Government websites fall prey to a plugin injected with a digital coin miner

government monero

Thousands of websites relying on the Browsealoud plugin developed by U.K.-based Texthelp recently fell prey to a hack that secretly ran a cryptocurrency mining script in the background of visiting PCs. Websites use this specific plugin for visually impaired visitors so they can hear content, but on Sunday, February 11, someone managed to alter the plugin’s code to run Coinhive’s controversial JavaScript-based Monero digital currency miner. 

Because it’s based on JavaScript, administrators can easily insert Coinhive’s miner into a webpage. It runs in the background while visitors browse the website, silently mining digital coins using their PC’s processor. The CPU use can be extremely apparent if you know what’s going on, otherwise, the average web surfer may simply shrug off the slow performance as typical Windows or web-based processes slowing down the machine. The mining stops once web surfers leave the offending page. 

The altered Browsealoud plugin began mining Monero Sunday morning on more than 4,200 websites spanning the globe, including governments, organizations, and schools. Among them was the State of Indiana, the U.S. court information portal, the City University of New York, the U.K.’s National Health Service, the U.K.’s Student Loans Company, and many more. 

Most websites typically rely on plugins to pull content and tools from third-party developers. These can include translators, shopping baskets and ecommerce, menus, and so on. But the discovery of Coinhive’s miner in Browsealoud points to the possibility that if a hacker could gain access to one plugin for malicious purposes, thousands of websites could suffer. 

Plugin content typically resides on a remote server and sent to the target web page using a secure connection. The problem is that there is no real system to authenticate the actual content. Thus, someone with access to the content could easily inject malicious code, and the resulting websites using the plugin would serve up the malicious content despite registering the server as secure. 

One method to fix this problem is called Subresource Integrity. It comprises of two HTML elements with an “integrity” attribute that relies on a cryptographic hash. If the number provided to the website doesn’t match the number associated by the content, then the website can catch and block the malicious code. Unfortunately, this isn’t a widely used technique, but the recent issue with Browsealoud may convince more websites to utilize the Subresource Integrity method. 

Coinhive’s miner was reportedly only active in the Browsealoud plugin for a few hours before Texthelp pulled the plug. And although the outcome was apparently only to generate digital coin, the company still considers the hack as a criminal act. 

“Texthelp has in place continuous automated security tests for Browsealoud — these tests detected the modified file and as a result, the product was taken offline,” Texthelp Chief Technical Officer Martin McKay said in a statement. “This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action.” 

Texthelp is currently working with the National Crime Agency and the National Cyber Security Agency to hunt down the hacker(s). 

Deals

This one-day Skullcandy sale gets you wireless earbuds for under $30

Today only, you can save 40 percent on wireless earbuds, noise-canceling headphones, and classic earbuds direct from the Skullcandy website. If you're hoping to get a pair of headphones before the holidays arrive, now is the time.
Digital Trends Live

Digital Trends Live: Amazon Go expansions, the robocall onslaught, more

On this episode of Digital Trends' live morning show, Digital Trends Live, hosts Greg Nibler and Jeremy Kaplan explored the news of the day, including Amazon Go's potential expansion, the robocall onslaught, and more.
Digital Trends Live

Jobbatical’s Lauren Proctor discusses the future of jobs for tech experts

Today on Digital Trends Live we had Jobbatical's Lauren Proctor to talk about the future trends for finding tech jobs abroad, including a Digital Nomad Visa, which allows tech experts to travel from country to country much easier.
Home Theater

Spotify Wrapped reveals rad facts about your musical tastes and habits

The website may be a bit tough to find at first, but Spotify Wrapped tells you awesome facts about your year in listening. From how many minutes you spent jamming out to your top artists, and beyond, there's a lot to dig into.
Computing

Windows 10 user activity logs are sent to Microsoft despite users opting out

Windows 10 Privacy settings may not be enough to stop PCs from releasing user activity data to Microsoft. Users discovered that opting out of having their data sent to Microsoft does little to prevent it from being released.
Computing

Intel's discrete graphics will be called 'Xe,' IGP gets Adapative Sync next year

Intel has officially dubbed its discrete graphics product Intel Xe, and the company also provided details about its Gen11 IGP. The latter will include adaptive sync support and will arrive in 2019.
Computing

Intel answers Qualcomm's new PC processors by pairing Core and Atom in 'Foveros'

Intel has announced a new packaging technology called 'Foveros' that makes it easier for the company to place multiple chips together on one package. That includes chips based on different Intel architectures, like Core and Atom.
Computing

Razer’s classic DeathAdder Elite gaming mouse drops to $40 on Amazon

If you're looking to pick up a new gaming mouse for the holidays, Amazon has you covered with this great deal on the classic Razer DeathAdder Elite gaming mouse with customizable buttons, RGB lighting, and a 16,000 DPI optical sensor.
Computing

Intel's dedicated GPU is not far off -- here's what we know

Did you hear? Intel is working on a dedicated graphics card. It's called Arctic Sound and though we don't know a lot about it, we know that Intel has some ex-AMD Radeon graphics engineers developing it.
Computing

Firefox 64 helps keep your numerous tabs under control

Mozilla officially launched Firefox 64 by placing new features into the laps of its users including new tab management abilities, intelligent suggestions, and a task manager for keeping Firefox's power consumption under control.
Computing

Here's our guide to how to charge your laptop using a USB-C cable

Charging via USB-C is a great way to power up your laptop. It only takes one cable and you can use the same one for data as well as power -- perfect for new devices with limited port options.
Computing

Apple MacBook Air vs. Microsoft Surface Pro 6

The MacBook Air was updated with more contemporary components and a more modern design, but is that enough to compete with standouts like Microsoft's Surface Pro 6 detachable tablet?
Computing

Installing fonts in Windows 10 is quick and easy -- just follow these steps

Want to know how to install fonts in Windows 10? Here's our guide on two easy ways to get the job done, no matter how many you want to add to your existing catalog, plus instructions for deleting fonts.
Computing

Email take-backsies! Gmail's unsend feature is one of its best

Everyone has sent a message they wish they could take back. How great would it be if you could undo that impulsive email? If you're a Gmail user, you can. Here's how to recall an email in Gmail.