A slew of government websites, including the site run by the United States federal court system, were among the thousands pulled into a cryptomining scheme via a third-party browser plugin.
Scott Helme, a security researcher based in the United Kingdom, found malicious code planted on websites through Browsealoud, an accessibility plugin that reads websites for people with vision problems. Since the plugin is added to a site’s source code, any site running the plugin was co-opted into running Coinhive in order to mine Monero.
Coinhive is one of the most popular pieces of malware currently online.
Among those affected are health care sites in the U.K., university sites in Sweden and makeup retail sites based in Brazil. In the U.S., uscourts.gov, Indiana’s state website and wmata.com, the website for the Washington Metro Area Transit Authority, had the malicious code.
A spokesperson for the Administrative Office of U.S. Courts did not return a request of comment. A spokesperson for WMATA was unavailable.
After being alerted to the scheme, Browsealoud parent company TextHelp removed the plugin for further investigation.
“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline,” said Martin McKay, the company’s CTO and data security officer. “This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action.”
The company says the code was only active for a period of four hours on Sunday.
Browsealoud will be kept offline until Tuesday in order to fully address the problem.
A partial list of websites can be found here.