Thousands of Sites Hit By 'Cryptojacking' Scam

By John Lister

Visitors to more than 5,000 websites had their computers hijacked to earn money for scammers. But the attack would have earned them less than $25 - and they aren't getting paid anyway.

The attack involved compromising a text-to-speech accessibility tool called BrowseAloud. Websites add it by loading a script from the vendor's servers, and it makes pages easier to use for visitors with vision or reading difficulties.

Because the same script is loaded from one place by thousands of sites, a single modified copy ran in the browser of every visitor to every one of those sites, regardless of whether the visitor ever used the accessibility features. The software is particularly popular on government department and agency websites, which may be under a legal obligation to make their pages accessible.

Hijacked Computers Used In Race For Cash

The scammers were attempting a tactic known as cryptojacking: using somebody else's computer, without permission, to mine cryptocurrency. Cryptocurrencies are a form of virtual currency in which transactions don't require a financial intermediary such as a bank. Instead, all transactions are listed on a public ledger designed so that past records can't be altered.

That ledger is known as a blockchain, and adding a new block of records to it requires solving a computational puzzle: one that takes an enormous number of trial-and-error calculations to solve but only a single calculation to check. To incentivise people to make their computers available for this, most cryptocurrencies work like a "competition" - with computers racing to be the first to solve the puzzle and add the next block to the ledger.

The winner is then rewarded with newly created units of the currency, a bit like a central bank issuing a new coin or note. These can then be sold for "real world" currencies or held as a form of investment, in the hope that the exchange rate rises.

News Site Sees Opportunity To Earn

Many people deliberately build powerful computers specifically for this process, known as "mining." That's perfectly legal. Another approach is to put JavaScript on a website so that each visitor's browser contributes spare processing power to the mining for as long as the page stays open.

In some cases this can be above board: the news site Salon now lets visitors hide ads in return for letting their computer contribute through a mining script called Coinhive. In this attack, however, Coinhive was running without the knowledge of the users, or indeed of the websites themselves. That meant mobile users' batteries were drained, or their electricity bills increased, without permission. (Source: washingtonpost.com)

While the attack was widespread, it doesn't appear to have been a worthwhile exercise. Coinhive says the scammers earned only the equivalent of $24.50. They won't even get that, as the payout has been cancelled because they broke the software's terms and conditions. (Source: theguardian.com)

What's Your Opinion?

Would you be prepared to let your computer's resources be used in return for seeing websites with ads? (Don't worry - this is not part of Infopackets plans!) Should legitimate websites be offering such an option? Does it make a difference that the resources are only used for calculations rather than accessing any user data?


Comments

Dennis Faas:

I wrote an article about a year ago about a similar attack on an old Windows Server 2003. Because the machine was no longer receiving security updates (just like Windows XP and Windows Vista), the Windows Server 2003 became infected with malware repeatedly. No antivirus or antimalware could block the infections because the operating system had huge gaping holes in it, allowing malware to pass right through. Each time it got infected, it was a bitcoin mining virus. This in turn made the server CPU run 100% of the time, slowing it down so much that it couldn't be used. This story is proof that these types of attacks are not going to go away any time soon. When malware like this can be distributed by merely visiting a site - that is very scary news, indeed!