

Protect your site from cryptojacking – with csp sri • Scott Helme
Helme noticed that thousands of sites, including government sites, were running a cryptominer via a hacked JavaScript file. As he points out, to hack 2,000 sites you don't hack 2,000, you hack one:
This is not a particularly new attack and we've known for a long time that CDNs [content delivery networks] or other hosted assets are a prime target to compromise a single target and then infect potentially many thousands of websites. The thing is though, there's a pretty easy way to defend yourself against this attack. Let's take the ICO as an example, they load the affected file like this:

<script src="//" type="text/javascript"></script>

That's a pretty standard way to load a JS file and the browser will go and fetch that file and include it in the page, along with the crypto miner... Want to know how you can easily stop this attack?

<script src="//" integrity="sha256-Abhisa/nS9WMne/YX+dqiFINl+JiE15MCWvASJvVtIk=" crossorigin="anonymous"></script>

That's it. With that tiny change to how the script is loaded, this attack would have been completely neutralised. What I've done here is add the SRI Integrity Attribute and that allows the browser to determine if the file has been modified, which allows it to reject the file. You can easily generate the appropriate script tags using the SRI Hash Generator and rest assured the crypto miner could not have found its way into the page. To take this one step further and ensure absolute protection, you can use Content Security Policy and the require-sri-for directive to make sure that no script is allowed to load on the page without an SRI integrity attribute. In short, this could have been totally avoided by all of those involved even though the file was modified by hackers.

Sure, he’s selling a service. But it’s a useful service.
Cryptominer hacking
february 2018 by charlesarthur
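The check Helme describes, as an added example that is not from his post or the ICO's site: compute the SRI token for a script the way the browser does (base64 of the raw SHA-256 digest), emit the pinned tag, and show that a copy with extra code appended no longer matches. File names and script contents are constructed for the demo; it needs only openssl.

```shell
#!/bin/sh
# Added example (not Scott Helme's code): subresource integrity as a
# build-time pin plus the verification the browser performs before running
# a <script> that carries an integrity attribute. Demo files are constructed.

# SRI token for a file: "sha256-" followed by base64 of the raw digest.
sri_hash() {
  printf 'sha256-%s' "$(openssl dgst -sha256 -binary "$1" | openssl base64 -A)"
}

# Emit the pinned tag the post recommends. $1 = URL for src, $2 = local copy
# of exactly the bytes the CDN serves (crossorigin is required for SRI on
# cross-origin scripts served with CORS headers).
sri_script_tag() {
  printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' \
    "$1" "$(sri_hash "$2")"
}

# Return 0 when the file's digest matches the expected token, 1 otherwise;
# a mismatch is what makes the browser refuse to execute the script.
sri_verify() {
  expected="$1"; file="$2"
  [ "$(sri_hash "$file")" = "$expected" ]
}

# Demo: pin the legitimate file, then simulate the hosted copy being altered.
tmp=$(mktemp -d)
printf 'console.log("reader plugin");\n' > "$tmp/plugin.js"   # constructed
token=$(sri_hash "$tmp/plugin.js")
sri_script_tag "https://cdn.example.test/plugin.js" "$tmp/plugin.js"
cp "$tmp/plugin.js" "$tmp/served.js"
printf '/* bytes appended after the pin was taken */\n' >> "$tmp/served.js"
sri_verify "$token" "$tmp/plugin.js" && echo "original copy: accepted"
sri_verify "$token" "$tmp/served.js" || echo "modified copy: rejected"
rm -r "$tmp"
```

The CSP follow-up in the post (`require-sri-for script`) never shipped broadly and has since been dropped by major browsers, so treat the integrity attribute on every third-party script tag as the control that actually holds.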
Thousands of UK and US government websites hijacked by hidden crypto-mining code after popular plugin hacked • The Register
Chris Williams:
Thousands of websites around the world – from the UK's NHS and ICO to the US government's court system – were today secretly mining crypto-coins on netizens' web browsers for miscreants unknown.

The affected sites all use a fairly popular plugin called Browsealoud, made by Brit biz Texthelp, which reads out webpages for blind or partially sighted people.

This technology was compromised in some way – either by hackers or rogue insiders altering Browsealoud's source code – to silently inject Coinhive's Monero miner into every webpage offering Browsealoud.

For several hours today, anyone who visited a site that embedded Browsealoud inadvertently ran this hidden mining code on their computer, generating money for the miscreants behind the caper.

A list of 4,200-plus affected websites can be found here: they include The City University of New York, Uncle Sam's court information portal, Lund University, the UK's Student Loans Company, privacy watchdog The Information Commissioner's Office and the Financial Ombudsman Service, plus a shedload of other and sites, UK NHS services, and other organizations across the globe…

The Monero miner was added to Browsealoud's code some time between 0300 and 1145 UTC… Coinhive's code is mostly detected and stopped by antivirus packages and ad-blocking tools.

Adblocking as the easy way to avoid malware, pt 943.
Cryptominer malware malvertising
february 2018 by charlesarthur
keraf/NoCoin: No coin is a tiny browser extension aiming to block coin miners such as Coinhive.
Anti-miner browser addon to block cryptocurrency miners from operating in a browser tab. Sadly necessary these days...
chrome browser addon plugin extension antiminer security cryptocurrency javascript tab miner cryptominer bitcoin monero coinhive
september 2017 by asteroza