Hackers have hijacked more than 4,000 websites, including government sites, in the US, UK and Australia and other nations over the weekend to exploit the processing power of visitors' computers and secretly mine cryptocurrency.
Security researcher Scott Helme first reported the incident after he was alerted by a friend who received a malware warning when visiting the website of the UK's data protection watchdog, the Information's Commissioner's Office (ICO). He traced the issue to Texthelp's BrowseAloud, a popular plugin that helps blind and partially-sighted people access the web.
Helme found that threat actors had modified the accessibility plugin by inserting obfuscated code to inject the infamous Coinhive miner into targeted websites. Running at 40% CPU utilisation, the cryptomining script would then covertly mine for Monero coins without the knowledge of the user visiting the website.
Helme managed to trace the compromised script to 4,275 websites across the globe including NHS websites, the UK's Student Loans Company, the United States Courts homepage, several state government websites in the US, the Queensland Government's legislation website and multiple English councils.
"This is not a particularly new attack and we've known for a long time that CDNs or other hosted assets are a prime target to compromise a single target and then infect potentially many thousands of websites," Helme wrote in a blog post.
TextHelp, the company behind the plugin, took down its website on Sunday and confirmed that that its product was affected by malicious code for four hours.
"TextHelp has in place continuous automated security tests for BrowseAloud , and these detected the modified file and as a result the product was taken offline," the company's chief technology officer Martin McKay said in a statement. "This removed BrowseAloud from all our customer sites immediately, addressing the security risk without our customers having to take any action."
No customer data was accessed or lost in the attack, the company said.
McKay said the firm is also commissioning a security review by an independent security consultancy and noted that no other TextHelp services other than BrowseAloud were affected in the attack.
IBTimes UK has reached out to TextHelp for further comment.
The UK's National Cyber Security Centre has launched an investigation into the incident as well.
"NCSC technical experts are examining data involving incidents of malware being used to illegally mine cryptocurrency," a spokesman said. "The affected services have been taken offline, largely mitigating the issue. Government websites will continue to operate securely. At this stage there is nothing to suggest that members of the public are at risk."
Although this attack isn't a new one, Helme warned that the impact could have been much more dire should the threat actors have decided to opt for other malicious software.
"This weekend's incident with a cryptominer being embedded in thousands of dependent sites (many of them government) has taught us some valuable lessons," security researcher Troy Hunt tweeted. "This is avoidable yet raises bigger questions about how we handle the supply chain of JS libraries."
The incident comes as cybercriminals increasingly look to tap into the growing digital currency market with cryptojacking attacks, malware and more. In November, hackers compromised the LiveHelpNow chat widget to spread Coinhive on more than 1,500 websites.
Other websites found running cryptocurrency miners include Showtime, Starbucks Argentina, Politifact, UFC's website and the Pirate Bay. YouTube ads and several popular Chrome extensions have also been found running cryptominers in recent months.