Websites compromised to generate money

“Wait, what?!?!?? Websites can generate money? I’ve got a website. What do I have to do to get my hands on some of that lovely cash?”

Calm yourself, it’s not the website doing the money generation and you are not the beneficiary. The bad guys are! 😨

Last weekend a security researcher called Scott Helme noticed that when he visited some government websites, the processor usage on his machine would suddenly spike. If he went to a normal site (like YouTube), the processor usage would return to normal. Some of the sites shown to cause this spike in processor usage were:

  • The United States Court information portal www.uscourts.gov
  • The UK’s Student Loans Company www.slc.co.uk
  • The UK’s data protection body, The Information Commissioner’s Office www.ico.org.uk
  • The Financial Ombudsman Service www.financial-ombudsman.org.uk
  • Also some of the UK NHS services

Some detective work then revealed that these sites had one thing in common. They were all WordPress sites, but not only that, they all used a specific plug-in called BrowseAloud. This plug-in, created by a company called Texthelp, is used by visually impaired people: it reads the text of web pages aloud to them. Over 4,000 sites were shown to be affected by this compromise.

So what happened was, the evildoers compromised the plug-in software. When a web user browsed to an affected website and opened it in their browser, even without asking for the page to be read out to them, the plug-in would execute code that would “mine for Monero cryptocurrency” or, in normal language, generate money by using the web user’s processing power to carry out the complex calculations needed to create the cryptocurrency.

You might not think this is a big deal, but it is. Somebody is doing something illegal and using your machine to help them. It’s not your fault, but it is something to be concerned about. What if, instead of having the plug-in execute code to generate money, they had used the processing power of your machine to send spam e-mail or to take a particular website offline?

In fairness to Texthelp, as soon as they became aware of the issue, they took the plug-in offline until they had resolved all issues with it. This kind of incident is similar to the Petya/NotPetya ransomware outbreak last year, in that the software in use was compromised at its source (also known as a supply-chain attack).

It’s hard to protect against these types of incidents, particularly when you are browsing a reputable website that happens to be using a plug-in that has been compromised. As always, I would suggest using up-to-date anti-virus software, keeping your software fully updated and using an ad-blocking extension/add-in in your browser.
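For site owners who embed a third-party script like this one, there is a browser-side control the post does not mention: Subresource Integrity (SRI), where the page pins the hash of the script it was reviewed with, so a copy altered at its source is refused by the browser. The following Python is an added example, not part of the original post or Texthelp’s code, that models that check; the script bytes and the CDN URL are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample: bytes of the third-party script as reviewed and approved by the site owner.
APPROVED_SCRIPT = b"window.readAloud = function (text) { /* speak page text */ };\n"
# Constructed sample: the same script after being altered at its source (a supply-chain compromise).
TAMPERED_SCRIPT = APPROVED_SCRIPT + b"/* injected: cryptominer loader */\n"


def sri_hash(script_bytes: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity token ('<algo>-<base64 digest>') for the given bytes."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, integrity: str) -> str:
    """Build a <script> tag pinned to the approved hash.

    crossorigin="anonymous" is required for SRI on cross-origin scripts; without it
    the browser cannot verify the bytes and refuses to run the script at all.
    """
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'


def browser_would_execute(fetched: bytes, integrity: str) -> bool:
    """Model the browser's SRI check: the script runs only if the fetched bytes match the pin."""
    algo, _, _ = integrity.partition("-")
    return sri_hash(fetched, algo) == integrity


if __name__ == "__main__":
    # Hypothetical CDN URL, not the real plug-in's address.
    pinned = sri_hash(APPROVED_SCRIPT)
    print(script_tag("https://cdn.example.com/read-aloud.js", pinned))
    print("approved copy runs:", browser_would_execute(APPROVED_SCRIPT, pinned))  # True
    print("tampered copy runs:", browser_would_execute(TAMPERED_SCRIPT, pinned))  # False
```

The pin only protects the version the site owner actually reviewed: a legitimate vendor update will also be blocked until the hash is refreshed, so SRI trades silent updates for an explicit re-review step.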