Cryptocurrency mining concept art

Government websites infected with cryptocurrency mining script

Image credit: Dreamstime

Scripts that ‘hijack’ a visitor’s CPU to mine cryptocurrency have been found hidden on UK and other government websites.

Cryptocurreny mining is the process of solving complex mathematical problems to verify cryptocurrency transactions and add them to a public ledger (blockchain). While solving these problems reaps financial rewards in the form of newly issued cryptocurrency tokens, it is highly computationally expensive, often stacking up high electricity bills.

A cryptomining script uses a website visitor’s CPU to mine cryptocurrency, slowing down their computers and adding to their electricity bills, often without them noticing.

In September 2017, a cryptomining Javascript, Coinhive, was launched, describing itself as an alternative to advertising. Coinhive uses a visitor’s CPU to mine Monero, a digital currency.

The script rapidly spread to an estimated 500 million internet users, with 2.2 per cent of Alexa’s top 100,000 websites containing the code less than a month after it was released.

While previously it was thought that these scripts were mostly associated with shady websites, such as The Pirate Bay or adult content websites, more recently they have been discovered worming their way into YouTube adverts using Google’s DoubleClick ad delivery platform.

Now, The Register and cybersecurity consultant Scott Helme have found that a further 4200 websites have been infected with Coinhive, many of which are government websites. The UK, US and Australian governments are among those affected.

In the UK, affected pages include those belonging to the NHS, the Financial Ombudsman Service, the Information Commissioner’s Office (ICO) , the Student Loans Company and some local council websites. The US courts information portal was also affected.

Helme discovered the infestation after a friend messaged him to say that their antivirus software had flagged up an issue on a UK government website.

The script was spread through the modification of a popular plugin, Texthelp’s BrowseAloud, which helps people with visual impairments, dyslexia or other complications to browse the internet by reading text aloud. The modification caused Coinhive to be injected where BrowseAloud was in use, with the result that a visitor’s CPU would be used to mine Monero whenever the affected pages were open.

Texthelp disabled BrowseAloud and took down its website several hours after the mining had been enabled. A number of government websites – including that of the ICO – were temporarily taken down.

“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year, and our data security action plan was actioned straight away,” said Martin McKay, Texthelp CTO.

“Texthelp has in place continuous automated security tests for BrowseAloud and these detected the modified file and as a result the product was taken offline.”

The National Cyber Security Centre (NCSC) has confirmed that the problem is under investigation.

“NCSC technical experts are examining data involving incidents of malware being used to illegally mine cryptocurrency,” the NCSC said in a statement. “The affected service has been taken offline, largely mitigating the issue.  Government websites continue to operate securely.”

“At this stage there is nothing to suggest that members of the public are at risk.”

Users can take measures to protect themselves from cryptomining scripts using standard antivirus software, as well as adblocking and no-Javascript add-ons for their web browsers.

Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.

Recent articles