Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Hijack Government Websites To Mine Crypto-Cash (bbc.com)

Posted by msmash on from the worse-than-imagined dept.

BBC reports: The Information Commissioner's Office (ICO) took down its website after a warning that hackers were taking control of visitors' computers to mine cryptocurrency. Security researcher Scott Helme said more than 4,000 websites, including many government ones, were affected. He said the affected code had now been disabled and visitors were no longer at risk. The ICO said: "We are aware of the issue and are working to resolve it." Mr Helme said he was alerted by a friend who had received a malware warning when he visited the ICO website. He traced the problem to a website plug-in called Browsealoud, used to help blind and partially sighted people access the web. The cryptocurrency involved was Monero -- a rival to Bitcoin that is designed to make transactions in it "untraceable" back to the senders and recipients involved. The plug-in had been tampered with to add a program, Coinhive, which "mines" for Monero by running processor-intensive calculations on visitors' computers. The Register: A list of 4,200-plus affected websites can be found here: they include The City University of New York (cuny.edu), Uncle Sam's court information portal (uscourts.gov), Lund University (lu.se), the UK's Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner's Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), plus a shedload of other .gov.uk and .gov.au sites, UK NHS services, and other organizations across the globe.

2 of 48 comments (clear)

  1. JavaScript considered harmful by Anonymous Coward · · Score: 5, Insightful

    It's ironic that the attack vector here was a blob of JavaScript designed to make the web more accessible, when JavaScript itself has done more to destroy accessibility than any technology in the history of the web (with the possible exception of Flash).

    Unless your site is itself an application (leaving aside whether the web is a good app platform), you don't need JS at all. HTML+CSS is enough. Your site will automatically be more accessible, more compatible, use less battery and CPU, and will be more secure. It will also load much faster and be friendlier to people on crappy net connections.

  2. Has anyone done this openly? by joe_frisch · · Score: 2

    A site that allowed you to view their content with the agreement that you let them mine on your computer while you are doing so might not be a terrible way to go.