Council websites hijacked by cryptocurrency miners

A NUMBER of official government websites, including some operated by councils, were used to covertly mine a cryptocurrency earlier this month.

A vulnerability in a third-party browser plug-in called Browsealoud (which converts text to audio for visually impaired web users) enabled hackers to install malware allowing them to hijack the user’s computer and use its processing power to mine the cryptocurrency Monero.

The City Councils of Casey (in Victoria), Bayswater (WA), and Unley (SA) were among those authorities whose websites were hijacked.

Web security consultant and researcher Scott Helme, who discovered the malware, said the government website operators should have been more vigilant.

“When you load software like this from a third party, that third party can change it and make it do whatever they want,” he said. “There are easy ways to make sure they don’t do that.

“We don’t know how Texthelp [the makers of the Browsealoud plug-in] were compromised yet, so it is hard to say whether they were really unlucky or there was some kind of inherent problem with what they were doing.

“But there were ways the government sites could have protected themselves from this. It may have been difficult for a small website, but I would have thought on a government website that we should have expected these defence mechanisms to be in place.”