to inject a Monero miner into over 4,200 Internet resources, including high-profile sites such as the British, US, and Australian government Web sites. Following this compromise, the malicious script took advantage of the processing power of visitors’ machines to extract the cryptocurrency behind the scenes.
For the record, BrowseAloud is a tool by Texthelp Ltd. designed to improve the accessibility of Web sites for a wider audience through speech, reading and translation features. By adding this widget to the sites, webmasters ensure that people with dyslexia, eye disorders and poor English skills can participate and use their services to the fullest. In addition, the software helps site owners to fulfill various legal obligations, so it’s no wonder that it is widely used around the world and has become the target of hackers.
According to security analysts’ findings, criminals somehow managed to compromise the JavaScript component of the BrowseAloud utility and then incorporated Coinhive’s in-browser miner code into numerous Web sites that used this widget. Among the notable victims are uscourts.gov, legislation.qld.gov.au, manchester.gov.uk, gmc-uk.gov and nhsinform.scot. The total number of sites hosting the invalid script reached 4.275.
By the way, even the official website of the Texthelp supplier had the miner running. When the compromise was unveiled, the company temporarily deactivated the widget to avoid further damage to customers. As of February 15, the violation was reported as addressed and the service was up and running as usual.
The cryptojacking script has been configured to consume the CPU of visiting computers at 40%, probably not to raise many red flags. The address of the Coinhive wallet of hackers is known, but unlike Bitcoin, the service does not allow you to see how much Monero holds in your wallet. Therefore, the amount of cryptocurrency extracted from the group behind the modification of BrowseAloud remains a mystery.
Widget LiveHelpNow used for in-browser mining
Another cryptojacking campaign that involved a site widget began on Thanksgiving last year. In search of easy money, threat actors injected the Coinhive miner into one of the LiveHelpNow JavaScript modules, a popular live chat widget. This widget is widely used by various e-commerce resources, including retail stores like Everlast and Crucial.
The stars are aligned for the authors, in particular because of the next Black Friday and Cyber Monday, when many users visit the online stores in search of better purchases and other offers. Furthermore, it is not likely that administrators will closely monitor their sites for malicious activities of this type during the holiday season.
The Coinhive script hidden in a trojanized copy of the LiveHelpNow widget will cause the CPU usage of visiting computers to peak and remain 100% during the Internet session. It is interesting to note that the miner was configured to work at random, therefore not all users who went to compromised websites immediately joined the rush to covert activity.
In some cases, a page update was required to start the rogue script. The reason for this selective approach is probably not to draw too much attention to the ongoing cryptography wave.
According to the PublicWWW source code search engine, the toxic script “lhnhelpouttab-current.min.js” was running on more than 1,400 websites when this campaign took hold. There are a few details available on the source of the violation. This lack of evidence has generated speculation that the hack is internal work done by one of LiveHelpNow’s employees. In one way or another, it was a well-orchestrated compromise that must have brought the scammers a fair amount of Monero.
How to get on the side of security
This is a non-trivial question. Cryptojacking is surreptitious by nature, so the only way for end users to detect this type of attack is to monitor CPU usage – if it’s constantly sky-high, it’s a red flag. As for the defenses, here are some suggestions that work proactively:
Install a browser extension that automatically blocks all known JavaScript miners. Some famous add-ons that are worth their salt include Minoblock and No Coin. Most adblockers can block browser miners. But the hackers use all the possible ways to get around the adblockers.
Use a reliable Internet security suite with an on-board anti-cryptojacking feature. We recommend using a reliable VPN service when connecting to unknown networks as miners’ criminals often go along with keyloggers and other malware.
Keep your operating system up to date to ensure that known vulnerabilities are corrected and that cybercriminals can not exploit them to inject a miner imperceptibly.
Webmasters should consider adopting the following combination of techniques to make sure that their sites do not serve encryption scripts beyond their awareness:
SRI (Subresource Integrity) is a security mechanism that verifies that the content uploaded on the sites has not been modified by third parties. Here’s how it works. A website owner specifies a hash for a particular script. If this hash and the one provided by the corresponding Content Delivery Network do not match, the SRI function automatically rejects the rogue script.
CSP (Content Security Policy) is a security standard that makes it mandatory for all the scripts of a website to have an SRI hash assigned to them. The merging of SRIs and CSPs prevents the execution of compromised widgets on a Web site and thus interrupts the unauthorized crypto-mining in its tracks.
Notes
There is nothing illegal in the crypto-mining as such. It becomes a crime, however, when someone uses other people’s computers to extract digital coins without their knowledge and consent.
In-browser mining is a good way for website owners to monetize their traffic, but it is also a call for criminals.
As the incidents of BrowseAloud and LiveHelpNow have shown, site widgets are low impact fruits that can be exploited for large-scale cryptojacking.
