The official ICO logo.

The United States Courts Cryptojacking Attack

For a period of time in 2018, the website of the United States Courts, along with the websites of several other Government Agencies, were loading infected JavaScript from a 3rd-party supplier. The JavaScript had been infected with a Cryptocurrency Miner that would run in the browsers of visitors to those sites, an attack known as Cryptojacking.

The 3rd-party supplier, TextHelp, were compromised and their JavaScript file was modified, but over 5,000 sites, including that of the US Courts, continued to load it. There was no visual impact as a result of the breach, which is why it went unnoticed for so long, but there are reliable ways to detect and prevent incidents like this from happening.

The Fundamentals of a Cryptohacking Attack

For a Cryptojacking Attack to succeed, an attacker needs to do only the following:

  • Inject the Cryptocurrency Miner into the page, or a dependency of the page.
  • Send the Cryptocurrency to their wallet as your visitors mine it for them.

An attacker will want to place the Cryptocurrency Miner on as many pages of your site as possible, and have it go undetected for as long as possible, to give them the opportunity to steal as much Cryptocurrency as possible. Whilst any visitor is on your site, their device will be used to mine Cryptocurrency and send it to the attackers.

Managing JavaScript Dependencies

Using a Content Security Policy, organisations can take strict control of what JavaScript dependencies are expected and permitted to load across their site and with Script Watch, you can even monitor those dependencies on an ongoing basis and be notified about any changes. When TextHelp was compromised and began loading the additional dependencies for Cryptocurreny Mining, site operators would have been notified about the change in their JavaScript Dependencies.

Alongside a Content Security Policy, the use of Subresource Integrity allows a site operator to ensure that any JavaScript permitted to load has not been tampered with and remains free of malicious code. Report URI always recommends the use of SRI on any 3rd-party JavaScript, in addition to our detection capabilities for Cryptojacking Attacks.

for 2018 we found that Cryptojacking had a 35 percent share of all web threats

- Webroot

Monitoring Data Exfiltration

Once the Cryptocurrency has been mined in the browsers of your visitors, it needs to be sent off to the attackers and this is another opportunity to spot that an attack is taking place, by detecting this new communication.

Content Security Policy allows you to take full control of where your site can send data, and, using Data Watch, you can be notified if your pages start sending data to a new location.

No money was taken from users themselves, but the mining code performed computationally intensive operations that were used to earn the cryptocurrency.

- UK NCSC (Malicious software used to illegally mine cryptocurrency)

How we can help

You don't need to spend time developing and maturing a Content Security Policy to work perfectly on your site in order to leverage our tooling. To use products like Script Watch or Data Watch, you can get started with auditing your JavaScript Dependencies and Data Exfiltration Endpoints with a single line of code or config.

Once that single line of code or config is deployed, we can establish a baseline for your site and then our Script Watch and Data Watch products will monitor and alert you to any changes on your site for you to investigate immediately. Often, one of the most damaging aspects of a Magecart attack is that they can go undetected for days, weeks or even months, increasing the scale of the Data Breach as they go.

In addition to this, we have a selection of features and tools detailed below that will help you get started with CSP and work through to enforcing a policy across your whole site, but please reach out to if you need more information.

Off-loading the hardware outlay and operational expenses of dedicated cryptomining machines on to others offers potential profit without overheads

- Queen's University Belfast (You Could Be Mine(d): The Rise of Cryptojacking)

Script Watch

Script Watch will monitor all JavaScript dependencies across your entire site and immediately notify you of any changes. A new JavaScript dependency could be the start of a Magecart attack.

Because Script Watch leverages the browser native Content Security Policy, there is no code or agent to deploy and running in the browser means we analyse your site in real-time as your users are browsing. We don't have the same limitations as external scanning services such as authentication or pay walls, geo-sensitive content or an attacker potentially serving safe content to the crawler.

Read More

Data Watch

Data Watch will monitor all of the locations that your webpages are sending data to. If your website starts sending data to a new location, it could be the start of a Magecart attack.

With Script Watch and Data Watch combined, you can monitor for clear indicators that your site has been compromised. Attackers will always want to inject their hostile JavaScript, and they'll always want to exfiltrate their stolen data.

Read More

The CSP Wizard

We often find that creating a CSP is the first difficult step that organisations face. Having a complete list of all resource dependencies across your entire site like images, scripts or styles, from both 1st-party and 3rd-party locations, is tough to achieve.

The CSP Wizard was created to solve this problem, and in seven days or less, it can you give a complete list of all resources used across your entire site.

With the list of all resources you use on your site, and our easy to use tool, creating a viable Content Security Policy is easier than ever with just a few clicks.


The CSP Builder

All Content Security Policies will need to be tweaked at some point. New resources may be added to the site or old resources removed, and the policy needs to be updated to reflect those changes and kept up to date.

You can import your existing policy into the CSP Builder and use our fully featured tool to make any changes that you require right there in the UI. When you're done, hit Generate, and the CSP Builder will provide you with your new, updated policy.

CSP Builder

Content Security Policy

Script Watch and Data Watch will allow you to rapidly detect and respond to a Magecart attack and combined, that capability puts you ahead of the field. If you want to take it a step further, Content Security Policy can mitigate a Magecart attack and stop it from even happening.

Deploying an effective Content Security Policy can be difficult, but our CSP Reporting allows you to gather feedback and safely test a policy before deployment. Once deployed, an effective Content Security Policy will block a Magecart attack and stop the hostile JavaScript from even running.

Read More

Threat Intelligence

We subscribe to various feeds of Threat Intelligence data, along with managing our own internally generated feeds, to keep apprised of the latest threats that exist online.

Using this Threat Intelligence Data, we can better analyse the sources of JavaScript on your website and detect malicious activity sooner.

Read More