Hackers hijacked software intended to help people with disabilities to mine cryptocurrency, affecting more than 4,000 websites around the world.
If you know any bitcoin investors, you might notice that they seem a little bummed lately. After months of an upward trend, the value of bitcoin (along with some lesser-known cryptocurrencies, such as Ethereum and Ripple) recently slumped, leading to some predictions that that the “bubble” of its inflated value is beginning to pop, that cryptocurrency in general is on its way out.
But hackers don’t believe it — they’re all in on crypto. They’re in so deep, in fact, that they’re hijacking thousands of websites, including those that belong to reputable entities like the U.K.’s National Health Service and the U.S. court system, to mine the stuff, according to The Register.
You might ask: What do so many disparate sites have in common? They all use a plug-in called Browsealoud, which allows blind or partially-sighted people to listen to the text that appears on screen. That’s what the hackers used to hijack the websites.
That’s right. The culprits exploited accessibility software to mine cryptocurrency. Real classy.
In the early hours of February 11, 2018 malware intended to mine lesser-known cryptocurrency monero was added to Browsealoud’s code. It ran on some 4,200 affected websites for several hours. So whenever an unsuspecting visitor accessed those sites, the mining script would run in their web browser, without the users’ consent, generating cryptocurrency for the hackers. By the afternoon, Browsealoud’s team had realized the issue and shut down its service while it repaired its code.
Authorities aren’t yet sure who the hackers are. But the company at least has been clear: the hackers’ actions were illegal.
The breach is bad news for more than just Browsealoud, and for the sites that use it. It reveals a weakness of the modern internet as a whole. Most web sites rely on just a few providers of various services — almost half of the web sites that track user activity via cookies, for example, use the same software. That means that if hackers can crack that one common software, they can take advantage of thousands, or even millions, of sites that rely upon it.
The web sites themselves have little control over it. And even though Browsealoud had been preparing for such a breach over the past year, according to a company statement, there wasn’t much their clients could do after the attack.
Yes, breaches are bad, but ultimately, consumers didn’t suffer too much from this one. The hackers didn’t steal any user information (that could be particularly bad for users typing in their most personal identifying information to government web sites), they didn’t infect computers with buggy software. They just mined some cryptocurrency, and probably made the environment just a bit worse off for it.
And in that regard, they’re far from the only ones.
Disclosure: Several members of the Futurism team, including the editors of this piece, are personal investors in a number of cryptocurrency markets. Their personal investment perspectives have no impact on editorial content.