Thousands of sites using the same accessibility tool serve up a cryptocurrency miner

  • Liam Tung (CSO Online)
  • 13 February, 2018 02:55

Over 4,000 websites, many of them government portals in Australia, the US, the UK, Canada and Sweden, exposed visitors to a cryptocurrency miner on Sunday.

To cast a wide net, the attacker tampered with a third-party JavaScript library sold by Texthelp, a firm whose Browsealoud accessibility product reads web page text aloud.

UK security researcher Scott Helme discovered the issue after an antivirus program raised an alert while he was visiting the website of the UK's privacy watchdog, the Information Commissioner's Office (ICO).

Helme initially thought the ICO's own website had been compromised. It turned out that the miner appeared on the site only when it loaded the Browsealoud JavaScript library from Texthelp's servers: someone had altered that script so that it loaded the CoinHive cryptominer on every site that included Browsealoud.

CoinHive, which mines the Bitcoin alternative Monero from within a browser, can in theory be a legitimate alternative to ad revenue for websites, but it has been widely abused, for example on compromised websites and in malicious mobile apps.

Monero, unlike Bitcoin, can be mined on ordinary CPUs, and its price followed the better-known cryptocurrency's rise in recent months. The combination has made 'drive-by' mining attacks on PCs and mobile devices more feasible and more lucrative. Security firm Malwarebytes reported Tuesday that millions of Android devices had been redirected to a page that hijacked their CPUs to mine Monero without their owners' permission. Attackers can mine stealthily by using only a fraction of the CPU, or use 100 percent and risk being noticed. Unlike most other malware, cryptomining scripts generally do not try to steal data from their targets.

Other sites affected by the compromised Browsealoud library included the websites of the US Courts, the NHS, the UK's General Medical Council, and a number of Australian government websites, including those of the Queensland Civil and Administrative Tribunal and the Parliament of Victoria. A full list of the more than 4,000 sites that were loading the modified file has been published.

Texthelp suspended the service on Sunday, a few hours after Helme notified it, and has since said in a statement that the compromised file was online for only four hours. The service will remain offline until Tuesday.

"Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline. This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action," Martin McKay, Texthelp's CTO, said in a statement.

"Texthelp can report that no customer data has been accessed or lost. The company has examined the affected file thoroughly and can confirm that it did not redirect any data, it simply used the computers' CPUs to attempt to generate cryptocurrency. The exploit was active for a period of four hours on Sunday."

Helme notes that website operators can prevent a repeat of this kind of attack by adding a Subresource Integrity (SRI) hash to the tag that loads the Browsealoud script, so that browsers refuse to run the file if its contents have been modified.