More Than 4,000 Government Websites Infected With Covert Cryptocurrency Miner

from the whoops-a-daisy dept

The rise of cryptocurrency mining software like Coinhive has been a decidedly double-edged sword. While many websites have begun exploring cryptocurrency mining as a way to generate some additional revenue, several have run into problems if they fail to warn visitors that their CPU cycles are being co-opted in such a fashion. That has resulted in numerous websites like The Pirate Bay being forced to back away from the software after poor implementation (and zero transparency) resulted in frustrated users who say the software gobbled upwards of 85% of their available CPU processing power without their knowledge or consent.

But websites that don't inform users this mining is happening are just one part of an emerging problem. Hackers have also taken to using malware to embed the mining software into websites whose owners aren't aware that their sites have been hijacked to make somebody else an extra buck. Politifact was one of several websites that recently had to admit its website was compromised with cryptocurrency-mining malware without its knowledge. Showtime was also forced to acknowledge (barely) that websites on two different Showtime domains had been compromised and infected with Coinhive-embedded malware.

While Bloomberg this week proclaimed that governments should really get behind this whole cryptocurrency mining thing, the reality is that numerous governments already have -- just not in the way they might have intended. Security researcher Scott Helme this week discovered that more than 4,000 U.S. and UK government websites -- including the US court system website -- have been infected with cryptocurrency mining malware, a number that's sure to only balloon.

As Helme notes, attackers don't even need to attack each website individually, as they've found a way to compromise shared resources like Texthelp, whose modified script files were then loaded by thousands of websites at a pop:

Fortunately this attack isn't particularly hard to neutralize, with a tiny modification to the shared script being able to nip similar, future attacks in the bud. But Helme also notes that this entire kerfuffle could have been substantially worse:

Ultimately it seems like these kinds of attacks should be easy to avoid once site administrators and governments wise up to the rising threat. That said, reports by cybersecurity firm CrowdStrike have suggested things will get a little worse before they get better. Again though, the malware angle is just one conversation we need to be having. How sites can responsibly and transparently implement miners as an alternative revenue stream is going to be something we'll be talking about for a while, as Salon made evident this week as the first website to offer the option as an alternative to traditional advertising.
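
Commenters below name the mechanism that stops a modified shared script from running: pinning it with a cryptographic hash via subresource integrity (SRI) on the page that includes it. The following is an added example, not code from the article or from Helme; it computes an SRI value, mimics the browser's check against an original and an altered script body, and lists cross-origin scripts a page loads without a pin. Hostnames, script bodies and function names are constructed for illustration.

```javascript
// Added example; hostnames, script bodies and function names are constructed.
const crypto = require('crypto');

const STRENGTH = ['sha256', 'sha384', 'sha512']; // weakest to strongest

// Value for <script integrity="...">: "<alg>-<base64 digest of the exact file>".
function sriHash(body, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;
}

// Simplified browser check: only the strongest listed algorithm counts, and the
// fetched body must match a hash of that algorithm or the script is refused.
function integrityAllows(integrityAttr, fetchedBody) {
  const tokens = integrityAttr.trim().split(/\s+/)
    .filter((t) => STRENGTH.includes(t.split('-')[0]));
  if (tokens.length === 0) return true; // no usable hash means no check at all
  const best = STRENGTH[Math.max(...tokens.map((t) => STRENGTH.indexOf(t.split('-')[0])))];
  return tokens.some((t) => t === sriHash(fetchedBody, best));
}

// Flags cross-origin <script src> tags that a third party could change unnoticed.
// The regex tag scan is a simplification that suits the constructed sample page.
function auditScripts(html, pageUrl) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const attr = (n) => (tag.match(new RegExp(`\\s${n}\\s*=\\s*["']([^"']*)["']`, 'i')) || [])[1];
    const src = attr('src');
    if (!src) continue; // inline script, nothing fetched
    const url = new URL(src, pageUrl);
    if (url.origin === new URL(pageUrl).origin) continue; // first-party file
    if (!attr('integrity')) findings.push(`${url.href}: no integrity attribute`);
    else if (!/\scrossorigin\b/i.test(tag)) findings.push(`${url.href}: integrity without crossorigin`);
  }
  return findings;
}

const ORIGINAL = 'console.log("read-aloud widget");';
const TAMPERED = ORIGINAL + '\n/* code added by whoever controls the vendor host */';
const PINNED = sriHash(ORIGINAL);
const PAGE = `<html><head><script src="/js/site.js"></script>
<script src="https://cdn.vendor.example/widget.js"></script>
<script src="https://cdn.vendor.example/widget.js" integrity="${PINNED}" crossorigin="anonymous"></script>
</head></html>`;

console.log('original allowed:', integrityAllows(PINNED, ORIGINAL));
console.log('tampered allowed:', integrityAllows(PINNED, TAMPERED));
console.log(auditScripts(PAGE, 'https://agency.example/'));
```

A pinned tag fails closed when the vendor ships any change, legitimate or not, so the hash has to be updated as part of each reviewed vendor release.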


Reader Comments


  • Anonymous Coward, 13 Feb 2018 @ 12:27pm

    Really like the idea of using some cycles to browse ad free. Just as long as I know about it before it starts.

    • Anonymous Coward, 13 Feb 2018 @ 12:51pm

      Re:

      If it was just a few cycles or antebellum I could control, maybe. However it won't be just a few.

    • Lawrence D’Oliveiro, 13 Feb 2018 @ 1:59pm

      Re: Really like the idea of using some cycles to browse ad free. Just as long as I know about it before it starts.

      This may very well be the new business model. You have four or eight or twelve cores, which probably spend most of their time sitting idle. If a site asks (nicely!) to use one in return for providing their services ... could this become the new form of barter economy?

      I can see Governments objecting because they can’t figure out how to tax it.

      • Anonymous Coward, 13 Feb 2018 @ 2:09pm

        Re: Re: Really like the idea of using some cycles to browse ad free. Just as long as I know about it before it starts.

        It is theft of service.

    • Anonymous Coward, 14 Feb 2018 @ 9:41am

      Re:

      Really like the idea of using some cycles to browse ad free.

      Install an adblocker. It needs some cycles to detect the ads, but probably less than rendering the ads would use.

  • orbitalinsertion (profile), 13 Feb 2018 @ 12:46pm

    Yeah, I'll take the ads.

  • Anonymous Anonymous Coward (profile), 13 Feb 2018 @ 1:17pm

    Proactive action

    Would it be out of character for governments to now do something effective about these kinds of intrusions? Yes, yes it would.

    • Christenson, 13 Feb 2018 @ 1:54pm

      Re: Proactive action

      The first problem is that effective, complete control over a computer is rapidly becoming impossible. That fundamental, unsolved problem of malware infections means that even effective tribal action is nearly impossible.

      Eventually, web browsers will need to limit the CPU "bleed" they give to websites so that the value of an undetected coin miner will be too small to amount to much.

      • Lawrence D’Oliveiro, 13 Feb 2018 @ 1:56pm

        Re: The first problem is that effective, complete control over a computer is rapidly becoming impossible

        With Linux systems, it still remains possible.

        • Anonymous Coward, 13 Feb 2018 @ 2:10pm

          Re: Re: The first problem is that effective, complete control over a computer is rapidly becoming impossible

          Nice browser

        • Christenson, 13 Feb 2018 @ 7:54pm

          Re: Re: The first problem is that effective, complete control over a computer is rapidly becoming impossible

          Truly...how much of your linux system have you audited? And what about the "pre-boot environment"?

          (Not that the problem isn't at least an order of magnitude worse coming out of Microsoft -- 30 million lines of Kernel versus 1 million lines of Kernel, and legal hazards if you should analyze what comes from Redmond)

          • Anonymous Coward, 14 Feb 2018 @ 9:51am

            Re: Re: Re: The first problem is that effective, complete control over a computer is rapidly becoming impossible

            Truly...how much of your linux system have you audited?

            A "modern" browser is actually bigger than most operating systems. Building Chromium or Webkit will take longer than everything they depend on put together (OS kernel, graphics stack etc.).

            • Lawrence D’Oliveiro, 14 Feb 2018 @ 10:58am

              Re: A "modern" browser is actually bigger than most operating systems

              There’s always Lynx.

              • Anonymous Coward, 14 Feb 2018 @ 3:41pm

                Re: Re: A "modern" browser is actually bigger than most operating systems

                ... and links, elinks, and w3m, and Emacs must have a few. I sometimes use them, and like them, but most sites have way too much "junk" which makes the real content hard to find. Out of curiosity, I just tried Techdirt in Lynx, and it's really good: the first link goes to a "Lite" version, which is perfect, and even the normal version isn't bad (two pages of chuffah, then the story and comments, then some trailing stuff).

                But CSS, images, and videos can make a site better, which I rarely say of Javascript (archive.org's Internet Arcade is one of those rare exceptions, though I'll personally still take a native emulator).

    • Anonymous Coward, 14 Feb 2018 @ 9:49am

      Re: Proactive action

      Would it be out of character for governments to now do something effective about these kinds of intrusions?

      The obvious action would be to stop putting third-party scripts on their own sites. Maybe unless they lock it via cryptographic hashes so that sites can't change the scripts from under them... but even then there are privacy concerns.

  • JMM (profile), 13 Feb 2018 @ 1:58pm

    Prophylactic ad-blocking

    So, it's come to a point where I run uBlock Origin and I have it set up to block all 3rd-party scripts (and I probably should block all 1st-party scripts and allow them on a per-site basis) not because of the ads anymore, but because I cannot trust the web as it stands today.

  • Anonymous Coward, 13 Feb 2018 @ 3:29pm

    Javascript is considered harmful. Thank you Techdirt for showing that a site can thrive without it.

  • Anonymous Coward, 13 Feb 2018 @ 6:50pm

    Sounds more like 4000 government websites (aka: "the government") trying to usurp cryptocurrency using a bad cover and even worse PR via Techdirt.

  • Anonymous Coward, 14 Feb 2018 @ 9:44am

    Not "malware"

    It's not "malware" just because you don't like it. There's no evidence it was intended to harm anyone, and it probably didn't (except for reduction of battery life, but lots of sites run CPU-wasting Javascript). It didn't bypass any browser security controls, collect passwords, or anything like that.

    • orbitalinsertion (profile), 14 Feb 2018 @ 2:00pm

      Re: Not "malware"

      It was injected into servers where it did not belong. That's malware. Whether it was delivered specifically by a malware dropper or placed on their server manually is irrelevant.

      • Anonymous Coward, 14 Feb 2018 @ 3:26pm

        Re: Re: Not "malware"

        It was injected into servers where it did not belong. That's malware.

        1) That's an unusual definition of malware. By that logic, Windows is malware because the computer I bought came with Windows when I didn't want it. "Mal" in this case is an attribute of the person who dropped it, not the software itself.

        2) We don't know that anything was injected. The government was allowing third-parties to decide what code to send to users (and didn't use subresource integrity to prevent changes), and one of them started to send this mining code. They've so far declined to explain what happened; they may have intentionally decided to enable this, to make some extra cash.

        • Lawrence D’Oliveiro, 14 Feb 2018 @ 8:38pm

          Re: By that logic, Windows is malware because the computer I bought came with Windows when I didn't want it.

          You said it, we didn’t.
