Skip to content

How Hacked Widgets Help Criminals Mine Monero

Get trading recommendations and read the analysis on for only $ 39 a month.

The secret exploitation of cryptocurrency is becoming the new pillar of cybercrime. Scammers hijack servers, personal computers and mobile devices and take advantage of the CPU or GPU of infected hosts to generate virtual coins without victims being aware of them. Even botnets made up of many zombie machines are now being used to perpetrate illegal large-scale mining activities rather than spreading spam or hitting online services with DDoS attacks.

This malicious money vector has benefited from the emergence of data mining scripts in the browser, such as Coinhive. The following incidents that occurred recently illustrate how serious this problem is becoming and how web site widgets are playing in the hands of threat actors.

The hacking of the BrowseAloud widget affects thousands of sites

A massive wave of cryptojacking took root on February 11, 2018, exploiting a popular widget called BrowseAloud. The criminals have been able to inject a surreptitious Monero minor into more than 4,200 Internet resources, including prominent sites such as the UK, US and Australian government websites. As a result of this compromise, the malicious script exploited the machine processing power of visitors to extract cryptocurrency behind the scenes.

For the record, BrowseAloud is a tool of Texthelp Ltd. designed to improve the accessibility of the website for a wider audience through pronunciation, reading and translation features. By adding this widget to sites, webmasters ensure that people with dyslexia, visual disturbances and poor English skills can participate and use their services to the fullest. In addition, the software helps site owners to comply with various legal obligations, so it is no wonder that it is widely used around the world and that it has become the target of pirates.

According to security analysts' findings, the crooks managed to compromise the JavaScript component of the BrowseAloud utility and thus incorporate a hidden mining code from Coinhive into many websites using this widget. Some of the notable victims include,,,, and The total number of sites hosting the wrong script was 4,275.

See also  The Central Bank of Russia will host a pilot project of the ICO on its regulatory platform

By the way, the Texthelp seller's official website also had the minor on the site. When the compromise was unveiled, the company temporarily disconnected the widget to prevent further damage to customers. By February 15, the offense would have been processed and the service was operational as usual.

The cryptojacking script has been configured to consume the CPU of visiting computers at 40%, probably so as not to trigger many red flags. The coinhive wallet address of the attackers is known, but unlike Bitcoin, the service does not allow to see how much Monero holds his portfolios. As a result, the amount of cryptocurrency exploited by the group behind the BrowseAloud hack remains a mystery.

LiveHelpNow widget operated for exploration in the browser

Another cryptojacking campaign involving a site widget started on Thanksgiving last year. In search of easy payoff, threat actors have injected Coinhive's miner into one of the JavaScript modules of LiveHelpNow, a popular online chat widget. This widget is widely used by various e-commerce resources, including retail stores like Everlast and Crucial.

The stars are aligned for authors especially because of the upcoming Black Friday and Cyber ​​Monday, when many users go to online stores looking for the best buys and other offers. In addition, it is unlikely that administrators will closely monitor their sites for malicious activity of this kind during the holiday season.

The Coinhive script hidden in a Trojan horse copy of the LiveHelpNow widget will cause a spike in CPU usage by visiting computers and will remain at 100% during the Internet session. Interestingly, the miner was set to run randomly, meaning that all users who visited the compromised sites did not immediately join the secret mining rush. In some cases, a page refresh was required to launch the unauthorized script. The reason for this selective approach is, without doubt, not to draw too much attention to the ongoing cryptojacking wave.

See also  Chargebee raises $ 18 million to help businesses manage subscriptions

According to the PublicWWW source code search engine, the toxic script "lhnhelpouttab-current.min.js & # 39; operated on over 1,400 websites when this campaign took hold. There is little information available on the source of the violation. This void of evidence has spawned speculation that hacking is an internal job done by one of LiveHelpNow's employees. In one way or another, it was a well orchestrated compromise that had to bring to the scammers a good dose of Monero.

How to stay on the right side

This is a non trivial issue. Cryptojacking is surreptitious by nature, so the only way for end users to spot this type of attack is to monitor their CPU usage – if it is constantly skyrocketing, it's a red flag. With regard to defenses, here are some tips that work proactively:

  • Install a browser extension that automatically blocks all known JavaScript minors. Some popular additions worth their salt include MinerBlock and No Coin.
  • Most adblockers can stop minors in the browser. But hackers use every possible means to get around adblockers.
  • Use a reliable Internet security suite with an on-board anti-cryptojacking feature.
  • It is recommended to use a reliable VPN service when connecting to unknown networks as scammers often go hand in hand with keyloggers and other malware.
  • Keep your operating system up-to-date to ensure that known vulnerabilities are fixed and that cybercriminals can not exploit them to inject a minor insensitively.

Webmasters should consider adopting the following combination of techniques to ensure that their sites do not serve cryptojacking scripts beyond their consciousness:

  • SRI (Subresource Integrity) is a security mechanism that verifies that the content loaded on the sites has not been modified by a third party. Here is how it works. A website owner specifies a hash for a particular script. If this hash and the one provided by the corresponding content delivery network do not match, the SRI feature automatically rejects the unauthorized script.
  • CSP (Content Security Policy) is a security standard that requires all Web site scripts to be assigned an SRI hash. The merger of SRI and CSP prevents compromised widgets from running on a website and thus stops unauthorized crypto-extraction in its tracks.
See also  Kazakhstan could ban cryptocurrence involving money-laundering problems


There is nothing illegal in crypto-mining as such. It becomes a crime, however, when someone uses the computers of others to extract digital parts without their knowledge and without their consent. Browsing in the browser is a good way for website owners to monetize their traffic, but it is also an attraction for criminals. As shown by the BrowseAloud and LiveHelpNow incidents, site widgets are easy-to-exploit fruits that can be exploited for large-scale encryption purposes.

The author, David Balaban, is a researcher in computer security with more than 15 years of experience in the analysis of malicious software and l 39; evaluation of antivirus software.

Follow us on Telegram.