UPDATED 20:50 EST / NOVEMBER 19 2018

SECURITY

Make-A-Wish website cryptojacked with increasingly popular CoinImp script

Proving that some hackers have no morals whatsoever, the website of the Make-A-Wish Foundation has been “cryptojacked” to install the increasingly popular cryptomining script.

Discovered by Simon Kenin, a security researcher at Trustwave SpiderLabs, and publicized today, the hack involved unknown hackers accessing the Make-A-Wish website through a Drupal vulnerability dubbed Drupalgeddon 2.

A Drupalgeddon 2 attack takes advantage of Drupal installations that have not patched CVE-2018-7600 and CVE-2018-7602, two vulnerabilities that were first targeted by cryptomining hackers in May.

Although the attack was notable for its target, prompting The Register to ask, “Do they accept Monero in hell?” the more interesting part of the attack was the deployment of an increasingly popular form of cryptomining script.

Called CoinImp, the coin mining script first became available in December and works in a similar fashion to market leader Coinhive. Users insert javascript code on a website and visitors to the site have their computer hijacked to mine for the Monero or another cryptocurrency called webchain.network while they are visiting.

CoinImp takes a 1 percent fee on mined cryptocurrency and also offers a referral program that allows script users to sign up others to get a percentage of what their referrals mine.

“What’s interesting about this particular campaign is that it uses different techniques to avoid static detections,” Kenin wrote. “It starts with changing the domain name that hosts the JavaScript miner, which is itself obfuscated…. The WebSocket proxy also uses different domains and IPs which make blacklist solutions obsolete.”

The ability for the script to be obfuscated by traditional blacklist solutions, such as antivirus software and similar products, may result in more attacks using the script occurring.

“The CoinIMP cryptominer is growing rapidly in popularity and the combination of a well-trafficked charity site paired with the season of giving made this the perfect target for a large-scale cyberattack,” a spokesperson for Trustwave told SiliconANGLE.

Kenin noted that enterprises and other website owners should deploy endpoint protection capable of detecting cryptominers, monitor changes to their website and audit those changes to make sure they were authorized and always make sure that their website software is up-to-date with patches.

Image: CoinImp

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU