Hackers Used Ontario Government and CAMH Websites to Mine Cryptocurrency
Hackers hijacked a popular plugin.
Image: Flickr/CAMH Foundation
Visitors to thousands of websites—including UK and US government sites—were forced to unknowingly mine cryptocurrency over the weekend after hackers compromised a popular browser plugin called Browsealoud, and rejigged it to hijack site visitors’ computer power.
Among the affected sites, which included the UK’s information commissioner and uscourts.gov, were some prominent Canadian URLs. According to a list of sites running the Browsealoud plugin, which offers accessibility and translation services, the websites for the Information and Privacy Commissioner of Ontario, the Ontario Trillium Foundation, and the Centre for Addiction and Mental Health (CAMH) were compromised.
According to a blog post by Texthelp, the company behind Browsealoud, the exploit was live for four hours on Sunday before the service was taken offline completely to stop the attack, and will remain offline until Tuesday. Crucially, the company noted that no customer data was lost—and even though the hackers could have done anything they wanted with site visitors’ computers, they chose to mine cryptocurrency.
"We can confirm that we were notified by Texthelp that the plugin Browsealoud used on the IPC website for accessibility purposes was compromised by the use of malicious code, in an attempt to illegally generate cryptocurrency," a spokesperson for the Office of the Information and Privacy Commissioner of Ontario wrote Motherboard in an email. "We know that no IPC data was accessed or lost, and the script has been disabled. Cyberattacks have become an increasingly common threat to information security, and the IPC regularly reviews its security systems to ensure that our network remains uncompromised."
Technical experts from CAMH, Canada’s largest mental health and addictions hospital located in downtown Toronto, were unavailable to comment. However, a spokesperson noted that investigators have found no evidence of data being lost or compromised.
“We can’t comment on this because it’s a third party plugin we used on our website, but we’ve been in touch with our contact at Texthelp,” said Cynthia McQueen, a spokesperson for Ontario Trillium Foundation, a government funding agency, over the phone. “We know for sure that no customer data was accessed or lost, and that [the script] is currently not on our website.”
This attack, which secretly embeds a legitimate cryptocurrency mining script in websites, is the largest yet in a growing trend as criminals cash in on the rising values of digital currencies. On Sunday, the UK’s National Cyber Security Centre announced that it is investigating the hack and that there is likely no further risk to the public.
In an interview with Motherboard reporter Joseph Cox, Coinhive spokespeople said that the hackers made a grand total of $24 USD worth of Monero.
Surreptitious cryptocurrency mining is a rising global trend in cybercrime. Mining scripts like the one used in Sunday’s hack can be used legitimately but also provide an easy way for hackers to deliver mining code. Cryptocurrency mining demands a lot from computers and can slow down visitors’ machines. Last year, hackers delivered mining code to Starbucks customers via an Argentine internet service provider. The mining script used in Sunday's hack came from a service called Coinhive, which can be used legitimately but has recently become a favourite among criminals.
For Canadians, a dubious trend has finally hit home.
With additional reporting by Joseph Cox.
Get six of our favorite Motherboard stories every day by signing up for our newsletter .
UPDATE: This article has been updated to include comment from the Office of the Information and Privacy Commissioner of Ontario.
UPDATE: The original version of this article stated that the cryptocurrency mining script came from Coinhive, but Coinhive spokespeople stated that the script was merely "copied" from their code, and the hackers used their own servers to communicate with the Monero network. Later, Coinhive confirmed that their service was in fact used in the hack.