More than 4,000 websites may have fallen victim to crypto-jacking — when computers are secretly made to mine cryptocurrency.
UK security researcher Scott Helme discovered the malicious software on Sunday, which he said was “definitely mining”.
The compromised website plug-in responsible has now been taken offline.
Locally, websites that appear to have been affected include the Queensland Government’s legislation website, the Queensland Civil and Administrative Tribunal and the Victorian Parliament.
In the UK, websites run by the National Health System, the UK’s Student Loans Company and the Northern Powergrid were also impacted.
Mr Helme found the malicious script and traced it back to its source: a website plug-in called Browsealoud, which helps people with low vision, dyslexia and low literacy access the internet.
The hack added a Coinhive program to the affected websites, which uses computer power to mine the Monero cryptocurrency when the browser window is loaded.
Mr Helme’s analysis suggests the software was online for about four hours before the company that owns the plug-in, Texthelp, acted.
In a statement, Martin McKay, Texthelp’s chief technology officer, said the compromise was a criminal act and was being investigated.
The situation could have been much worse
Mr Helme said using the same technique, malicious actors could have injected a range of malware into the websites.
For example, they could have installed a keylogger that tracks people entering usernames and passwords, a malicious software update or a virus.
“At this point, the attacker is limited by their imagination,” he said.
Australian cybersecurity researcher Troy Hunt (who runs online security workshops with Mr Helme) suggested Australia may have “gotten off lightly” thanks to the country’s time zone. Most Australians would have been asleep while the compromised plug-in was operational.
“There was an awful lot more [the hacker] could have done,” Mr Hunt said.
For the moment, it is not clear how the perpetrators altered the plug-in.
Texthelp is yet to disclose whether an employee’s credentials were stolen, whether the company’s web host was compromised, or whether some other means was used.
Although responsibility ultimately lies with Texthelp, Mr Helme suggested government websites should be held to a higher security standard if they use third-party services, such as Browsealoud.
Many websites use outside providers for everything from fonts to accessibility tools, which provide an additional gateway for bad actors.
Mr Hunt agreed the incident was a wakeup call.
There are ways of mitigating the risk. For example, he suggested, running a script only if its contents match what the website expects, or loading scripts only from approved locations.
“In fairness, [the affected websites] are not out of step with the industry,” Mr Hunt said. “Websites in general have to get more serious about what they will trust to run.”
The UK National Cyber Security Centre said it was investigating the incident:
The Queensland Civil and Administrative Tribunal said it has disabled the Browsealoud plug-in on its website.
The Queensland Government, the Victorian Parliament and the Australian Cyber Security Centre have been contacted for comment.