How the Cryptojacking Hack Could Have Been Minimized
Last week, thousands of computers, including those of the UK and US governments, were compromised by hackers exploiting a popular third-party site plugin (BrowseAloud).
The widespread adoption of third-party plugins like this gives the vendors behind them access to the visitor data on every site where they have been enabled, which makes them an attractive target for exploitation: compromising one plugin compromises every site that loads it.
In the recent BrowseAloud incident, the attackers took advantage of the large number of visitors reaching BrowseAloud's script to harness those visitors' computing power to mine cryptocurrency, an act that inevitably degraded performance on the affected sites, compromised the user experience and had an adverse effect on revenue and engagement.
“More than 5,000 websites have been flooded by the malware. Software known as Coinhive, which quietly uses the processing power of a user’s device to mine open source cryptocurrency Monero, appears to have been injected into the compromised BrowseAloud plugin,” writes Patrick Greenfield for the Guardian.
How did this happen?
How could this have been prevented?
If the website owners had holistic visibility into the third-party technologies across their site, it’s possible this could have been avoided. But they’re not alone – the majority of organizations have limited insight into their own data collection, and even less so when it comes to the third-party services that they’ve given access to their audience.
To illustrate how complex the digital ecosystem is and why so many companies aren’t aware of their vulnerabilities, I ran a Trackermap of one page on the popular website, TechCrunch.com.
For those unaware, Trackermap crawls a page or website to provide a visual representation of all of the third-party calls found across a website. This includes items such as legacy implementations (e.g. an analytics vendor you thought you removed months ago) as well as redirects (calls made to other third-party services, often without your knowledge, but with direct access to your customer data).
In the case of TechCrunch, while they probably have full visibility into, and control over, the technologies that they directly implemented (the nodes coming from the purple “techcrunch.com” node), such as Tinypass and Parsely, and their initial redirects (e.g. Advertising.com, AOL), TechCrunch might be unfamiliar with the vast number of other technologies that were brought onto their pages indirectly.
In this real-time scan of just one page of their site (imagine what you’d find sitewide), you can see that TechCrunch’s third-party partners bring an additional 40+ parties to the site, as well as an additional 40+ exposure risks.
Last week’s BrowseAloud hack should remind us all of the need for (1) ongoing monitoring of third parties, (2) visibility into all third-party site implementations and (3) a greater means of control. It’s vital that organizations take steps to monitor and control the exposure of their site visitors to unnecessary or unauthorized services.
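As an added illustration of the monitoring-and-control point above (example code written for this post, not Trackermap or any vendor's tool), the script below parses a page, lists every third-party host it loads resources from, and flags any host not on the site owner's reviewed allowlist. The HTML, hostnames and allowlist are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (placeholder hostnames, not a real site): a
# first-party script, an approved accessibility plugin with its pixel,
# and an unreviewed host that arrived indirectly via a vendor.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://plugin.approved-vendor.example/ba.js"></script>
<script src="//cdn.unreviewed.example/extra.js"></script>
<img src="https://pixel.approved-vendor.example/p.gif">
</head></html>
"""

# Hosts the site owner has reviewed and authorised to load on the page.
ALLOWLIST = {"plugin.approved-vendor.example", "pixel.approved-vendor.example"}


class ResourceCollector(HTMLParser):
    """Collects the src/href targets of elements that fetch remote resources."""
    WATCHED = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.WATCHED.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                # urljoin resolves relative and protocol-relative (//host) URLs
                self.urls.append(urljoin(self.page_url, value))


def audit_third_parties(html, page_url, allowlist):
    """Return (sorted third-party hosts, hosts not on the allowlist)."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    first_party = urlsplit(page_url).hostname
    hosts = {urlsplit(u).hostname for u in collector.urls}
    third_party = sorted(h for h in hosts if h not in (None, first_party))
    unauthorised = [h for h in third_party if h not in allowlist]
    return third_party, unauthorised


if __name__ == "__main__":
    hosts, flagged = audit_third_parties(SAMPLE_HTML, "https://www.site.example/", ALLOWLIST)
    print("third-party hosts:", hosts)
    print("not on allowlist:", flagged)
```

A static parse only sees what is in the served HTML; resources that a plugin fetches at runtime (the redirects described above) need a browser-driven crawl or a Content Security Policy report to surface them.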
To see what third parties you may be unaware of that are lurking on a page of your website, test drive Trackermap for free by entering the URL of your choice.