Government websites fall prey to cryptocurrency mining hijack

The US, UK, Australia and other countries were affected.
Jon Fingas, @jonfingas
February 11, 2018

It's not just private companies' websites falling victim to cryptocurrency mining hijacks. Security consultant Scott Helme and the Register have discovered that intruders compromised over 4,200 sites with Coinhive's notorious Monero miner, many of them government websites from around the world. This includes the US court info system, the UK's National Health Service and Australian legislatures, among others. The intruders spread their JavaScript code by modifying an accessibility plugin for the blind, Texthelp's Browsealoud, to inject the miner wherever Browsealoud was in use.

The mining only took place for several hours on February 11th before Texthelp disabled the plugin to investigate. Government sites like the UK's Information Commissioner's Office also took pages down in response. As with most of these injections, your system wasn't facing a security risk -- you would have just noticed your system bogging down while searching for government info. The mining goes away the moment you visit another page or close the browser tab. The biggest hassle was for the site operators, who are now discovering that their sites are vulnerable to intruders slipping in rogue code without verification.

It's not certain who's behind the attempt, but these hijacks tend to be the work of criminals hoping to make a fast profit.

The big problem: this might continue to happen for a while. Although antivirus tools can catch Coinhive, a more definitive solution would be to use a fingerprinting technique, Subresource Integrity, that verifies outside code against a known hash and blocks any modified copy from running. And there's no indication that many websites, whether government or private, are in a rush to implement it.
