The value of bitcoin (along with some lesser-known cryptocurrencies, such as Ethereum and Ripple) recently slumped, leading to some predictions that the “bubble” of its inflated value is beginning to pop, that cryptocurrency, in general, is on its way out.
Hackers, however, do not believe it, they’re all in on crypto. They’are in so deep, in fact, that they are hijacking thousands of websites, including those that belong to reputable entities like the United Kingdoms’ National Health Service and the United States court system, to mine the stuff, according to The Register.
What do these sites have in common that enables ease of penetration by this hackers? They all use a plug-in called Browsealoud, which allows blind or partially-sighted people to listen to the text that appears on the screen. That’s what the hackers used to hijack the websites.
In the early hours of February 11, 2018, malware intended to mine lesser-known cryptocurrency monero was added to Browsealoud’s code. It ran on some 4,200 affected websites for several hours. So whenever an unsuspecting visitor accessed those sites, the mining script would run in their web browser, without the users’ consent, generating cryptocurrency for the hackers. By the afternoon, Browsealoud’s team had realised the issue and shut down its service while it repaired its code.
Authorities aren’t yet sure who the hackers are. But the company at least has been clear: the hackers’ actions were illegal.
The breach is bad news for more than just Browsealoud, and for the sites that use it. It reveals a weakness of the modern internet as a whole. Most websites rely on just a few providers of various services — almost half of the websites that track user activity via cookies, for example, use the same software. That means that if hackers can crack that one common software, they can take advantage of thousands, or even millions, of sites that rely upon it.
The websites themselves have little control over it. And even though Browsealoud had been preparing for such a breach over the past year, according to a company statement, there wasn’t much their clients could do after the attack.
Yes, breaches are bad, but ultimately, consumers didn’t suffer too much from this one. The hackers didn’t steal any user information (that could be particularly bad for users typing in their most personal identifying information to government websites), they didn’t infect computers with buggy software. They just mined some cryptocurrency and probably made the environment just a bit worse off for it.