March 25th, 2018, malicious hackers compromised AOL’s advertising platform and modified its script to mine Monero cryptocurrency. The information security training researchers at Trend Mirco also found MSN’s web portal’s Japanese domain was also infected by a similar script to mine Monero coins from the computing power of site’s visitors.
As per analysis, the compromised ads were found creating a large number of web miners. What is noteworthy is that in the case of MSN, its homepage was infected with the mining script which happens to be the default page of Microsoft’s browser and the page that Outlook (Hotmail and Live) users are redirected to once they log out from their account.
Moreover, analysts identified 500 other websites infected with the same CoinHive cryptocurrency mining script used on AOL advertising platform.
Upon further analysis, information security training researchers discovered that hackers were running their campaign by hosting malicious content on unsecured Amazon Web Service (AWS) S3 buckets left open for public access apparently by their administrators.
Unsecured AWS buckets have been creating problems for the last couple of years, however, when it comes to cryptocurrency mining Tesla cloud server and LA Times’ website had their AWS buckets compromised to mine Monero cryptocurrency.
As for web miners on AOL and MSN, the Trend Micro information security training professionals believe that a significant number is users may have been impacted. However, the good news is that AOL was notified about the incident whose team was quick to remove the malicious script by March 27th, 2018.
We notified the AOL team about our findings. AOL removed the injected miner and resolved the issue by March 27.
“Organizations should secure and always properly configure their servers to prevent these types of threats. To further protect themselves, they should choose the right cloud security solution based on their specific needs,” concluded the information security training experts.
There are several ways of blocking cryptocurrency minors from using your browser and CPU power including minerBlock and No Coin extensions on Chrome web store developed for the sole purpose of blocking cryptocurrency mining and cryptojacking. Both extensions are open source and open to the public, users can check out the source code on Github.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.