How Hacked Widgets Help Criminals Mine Monero
Covert cryptocurrency mining is shaping up to be the new mainstay of cybercrime. Crooks hack servers, personal computers, and mobile devices and take advantage of the infected hosts’ CPU or GPU to generate virtual coins without victims’ awareness. Even botnets consisting of numerous zombie machines are now used to perpetrate illegal mining activity on a large scale rather than spew out spam or hit online services with DDoS attacks.
This malicious moneymaking vector got a boost with the emergence of in-browser mining scripts, such as Coinhive. The following incidents that took place recently illustrate how serious this issue is becoming and how booby-trapped website widgets play into threat actors’ hands.
BrowseAloud widget hack affects thousands of sites
A massive cryptojacking wave took root on February 11, 2018, exploiting a popular widget called BrowseAloud. The malefactors were able to inject a surreptitious Monero miner into more than 4,200 Internet resources, including high-profile ones like the UK, U.S., and Australian government websites. In the aftermath of this compromise, the malicious script harnessed the processing power of visitors’ machines to mine cryptocurrency behind the scenes.
For the record, BrowseAloud is a tool by Texthelp Ltd. designed to enhance website accessibility for broader audiences via speech, reading and translation features. By adding this widget to sites, webmasters make sure people with dyslexia, visual disorders and poor English skills can participate and use their services to the fullest. Furthermore, the software helps site owners comply with various legal obligations, so no wonder it is widely used across the world and has become hackers’ target.
According to security analysts’ findings, the crooks somehow managed to compromise the jаvascript component of BrowseAloud utility and thus embed an obfuscated Coinhive in-browser miner code into numerous websites using this widget. Some of the notable victims include uscourts.gov, legislation.qld.gov.au, manchester.gov.uk, gmc-uk.gov, and nhsinform.scot. The total count of sites hosting the bad script reached 4,275.
By the way, the official site of the Texthelp vendor had the miner running on it as well. When the compromise was unveiled, the company temporarily took the widget offline to avoid further damage to customers. As of February 15, the breach was reportedly addressed and the service was up and running as usual.
The cryptojacking script was configured to consume visiting computers’ CPU at 40%, probably in order not to get many red flags raised. The attackers’ Coinhive wallet address is known, but as opposed to Bitcoin, the service does not allow viewing how much Monero its wallets hold. Therefore, the amount of cryptocurrency mined by the group behind the BrowseAloud hack remains a mystery.
LiveHelpNow widget exploited for in-browser mining
Another cryptojacking campaign involving a site widget kicked off on Thanksgiving last year. In pursuit of easy gain, threat actors injected the Coinhive miner into one of the jаvascript modules of LiveHelpNow, a popular live chat widget. This widget is widely used by various e-commerce resources, including retail stores like Everlast and Crucial.
The stars aligned for the perpetrators in particular due to upcoming Black Friday and Cyber Monday, when numerous users go to online shops looking for best buys and other deals. Furthermore, it isn’t likely that admins will be closely monitoring their sites for the malicious activity of that sort during the holiday spree.
The Coinhive script hidden in a trojanized copy of LiveHelpNow widget will cause the CPU usage of visiting computers to peak and stay at 100% during the Internet session. Interestingly, the miner was configured to run at random, that is, not all users who went to the compromised websites would join the covert mining rush immediately. In some cases, a page refresh was required for the rogue script to launch. The reason for this selective approach is, arguably, not to attract too much attention to the ongoing cryptojacking wave.
According to source code search engine PublicWWW, the toxic ‘lhnhelpouttab-current.min.js’ script was running on more than 1,400 websites when this campaign took root. There are scarce details available about the source of the breach. This vacuum of evidence has spawned speculations about the hack being an inside job pulled off by one of LiveHelpNow employees. One way or another, it was a well-orchestrated compromise that must have brought the crooks a fair amount of Monero.
How to stay on the safe side
This is a nontrivial question. Cryptojacking is surreptitious by nature, so the only way for end users to spot this type of attack is to monitor their CPU usage – if it is constantly skyrocketing, that’s a red flag. As far as the defenses go, here are a few tips that work proactively:
Install a browser extension that automatically blocks all known jаvascript miners. Some popular add-ons worth their salt include minerBlock and No Coin.
Most adblockers may stop in-browser miners. But mind hackers use all possible ways to bypass adblockers.
Use a reliable Internet security suite with an anti-cryptojacking feature on board.
It is recommended to use a reliable VPN service when connecting to unknown networks as crooks miners often go together with keyloggers and other malware.
Keep your operating system up to date to make sure known vulnerabilities are patched and cybercrooks cannot exploit them to inject a miner imperceptibly.
Webmasters should consider adopting the following combo of techniques to make sure their sites don’t serve cryptojacking scripts beyond their awareness:
SRI (Subresource Integrity) is a security mechanism verifying that the content loaded on sites has not been modified by a third party. Here’s how it works. A website owner specifies a hash for a particular script. If this hash and the one provided by the corresponding Content Delivery Network don’t match, the SRI feature automatically rejects the rogue script.
CSP (Content Security Policy) is a security standard that makes it obligatory for all scripts on a website to have an SRI hash assigned to them. The fusion of SRI and CSP prevents compromised widgets from running on a website and thus stops unauthorized crypto-mining in its tracks.
There is nothing illegal about crypto-mining as such. It becomes a felony, though, when someone uses other people’s computers to mine digital coins without their knowledge and consent. In-browser mining is a good way for website owners to monetize their traffic, but it is also a lure for criminals. As the BrowseAloud and LiveHelpNow incidents demonstrated, site widgets are low-hanging fruit that can be exploited for cryptojacking on a massive scale.
The author, David Balaban, is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation.