The scourge of drive-by currency mining—in which websites and apps covertly run resource-draining code on other people’s devices—shows no sign of abating. Over the weekend, researchers added two more incidents: one involves more than 4,200 sites (some operated by government agencies), while the other targets millions of Android devices.
The first incident affected sites that offer a free text-to-speech translation service called Browsealoud. On Sunday, someone changed the JavaScript code that Browsealoud serves to subscribing sites so that it included currency-mining code from Coinhive, a controversial site that uses the devices of site visitors, usually without their permission, to generate a digital coin known as Monero.
In the process, any site that included a link to the Browsealoud JavaScript suddenly saddled its visitors with code that used 60 percent of each visitor's CPU resources, with no attempt to warn end users or get their permission (by default, Coinhive code uses 100 percent). Search results show that the breach affected 4,275 sites, including those operated by the UK government’s Information Commissioner’s Office, US federal courts, and the state of Indiana. The CTO of Texthelp, the company that offers Browsealoud, issued a statement saying it suspended the service until Tuesday. The move put an end to the illicit mass mining, which lasted about four hours. At no time was customer data accessed or lost, the statement said.