How Hacked Widgets Help Criminals Mine Monero


Covert cryptocurrency mining is shaping up to be the new mainstay of cybercrime. Crooks hack servers, personal computers, and mobile devices and take advantage of the infected hosts’ CPU or GPU to generate virtual coins without victims’ awareness. Even botnets consisting of numerous zombie machines are now used to perpetrate illegal mining activity on a large scale rather than spew out spam or hit online services with DDoS attacks.

This malicious moneymaking vector got a boost with the emergence of in-browser mining scripts, such as Coinhive. The following incidents that took place recently illustrate how serious this issue is becoming and how booby-trapped website widgets play into threat actors’ hands.

BrowseAloud widget hack affects thousands of sites

A massive cryptojacking wave took root on February 11, 2018, exploiting a popular widget called BrowseAloud. The malefactors were able to inject a surreptitious Monero miner into more than 4,200 Internet resources, including high-profile ones like the UK, U.S., and Australian government websites. In the aftermath of this compromise, the malicious script harnessed the processing power of visitors’ machines to mine cryptocurrency behind the scenes.

For the record, BrowseAloud is a tool by Texthelp Ltd. designed to enhance website accessibility for broader audiences via speech, reading and translation features. By adding this widget to their sites, webmasters make sure people with dyslexia, visual impairments and limited English skills can use their services to the fullest. Furthermore, the software helps site owners comply with various legal obligations, so it is no wonder it is widely used across the world and has become a target for hackers.

According to security analysts’ findings, the crooks somehow managed to compromise the JavaScript component of the BrowseAloud utility and thus embed obfuscated Coinhive in-browser miner code into numerous websites using this widget. Some of the notable victims include uscourts.gov, legislation.qld.gov.au, manchester.gov.uk, gmc-uk.gov, and nhsinform.scot. The total count of sites hosting the bad script reached 4,275.

By the way, the official site of the Texthelp vendor had the miner running on it as well. When the compromise was unveiled, the company temporarily took the widget offline to avoid further damage to customers. As of February 15, the breach was reportedly addressed and the service was up and running as usual.

The cryptojacking script was configured to consume 40% of visiting computers’ CPU, probably so as not to raise too many red flags. The attackers’ Coinhive wallet address is known, but as opposed to Bitcoin, the service does not allow viewing how much Monero its wallets hold. Therefore, the amount of cryptocurrency mined by the group behind the BrowseAloud hack remains a mystery.

LiveHelpNow widget exploited for in-browser mining

Another cryptojacking campaign involving a site widget kicked off on Thanksgiving last year. In pursuit of easy gain, threat actors injected the Coinhive miner into one of the JavaScript modules of LiveHelpNow, a popular live chat widget. This widget is widely used by various e-commerce resources, including retail stores like Everlast and Crucial.

The stars aligned for the perpetrators in particular because of the upcoming Black Friday and Cyber Monday, when numerous users go to online shops looking for the best deals. Furthermore, it isn’t likely that admins will be closely monitoring their sites for malicious activity of that sort during the holiday spree.

The Coinhive script hidden in a trojanized copy of the LiveHelpNow widget causes the CPU usage of visiting computers to peak and stay at 100% for the duration of the browsing session. Interestingly, the miner was configured to run at random, that is, not all users who went to the compromised websites would join the covert mining rush immediately. In some cases, a page refresh was required for the rogue script to launch. The reason for this selective approach is, arguably, not to attract too much attention to the ongoing cryptojacking wave.

According to the source code search engine PublicWWW, the toxic ‘lhnhelpouttab-current.min.js’ script was running on more than 1,400 websites when this campaign took root. There are scarce details available about the source of the breach. This vacuum of evidence has spawned speculation about the hack being an inside job pulled off by one of LiveHelpNow’s employees. One way or another, it was a well-orchestrated compromise that must have brought the crooks a fair amount of Monero.

How to stay on the safe side

This is a nontrivial question. Cryptojacking is surreptitious by nature, so the only way for end users to spot this type of attack is to monitor their CPU usage – if it is constantly skyrocketing, that’s a red flag. As far as the defenses go, here are a few tips that work proactively:

Install a browser extension that automatically blocks all known JavaScript miners. Some popular add-ons worth their salt include minerBlock and No Coin.
Most adblockers can stop in-browser miners. But bear in mind that hackers use every possible way to bypass adblockers.
Use a reliable Internet security suite with an anti-cryptojacking feature on board.
It is recommended to use a reliable VPN service when connecting to unknown networks, as miners planted by crooks often go together with keyloggers and other malware.
Keep your operating system up to date to make sure known vulnerabilities are patched and cybercrooks cannot exploit them to inject a miner imperceptibly.

Webmasters should consider adopting the following combo of techniques to make sure their sites don’t serve cryptojacking scripts beyond their awareness:

SRI (Subresource Integrity) is a security mechanism verifying that a script loaded by a site has not been modified by a third party. Here’s how it works. The website owner puts a cryptographic hash of the expected file in the integrity attribute of the script tag. When the browser fetches the script from the vendor’s Content Delivery Network, it computes the hash of what it actually received; if the two hashes don’t match, the browser refuses to execute the script. Two practical caveats: scripts fetched from another origin also need the crossorigin attribute for the check to work, and the hash must be updated whenever the vendor legitimately releases a new version of the widget, otherwise the legitimate update is blocked too.
CSP (Content Security Policy) is a security standard that lets a site restrict where scripts may be loaded from and, through the require-sri-for directive, make an SRI hash obligatory for all scripts on the page. Note that browser support for require-sri-for has only ever been experimental, so in practice the script-src allowlist does most of the work. The fusion of SRI and CSP prevents compromised widgets from running on a website and thus stops unauthorized crypto-mining in its tracks.

Bottom line

There is nothing illegal about crypto-mining as such. It becomes a felony, though, when someone uses other people’s computers to mine digital coins without their knowledge and consent. In-browser mining is a good way for website owners to monetize their traffic, but it is also a lure for criminals. As the BrowseAloud and LiveHelpNow incidents demonstrated, site widgets are low-hanging fruit that can be exploited for cryptojacking on a massive scale.

The author, David Balaban, is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. 

04.03.2018 / 15:00