The New Zealand Herald

Unwitting ‘miners’ earn crims cash

NZ government and private sites also served up malicious code


Over the last few days, visitors to thousands of websites have unwittingly earned criminals money by quietly running software in their browsers that generates virtual currency.

Several government sites, including that of the United Kingdom Information Commissioner’s Office, served malicious code to visitors’ browsers. That’s the official watchdog whose job it is to safeguard users’ digital information, and it dished out the malicious code on every page of its site.

A quick scan using a site source code search engine showed that New Zealand government and private-sector sites were serving up the malicious code too.

That’s alarming, and the attacks sparked a warning to users and site administra­tors from Britain’s National Cyber Security Centre, run by the Government Communicat­ions Headquarte­rs signals intelligen­ce spooks, that everyone needs to be careful out there.

NCSC called the attack cryptojacking, but it should really be named script-jacking. Someone swapped out the legitimate Browsealoud JavaScript library, which sites include to add accessibility features, for a malicious variant.

The malicious Browsealoud script “mines”, that is, runs the proof-of-work computations that generate units of the Monero virtual currency; in other words, the miscreants use your computing power, and your electricity, to make money.

While in this case the damage was limited to increased power usage — which might have shortened battery life on laptops — it could’ve been much, much worse.

JavaScript powers much of the worldwide web, and it’s a very capable programming language.

An attacker who knows what s/he is doing with JavaScript can do a vast array of bad things, often with users having no idea what’s happening.

There have even been JavaScript proof-of-concept attacks written to exploit the very low-level Meltdown and Spectre security vulnerabilities that affect Intel, AMD and other modern processors (so please remember to update your browsers to the latest, patched versions).

However, at any given time, there will be vulnerable systems out there, so this problem isn’t going to go away as the attackers have financial motives to spread malware.

The reason we’re in this situation is the same old story of adding features and allowing anyone on the internet to do whatever they like with them, and then going “oops, we should’ve thought of security as well” after masses of computers are infected.

Yes, there are technical security measures. A site can pin each third-party script with a Subresource Integrity (SRI) hash in the script tag, so the browser refuses to run any version whose contents don’t match, and a Content Security Policy can limit where scripts may be loaded from at all. Even then, that so many sites served up the compromised code shows administrators don’t understand how to make their sites secure for users.

That has to and will change, as there will be consequenc­es for failing to take precaution­s to keep web visitors safe.

If your business has an online presence, be very careful with what is served up to users.

Audit the site and the code on it, to understand what it does. If you can’t do it yourself, pay someone who knows how to update and secure things for you. This isn’t even new advice, so please take heed of it now.
