Published: Thu, February 15, 2018
Science | By

Malware mining cryptocurrency hits government sites

Malware mining cryptocurrency hits government sites

CoinHive is one of the most blocked piece of software on the web with over 130 million blocks every week, according to Malwarebytes, the anti-malware firm, and the result of adding it to the code meant that every site hosting the plugin and those sites' visitor were turned into cryptocurrency miners.

According to Helme, webmasters should try a technique called SRI (subresource integrity), which uses a fingerprinting approach to block altered code from being pulled into webpages, nipping any potential attacks in the bud. Now, it's been discovered that thousands of sites, including many from the US, UK, and the Australian governments, were infected with the same Monero miner from Coinhive.

There are no indications so far of any data being compromised on any of the websites that were infected. They included the Victoria parliament, the Queensland Civil and Administrative Tribunal, the Queensland ombudsman, the Queensland Community Legal Centre, and the Queensland legislation website.

Coinhive's script was able to run across all of these sites thanks to a piece of software called BrowseAloud. The plug-in's maker, Texthelp confirmed the incident and said that it was affected for about four hours before being taken down.

More than 4000 sites were briefly made into cryptocurrency miners after a popular website plugin was hacked. The affected websites included U.S. and United Kingdom government websites, along with the National Health Service (NHS), and some university websites such as that of the City University of New York (CUNY). The plugin authors took their own website down while they tried to resolve the problem.

Malmo University and Lund University in Sweden, among other Swedish education institutions, were also affected by the hack. "There are easy ways to make sure they don't do that".


The ICO subsequently closed its website when the issue was revealed, the report indicates.

The office is a non-departmental government body which is sponsored by the Department of Digital, Culture, Media and Sport and is responsible for providing local government organisations with guidance on the upcoming general data protection regulation (GDPR). "We have taken our website down as a precautionary measure whilst this is done".

The statement also said no other Texthelp products have been affected by the mining malware.

'The company has examined the affected file thoroughly and can confirm that it did not redirect any data: it simply used the computer's CPUs to attempt to generate cryptocurrency.

Helme argued that mitigating the attack only requires a small code change to how the Browsealoud script is loaded. It is unclear whether it was an employee who thought it was a good idea to stealthily make some money using client websites (wouldn't be the first time this has happened; Wccftech itself became a victim a year ago by a different company), or if an attacker managed to compromise it before hijacking websites.

Like this: