Popular Websites Being Hijacked for Cryptomining

The recent case of two Nepali online news portals being embedded with web-based cryptocurrency miners has brought the security of Nepali websites into public discussion. The first case of a news site with a browser-based miner embedded in it was discovered on OnlineKhabar, the 5th most popular website of Nepal, on the 28th of November. While OnlineKhabar initially denied the existence of any mining script, it issued a press release the next day attributing the mining activity to a security breach which it said was being investigated. The second case was discovered on BaahraKhari on 1st December. In both cases, users’ trust was exploited to conduct the illegal act of mining cryptocurrencies using the computing power of the users’ devices without their consent.

While OnlineKhabar claimed that the mining was a consequence of their website being breached, there is currently no update on the BaahraKhari incident. More likely than not, BaahraKhari too was the victim of a security breach. In such cases, a security vulnerability is exploited to obtain privileged access to the website that should only be available to a legitimate administrator. After gaining that access, the attacker edits the website’s code to include a couple of lines that embed the miner application into the website. These applications are hosted by mining service providers such as Coinhive. We saw code embedding the Coinhive mining service in both OnlineKhabar and BaahraKhari.

The discovery of cryptocurrency miners embedded in popular Nepali sites is not much of a surprise to anybody who has experienced the gross negligence of these websites in maintaining proper security. While these websites spend a lot of time on an aesthetically pleasing design, they barely pay any heed to security. Most web developers have only superficial knowledge of security issues and know little about the web vulnerabilities that can plague a web application. It is no wonder, then, that these websites have huge security loopholes and easily exploitable vulnerabilities in large numbers that any malicious actor can take advantage of. Considering all of this, embedding miners into popular Nepali websites is no complex task: there are many such websites with huge numbers of visitors that have no concept of security and have gaping weaknesses ripe for exploitation.

These issues could easily have been avoided with timely consideration of web security. Had the news portals taken steps to resolve the vulnerabilities present in their websites, they would not have lost the trust of their readers and would not be going through the trouble they are facing right now. It is still not certain that they have now taken steps to make their websites more secure. It may be that they have just removed the code embedding the miner but have not addressed the root cause that allowed someone to put the code there. If these websites have not properly addressed their security issues by consulting professional cyber security practitioners, a similar incident will surely reoccur. To prevent such an incident from ever happening again, they have to perform a vulnerability analysis, which assesses the weaknesses present in the website, and also penetration tests, in which real attacks are simulated by professional testers so that every avenue of attack can be verified and the underlying weaknesses patched before hackers exploit them.

While websites themselves must be in charge of protecting users from being exploited through their platform, users must also take steps to protect themselves against malicious content. As it is the users’ devices that are being exploited for a third party’s gain, users must be vigilant. Malicious ads and unwanted popups have been common on the web for a long time; web-based miners are just a newer issue that can be defeated using most of the same prevention methods. Using a good antivirus that provides web browsing protection is the most effective solution. Also, not visiting sketchy websites is the best way to stay out of harm’s way. While the time-trusted addon Adblock Plus also provides protection against browser-based miners, there are other addons like No Coin and minerBlock built specifically to protect against web-based miners.

As an immediate short-term response to incidents involving embedded miners and malicious scripts, ThreatNix is offering free tests for any organization accountable to the general public, in which we will test their website for the presence of any malicious script and provide consultations on basic website security.
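The "couple of lines" embedding a Coinhive miner, as described above, are a script tag loading the mining library plus an inline snippet that starts it, and the test for their presence can be automated. The following is an added example, not code from this post or from ThreatNix: it parses a page's HTML, collects external script sources and inline script bodies, and flags the ones matching miner indicators. The host names and the `CoinHive.Anonymous`/`CoinHive.User` calls are the ones historically used by the Coinhive library (an assumption, not taken from this post), and the sample page with its site key is constructed.

```python
"""Scan an HTML document for browser-based cryptominer indicators."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumption: Coinhive's historical host names and API calls plus a generic
# mining-pool URL pattern; extend both lists for other mining services.
MINER_HOSTS = {"coinhive.com", "coin-hive.com"}
INLINE_PATTERNS = [
    re.compile(r"CoinHive\.(Anonymous|User)\s*\("),
    re.compile(r"stratum\+tcp://", re.I),
]

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []  # inline script: start buffering its body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def scan_html(html):
    """Return a list of findings for one page; an empty list means clean."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for src in p.external:  # injected snippets often use '//host/...' URLs
        h = (urlparse(src if "://" in src else "https:" + src).hostname or "").lower()
        if h in MINER_HOSTS or any(h.endswith("." + m) for m in MINER_HOSTS):
            findings.append("external script from mining host: " + src)
    for body in p.inline:
        hit = next((pat.pattern for pat in INLINE_PATTERNS if pat.search(body)), None)
        if hit:
            findings.append("inline script matches " + hit)
    return findings

# Constructed sample page, not real site content; the site key is a placeholder.
INFECTED = """<html><head><script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); m.start();</script>
</head><body><p>Headlines</p></body></html>"""
```

Running `scan_html` over the HTML served by each page of a site (or over a saved copy of the source) gives two findings for the constructed sample and none for a page without miner code; obfuscated loaders will need indicators beyond these literal patterns.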