Text-to-speech service spreads cryptomining code far and wide

February 12, 2018 // 10:47 a.m.

Tags: #attack #breach #browse-aloud #coinhive #cryptocurrency #insecurity #javascript #mining #paul-ducklin #security #texthelp #vulnerability

An accessibility service provided by Texthelp Limited has been breached by unknown attackers, who planted cryptocurrency mining scripts on websites across the world - including, embarrassingly, the Information Commissioner's Office (ICO).

First publicised by security researcher Scott Helme via Twitter, the attack spread to government and other high-profile sites globally over the weekend through a single point of failure: a text-to-speech service dubbed Browsealoud from Texthelp Limited. Rather than attacking each individual site in turn, those responsible breached Texthelp's service and implanted malicious JavaScript designed to siphon off a percentage of visitors' CPU power to solve the cryptographic challenges required to 'mine' cryptocurrencies, earning the attacker valuable, though virtual, currency which can be traded for real-world cash.

An analysis of the attack from security firm Sophos' Paul Ducklin suggests that this was the full extent of the attack's impact: no other code that could have compromised visitors' systems, installed malicious software, or stolen personal information has been discovered. Texthelp responded by taking down the Browsealoud server - thus immediately removing the JavaScript mining code from the affected sites, though also disabling the text-to-speech functionality - and has issued a statement confirming the attack.

'Texthelp can report that no customer data has been accessed or lost. The company has examined the affected file thoroughly and can confirm that it did not redirect any data, it simply used the computers' CPUs to attempt to generate cryptocurrency. The exploit was active for a period of four hours on Sunday,' the company explains. 'The Browsealoud service has been temporarily taken offline and the security breach has already been addressed, however Browsealoud will remain offline until Tuesday 12:00 GMT. This is to allow time for Texthelp customers to learn about the issue and the company’s response plan.'

'So far as we can see, simply shutting down your browser is enough to kill off any cryptomining scripts that may have been left behind by this attack,' explains Ducklin of the method by which users can ensure their systems are no longer chewing through electricity to line some ne'er-do-well's pocket. 'If you run a website that uses the services of browsealoud DOT com we recommend that you stop your own pages from even trying to load content from that site (no matter that it is offline) until you receive a credible explanation and an all-clear from Texthelp.'
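For site operators acting on that recommendation, the following is an added example (not code from the article, Sophos or Texthelp) of one way to find where a page's markup still loads content from the Browsealoud domain, including subdomains and protocol-relative URLs. The function names, the sample page and the placeholder script path are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOCKED_HOST = "browsealoud.com"  # the service named in the article

# Constructed sample page; the script path is a placeholder, not the real one.
SAMPLE_PAGE = """<html><head>
<script src="https://www.browsealoud.com/PLACEHOLDER/script.js"></script>
<script src="//WWW.BrowseAloud.com./PLACEHOLDER/script.js"></script>
<link rel="preconnect" href="https://browsealoud.com">
<script src="/static/app.js"></script>
<script src="https://notbrowsealoud.com/x.js"></script>
<a href="https://example.org/?ref=browsealoud.com">news</a>
</head></html>"""


def host_matches(url, blocked):
    """True if url's host is the blocked domain or one of its subdomains."""
    try:
        host = (urlsplit(url.strip()).hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. an unbalanced IPv6 bracket
        return False
    return host == blocked or host.endswith("." + blocked)


class RemoteLoadFinder(HTMLParser):
    """Collects (line, tag, url) for attributes that fetch from the blocked host."""

    def __init__(self, blocked):
        super().__init__()
        self.blocked = blocked.lower()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # src fetches on any element; href fetches only on <link>, not <a>.
            fetches = name == "src" or (tag == "link" and name == "href")
            if fetches and value and host_matches(value, self.blocked):
                self.hits.append((self.getpos()[0], tag, value))


def find_loads(html, blocked=BLOCKED_HOST):
    finder = RemoteLoadFinder(blocked)
    finder.feed(html)
    finder.close()
    return finder.hits


if __name__ == "__main__":
    for line, tag, url in find_loads(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {url}")
```

This only inspects static markup; references injected at runtime by other scripts or a tag manager need to be checked in those systems separately.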

