Bad actors secretly infected more than 4,000 websites with the script for a crypto-miner after hacking a single technology provider.

The trouble started on 11 February when Ian Thornton-Trump encountered something concerning while visiting the website for the UK Information Commissioner’s Office (ICO).

The LinkedIn-shortened URL leads to a post containing a screenshot of the researcher’s visit to the ICO website. Clearly visible at the top right-hand corner of the page is a security warning indicating the presence of a crypto-miner:

Source: Ian Thornton-Trump

Thornton-Trump didn’t believe what he was seeing at first. As he told The State of Security in a DM:

You need to know when you’re out of your depth. I knew a highly trusted page should not be throwing AV errors, so at first I thought it was me. I’ve seen Scott Helme present at numerous conferences, so I reached out to him. He confirmed I was seeing a malicious JavaScript that was attempting to load a cryptominer on the ICO’s website.

Helme, an information security consultant, got to work exploring what had caused the ICO’s website to load a crypto-miner. He quickly discovered that the offending script for CoinHive, a popular crypto-miner which Check Point named the “most wanted” malware in December 2017, was not hosted by the ICO. Instead (Read more...)
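A defender-side check that follows from this finding, as an added example that is not part of the original article: it scans a page’s HTML for script tags served from an origin other than the page’s own and reports which of them lack a Subresource Integrity attribute. The sample HTML, hostnames and hash value are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party script, one third-party script
# included twice (once without, once with an SRI hash) and one inline script.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-vendor.test/widget.js"></script>
<script src="https://cdn.example-vendor.test/widget.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDER" crossorigin="anonymous"></script>
<script>console.log("inline")</script>
</head></html>
"""


class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> start tag in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))


def audit_third_party_scripts(html, page_host):
    """Return (src, has_integrity) for each script loaded from another host."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script: not an external include
        host = urlparse(src).netloc  # empty for relative (first-party) paths
        if host and host != page_host:
            findings.append((src, "integrity" in attrs))
    return findings


def unpinned_third_party(html, page_host):
    """Only the cross-origin scripts that carry no SRI integrity attribute."""
    return [src for src, pinned in audit_third_party_scripts(html, page_host)
            if not pinned]


if __name__ == "__main__":
    for src in unpinned_third_party(SAMPLE_HTML, "www.example-site.test"):
        print("third-party script without SRI:", src)
```

An integrity attribute makes the browser refuse a script whose content no longer matches the recorded hash, so a file altered at the vendor fails to load instead of running; it only works for vendor scripts whose content is stable enough to pin.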