Crypto mining attack raises issue of trust in third-party content

With the news that thousands of websites were hijacked by code that turned computers and smartphones into cryptocurrency miners, XQ Cyber believes that a bigger issue has arisen, and that is one of trust.

On Sunday, the UK government’s Information Commissioner’s Office (ICO) website and thousands of other sites from around the world were affected when malicious code called Coinhive was injected into a website plugin called Browsealoud. The plugin is used to help visually impaired people use websites.

According to TextHelp, the company behind the plugin, the code was injected without their knowledge to use the processing power of any device that visited websites running Browsealoud. Anyone who visited the affected websites would have run hidden crypto mining code, forcing their device to solve complex coding problems and generate the cryptocurrency Monero.

This is far from the first time such techniques have been used to mine cryptocurrencies. In January it was revealed that hackers had hijacked adverts on YouTube for the same purpose. In many cases, the ads employed JavaScript code provided by Coinhive.

A list of the 4,200-plus affected websites can be found here

What is Crypto Mining?

With the rise in the popularity of cryptocurrencies such as Bitcoin, mining has become more common, both among legitimate users and among cybercriminals.

Mining is a process where new digital coins are created by solving complex mathematical problems. It uses large amounts of computer processing power, which has led to hackers inserting software into websites that effectively puts a visitor’s device to work mining. The process does not damage the device or result in data loss but can slow down the performance of a device.

The Chain of Trust

The bigger issue to emerge from this story is one of trust in third parties.

Software development relies heavily on trust, especially when it comes to open source components. Many websites take scripts from third-party libraries that are often hosted on Content Delivery Networks (CDNs). If one of these third-party scripts is compromised via code injection, as happened with Browsealoud, and is then loaded on an organisation’s website, the malicious code will affect any visitors to that website.

To protect a website from untoward third-party scripts, you need to identify each script and verify that it is genuine and has not been modified. If you can’t, then how can you trust it?

You can verify whether there is anything untoward by using Subresource Integrity (SRI). This works by having the browser perform an integrity check on assets being loaded from a third party. However, this will only work for the most up-to-date browsers. Older browsers remain vulnerable, and this highlights the necessity of patching and updating software as one of the measures you can take in securing your systems.

With software developers and website builders relying on open source third-party content, both externally hosted and imported as libraries into their own software development processes, to assist with rapid development and cost reduction, the reliance on it is unlikely to change anytime soon.

Whilst most third-party CDNs should be trustworthy, the most effective solution is to try to host as much as possible yourself. This allows you to verify it and grants you full control.

What can you do to counter the threat?

  • Once the tab or browser is shut, the injected code stops working, which means that it doesn’t infect a user’s systems beyond the time spent on the affected website.
  • Ad-blocker and anti-virus software detect and stop Coinhive. However, other variants of crypto mining code are unlikely to be detected.
  • Website owners should identify what third-party plugins they are using and check what these plugins are loading or communicating with over the network and internet.
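
The SRI check and the third-party script inventory described above, as an added example (not XQ Cyber's or TextHelp's code): Node.js code that computes an integrity value, applies the browser's matching rule to a modified file, and lists cross-origin script tags that lack `integrity` or `crossorigin`. The script bodies, the `cdn.example` and `www.example.org` URLs and all function names are constructed for illustration.

```javascript
// Added example: SRI hash generation, browser-style matching, and a script-tag audit.
const { createHash } = require('node:crypto');

const ALGOS = ['sha256', 'sha384', 'sha512']; // algorithms SRI defines, weakest first

// integrity="" value: "<algo>-<base64 digest of the exact bytes served>".
function sriHash(body, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(body).digest('base64')}`;
}

// Browser matching rule: of the hashes listed, only those using the strongest
// algorithm present count, and one of them must equal the digest of the file.
function integrityMatches(body, integrity) {
  const hashes = integrity.trim().split(/\s+/)
    .map((h) => h.split('?')[0]) // drop optional "?options"
    .filter((h) => ALGOS.includes(h.split('-')[0]));
  if (hashes.length === 0) return true; // nothing usable listed: no check is enforced
  const strongest = ALGOS.filter((a) => hashes.some((h) => h.startsWith(`${a}-`))).pop();
  return hashes.includes(sriHash(body, strongest));
}

// Regex scan (not a full HTML parser): cross-origin <script src> tags that lack
// integrity or crossorigin. Assumes quoted attribute values.
function auditScripts(html, pageUrl) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = (tag.match(/\ssrc\s*=\s*["']([^"']*)["']/i) || [])[1];
    if (!src || new URL(src, pageUrl).origin === new URL(pageUrl).origin) continue;
    const missing = ['integrity', 'crossorigin']
      .filter((name) => !new RegExp(`\\s${name}(?=[\\s=>/])`, 'i').test(tag));
    if (missing.length) findings.push({ src, missing });
  }
  return findings;
}

// Constructed sample data: a vendor script as reviewed, then the same file modified.
const reviewed = 'function readAloud(text) { /* vendor plugin code */ }\n';
const tampered = `${reviewed}/* injected code */\n`;
const pinned = sriHash(reviewed);
const page = `
<script src="/js/site.js"></script>
<script src="https://cdn.example/plugin.js"></script>
<script src="https://cdn.example/lib.js" integrity="${sriHash('lib();')}" crossorigin="anonymous"></script>`;

console.log({
  reviewedLoads: integrityMatches(reviewed, pinned),
  tamperedLoads: integrityMatches(tampered, pinned),
  unpinned: auditScripts(page, 'https://www.example.org/'),
});
```

A pinned hash stays valid only while the third party serves exactly the same bytes, so a script that its vendor updates in place needs its hash regenerated after each reviewed update.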
