Over the weekend, hackers injected thousands of websites—including UK and US government sites—with code that hijacked visitors’ computers to mine cryptocurrency.
The attack, noticed on Sunday by security researcher Scott Helme, was pulled off by compromising a single plugin that was used by all of the affected sites: Browsealoud, a reputable suite of accessibility and translation tools. According to Helme, the plugin was edited by attackers to embed a script that uses a site visitor’s computer to do the complex math that generates new digital coins (in this case, Monero). This process, known as “mining,” can slow down the victim’s computer.
“It could have been a catastrophe, it really could have—that’s not just scaremongering,” Helme told Motherboard in a phone call. “We were exceptionally lucky this was so mild and so quickly found.”
They could have used their access to install a keylogger onto the victim’s computers, for example, or infected them with more invasive malware. “The only limitation of what happened here was the attacker’s imagination,” Helme added.
The cryptocurrency mining script was injected into as many as 4,275 websites, if we assume every site using Browsealoud was compromised (PublicWWW, a site that searches the source code of sites on the web, has a list). The UK’s information commissioner (ICO), UScourts.gov, numerous sites associated with the UK’s National Health Services, and many more.
“The ICO’s website is up and running again following a problem with the Browsealoud feature on Sunday,” a spokesperson for the UK Information Commissioner’s Office told Motherboard in an email. “The website was taken down as a precautionary measure whilst we investigated the incident, which did not involve the access or loss of any personal data. The Browsealoud service has been temporarily removed from the website whilst further work is undertaken.”
The UK National Cyber Security Center, a wing of the GCHQ, released a statement on Sunday saying that it is investigating the matter.
Surreptitious cryptocurrency mining is an increasingly popular method for shady sites or criminals to raise money. Last year, hackers compromised an Argentine internet service provider to embed a mining script on the login page for Starbucks Wi-Fi. The hijacking of thousands of sites at once—and government sites, at that—is a serious escalation in the scope and scale of this kind of cryptocurrency mining.
The script that was embedded through Browsealoud came from a company called Coinhive, which is a leader in website monetization via mining. Coinhive’s script can be used in legitimate ways, but in this case it wasn’t.
TextHelp, the company that makes the Browsealoud plugin, did not immediately respond to Motherboard’s request for comment.
Over the phone, Helme said website administrators should be careful about the third-party content they load on their pages. There are already tools to control what content plugins can load on sites, such as Content Security Policy and Subresource Integrity. “With those combined you have a very robust defense against exactly what this is attacking,” Helme said.
Last year, security researchers at Symantec foretold a looming “arms race” between malicious hackers mining cryptocurrency and the people trying to stop them; today, it seems like that race has really begun.
Get six of our favorite Motherboard stories every day by signing up for our newsletter .