
How the Cryptojacking Hack Could Have Been Minimized
Last week, thousands of computers, including ones in the UK and US governments, were compromised by hackers exploiting a popular third-party site plugin (BrowseAloud).
The use of third-party, client-side (JavaScript) services is well established in the world of digital marketing and personalization. These services provide immense value to marketers, and it’s common to see a significant number of these services deployed across sites and applications.
However, the widespread adoption of these technologies gives third parties access to the visitor data on any site where they’ve been enabled, making them an attractive target for exploitation.
In the case of the recent BrowseAloud incident, the attackers took advantage of the significant visitor numbers BrowseAloud reaches to harness those visitors’ computing power to mine cryptocurrency - an act that inevitably led to performance degradation on the sites affected, compromising the user experience and having an adverse effect on revenue and engagement.
“More than 5,000 websites have been flooded by the malware. Software known as Coinhive, which quietly uses the processing power of a user’s device to mine open source cryptocurrency Monero, appears to have been injected into the compromised BrowseAloud plugin,” writes Patrick Greenfield for the Guardian.
How did this happen?
BrowseAloud, used to make websites accessible to people with dyslexia, low literacy, and mild visual impairments, is loaded through a JavaScript include that the website owner adds to their pages. In this case, that JavaScript file was compromised and a “cryptojacking” script was embedded within it, so any website that included the JavaScript became susceptible to infection.

As a result, visitors who accessed a compromised site with the JavaScript were forced (unknowingly) to mine cryptocurrency. Not only was the visitor’s computer exploited in a criminal fashion, but the user also experienced the symptoms often associated with this kind of exploit - very slow performance.
How could this have been prevented?
If the website owners had holistic visibility into the third-party technologies across their site, it’s possible this could have been avoided. But they’re not alone – the majority of organizations have limited insight into their own data collection, and even less so when it comes to the third-party services that they’ve given access to their audience.
To illustrate how complex the digital ecosystem is and why so many companies aren’t aware of their vulnerabilities, I ran a Trackermap of one page on the popular website, TechCrunch.com.
For those unaware, Trackermap crawls a page or website to provide a visual representation of all of the third-party calls found across a website. This includes items such as legacy implementations (e.g. an analytics vendor you thought you removed months ago) as well as redirects (calls made to other third-party services, often without your knowledge, but with direct access to your customer data).

In the case of TechCrunch, while they probably have full visibility into, and control over, the technologies that they directly implemented (the nodes coming from the purple “techcrunch.com” node), like Tinypass and Parsely, and their initial redirects (e.g. Advertising.com, AOL), TechCrunch might be unfamiliar with the vast number of other technologies that were brought onto their pages indirectly.
In this real-time scan of just one page of their site (imagine what you’d find sitewide), you can see that TechCrunch’s third-party partners bring an additional 40+ parties to the site, as well as an additional 40+ exposure risks.
Last week’s BrowseAloud hack should remind us all of the need for (1) ongoing monitoring of third parties, (2) visibility into all third-party site implementations and (3) a greater means of control. It’s vital that organizations take steps to monitor and control the exposure of their site visitors to unnecessary or unauthorized services.
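The monitoring described above, as an added example that is not part of the original post and not Trackermap’s code: a small Python inventory that lists the third-party scripts a page loads (and whether each carries a Subresource Integrity attribute, which makes the browser refuse a modified file) and flags a vendor file whose content has changed since the last crawl, which is the signal the modified BrowseAloud script would have produced. All host names, page markup and script bodies are constructed for the demo.

```python
# Added example (not from the post, not Trackermap's code): a minimal third-party
# script inventory with change detection between crawls. Host names and file
# contents below are constructed for the demo.
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # one dict per <script src=...> tag
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag.lower() == "script" and a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})

def inventory_scripts(html, page_url):
    """Third-party scripts a page loads, noting whether each carries an SRI
    integrity attribute (which makes the browser reject a modified file)."""
    # Naive registrable domain = last two labels; a real crawler would use the
    # public suffix list instead.
    site = ".".join(urlparse(page_url).hostname.split(".")[-2:])
    parser = _ScriptCollector()
    parser.feed(html)
    found = []
    for s in parser.scripts:
        host = urlparse(s["src"]).hostname  # None for relative, first-party paths
        if host is None or host == site or host.endswith("." + site):
            continue
        found.append({"host": host, "src": s["src"], "has_sri": s["integrity"] is not None})
    return found

def fingerprint(body):
    """SHA-256 of a fetched script body; record one per third-party src per crawl."""
    return hashlib.sha256(body).hexdigest()

def diff_fingerprints(baseline, current):
    """Compare {src: fingerprint} snapshots from two crawls. A 'changed' entry is
    the signal a silently modified vendor file (as with BrowseAloud) would give."""
    findings = [(src, "new") for src in current if src not in baseline]
    findings += [(src, "changed") for src, fp in current.items()
                 if src in baseline and baseline[src] != fp]
    return findings

SAMPLE_HTML = """<html><head><script src="/js/app.js"></script>
<script src="//cdn.accessibility-vendor.test/plus/scripts/ba.js"></script>
<script src="https://tag.analytics-vendor.test/tag.js" integrity="sha384-PLACEHOLDER"></script>
</head></html>"""
CLEAN = b"window.BA = {init: function () {}};"  # constructed sample script body
TAMPERED = CLEAN + b"\n/* constructed stand-in for appended, unauthorised code */"
```

Run `inventory_scripts(SAMPLE_HTML, "https://www.example-site.test/page")` to list the two third-party hosts, then compare `fingerprint(CLEAN)` against `fingerprint(TAMPERED)` with `diff_fingerprints` to see the change flagged.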
To see what third parties you may be unaware of that are lurking on a page of your website, test drive Trackermap for free by entering the URL of your choice.