New Cryptomining Attacks Force Re-evaluation of Trust in Websites

February 26, 2018  |  By Panagiotis Kintis

Recently, several thousand websites were disrupted and forced to mine cryptocurrency for attackers -- made possible due to a breach in a third-party JavaScript library. Using the plugin Browseraloud by Texthelp, which aids website browsing for blind or visually impaired people, websites were compromised and malicious JavaScript was added. A variety of government and other critical infrastructure websites were using the plugin to assist visitors. As a consequence, visitors to those websites later found that their computers were forced to mine Monero cryptocurrency on behalf of the attackers, even if the visitor did not rely upon Browseraloud in order to view the website. The attack was first discovered by security consultant Scott Helme and mitigated within a few hours.

IISP Analyst Panagiotis Kintis: "Last month, Stone Tillotson wrote an article discussing how cybercriminals are leaving Bitcoin in an attempt to adopt the more private Monero currency. At the same time, "cryptojacking" or "coinjacking" attacks (which refer to an attempt by a website to use a visitor's computer to mine cryptocurrency) have been on the rise. In fact, there have been several websites, which usually served controversial content, that have been found to exhibit such behavior. What makes the attack with Browseraloud particularly interesting is the attackers' decision to limit themselves to cryptocurrency mining. The attack resembles cross-site scripting (XSS) attacks, which give the attacker the power to do virtually anything to the user's browser. In XSS attacks, a benign website is forced to provide a malicious piece of code that is run on the client side. XSS attacks have been used to deliver malware, steal users' private data, and deploy botnets. Surprisingly, this time, the attackers appear to have deviated from well-known practices and only exploit clients for Monero mining.

The websites affected by the attack -- through the Browseraloud plugin -- included the City University of New York, Indiana's government website (in.gov), United States Courts (uscourts.gov), Washington's Metropolitan Area Transit Authority (wmata.com), the National Health Service in the UK (nhs.uk), and many other popular destinations. A list of more than 4,000 websites that include the Browseraloud plugin can be found here. The very high popularity of the affected websites shows that the impact and the magnitude of the attack was significant.

One might think, "So what if they used my computer to harvest some coins?" Unfortunately, when government and critical infrastructure websites are being weaponized by adversaries, mining cryptocurrency can only be the beginning. The discussion would have been much different if the websites were deploying new ransomware; then, it would have been everywhere in the news. Could this be a new not-so-invasive attack that can still fund illicit activities but stay under the "mainstream" radar? They most definitely will not use the money to fund education and schools.

In any case, using the Internet nowadays can be troublesome with new headaches from attacks such as this. Users can protect themselves by utilizing browser extensions and plugins that stop scripts. For myself, I use AdBlock (with the "Cryptocurrency (Bitcoin) Mining Protection List" filter on), JS Blocker, and uBlock in Safari. In Chrome, I have AdBlock and ScriptSafe installed. My Firefox has AdBlock and Policy Control running. My suggestion is to use something similar to keep adversaries away from your computers.

It used to be that 'shady' websites might be the ones that cause harm. Now, we see that the adversaries are brave enough to compromise some of the most trusted websites online. We are living in an era where users are actively trained to not click links they do not know or open email they did not expect. However, third party libraries, plugins, and resources can be as harmful. Even worse, visitors are not aware of a website’s dependencies and cannot predict the outcome when they point their browser to a trusted website. We, as a security community, should identify means to create a more robust trust model, through which verification and validation will be automatic, correct, and transparent to the end user."

 

For further reading‚Äč

 

 
More by the author(s)