Text-to-speech service spreads cryptomining code far and wide


An accessibility service provided by Texthelp Limited has been breached by attackers unknown in a move which has seen cryptocurrency mining scripts planted on websites across the world – including, embarrassingly, the Information Commissioner’s Office (ICO).

First publicised by security researcher Scott Helme via Twitter, the attack spread itself to government and other high-profile sites globally over the weekend through a single point of failure: a text-to-speech service dubbed Browse Aloud from Texthelp Limited. Rather than attacking each individual site in turn, the persons responsible for the breach attacked Texthelp’s service and implanted malicious JavaScript designed to siphon off a percentage of visitors’ CPU power for the purposes of solving the cryptographic challenges required to ‘mine’ cryptocurrencies, minting the attacker valuable though virtual stores of value which can be traded for real-world cash.

An analysis of the attack from security firm Sophos’ Paul Ducklin suggests that this was the full extent of the attack’s impact with no other code that could have compromised visitors’ systems, installed malicious software, or stolen personal information having been discovered. Texthelp itself, though, has been silent on the attack, taking down the Browse Aloud server – and thus immediately removing the JavaScript mining code from the affected sites, though also disabling the text-to-speech functionality – but not yet issuing a statement on the matter.

‘So far as we can see, simply shutting down your browser is enough to kill off any cryptomining scripts that may have been left behind by this attack,’ explains Ducklin of the method by which users can ensure their systems are no longer chewing through electricity to line some ne’er-do-well’s pocket. ‘If you run a website that uses the services of browsealoud DOT com we recommend that you stop your own pages from even trying to load content from that site (no matter that it is offline) until you receive a credible explanation and an all-clear from Texthelp.’
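For site operators acting on that recommendation, the following is an added example (not code from the article, Sophos or Texthelp) that audits a page's HTML for any element still loading content from the host named above. The sample page, its paths and the helper names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Host named in the article (written there as "browsealoud DOT com").
BLOCKED_HOST = "browsealoud.com"

# Tag -> attribute that makes a browser fetch a remote resource.
URL_ATTRS = {"script": "src", "link": "href", "iframe": "src", "img": "src"}


def host_matches(url, blocked=BLOCKED_HOST):
    """True if url points at the blocked host or one of its subdomains."""
    # Protocol-relative URLs ("//host/path") need a scheme to yield a hostname.
    if url.startswith("//"):
        url = "https:" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Require a dot boundary so lookalike hosts are not flagged as subdomains.
    return host == blocked or host.endswith("." + blocked)


class LoadFinder(HTMLParser):
    """Collects (line, tag, url) for each element loading from the blocked host."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url and host_matches(url.strip()):
            self.hits.append((self.getpos()[0], tag, url.strip()))


def find_loads(html):
    """Return every reference to the blocked host found in an HTML document."""
    finder = LoadFinder()
    finder.feed(html)
    return finder.hits


# Constructed sample page; the paths and other hosts are invented.
SAMPLE = """<html><head>
<script src="//www.browsealoud.com/constructed/reader.js"></script>
<script src="https://notbrowsealoud.com/lookalike.js"></script>
<link rel="stylesheet" href="https://cdn.example.org/site.css">
</head><body><script src="/local/app.js"></script></body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_loads(SAMPLE):
        print(f"line {line}: <{tag}> loads {url}")
```

Run over templates and rendered pages alike, since a third-party script tag is often injected by a shared header or plugin rather than written into each page.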
