Attackers are Humans Too - On Stealing $24
Browsealoud is a service used by websites wishing to offer automatic text-to-speech services to their readers. Text-to-speech reads the contents of a website back to visitors and can be very useful to the vision impaired. Due to this specific target market, Browsealoud is popular with governmental websites. Indeed, around 5,000 websites including US, UK, Canadian and Indian government websites seem to have been affected by the attack.
Normally, attackers would leverage this kind of access to expose visitors to these websites to malware which can then be used to steal important information or execute ransomware attacks. The infrastructure for doing so is highly developed with every part of the toolchain from infection to management to ransomware payment processing available as turnkey services on the darkweb. This level of service availability makes the effective monetization of successful attacks trivial even for inexperienced attackers.
In this case however the attackers opted to deploy code that would mine Monero - a cryptocurrency that is extremely hard to trace. While browser mining is used by some websites instead of ads and can be profitable at very large scales (i.e. millions of visitors over months), it is a decidedly poor choice for attack monetization.
Once the mining code was injected it only took hours for the attack to be discovered and mitigated. According to Coinhive (the in browser miner used), the attackers mined roughly $24 worth of Monero before they were shut down.
Attackers are humans too
Using traditional monetization strategies, the attackers could likely have generated tens or hundreds of thousands of dollars from the hack. Instead they made $24. While the exact reason behind this miscalculation is unclear, two elements likely plaid a part:
It is likely that the attackers were not experienced in illegal activities. Many successful hacks are performed by so-called Script Kiddies - individuals with very little information security knowledge that rely on tools to perform the attacks for them. While Script Kiddies lack the technical skill to perform sophisticated attacks, there are very many of them. When a Script Kiddie succeeds in an attack, the situation is often similar to the proverbial dog having caught the car. With no monetization and anonymization strategy in place, the attackers panic and often fall back on simple defacements or easy to track scams.
Cryptocurrencies are a hot topic and commodity at this point in time. An inexperienced attacker is likely to have a shaky understanding of how these currencies work. This shakey understanding would include phrasing such as “hard to trace” and “can be mined”. Installing a browser-based miner to mine a cryptocurrency known for its anonymity thus seems like a valid monetization strategy on the surface. The fact that browser mining is extremely inefficient and that the attack will be shut down within hours are variables likely to escape inexperienced attackers.
The Browsealoud hack is a good example of likely inexperienced attackers catching the proverbial car and performing extremely poorly when it comes to converting their newly gained access to actual gain.
While this attack may seem strange, the majority of attacks against low- and mid-level targets are performed by just such automated tools run by inexperienced attackers.
Incident response plans created by large organizations and information security providers usually work on the assumption of an attacker behaving rationally and having strategies in place to monetize an attack perfectly. While this is certainly true for high-level attacks against high-level targets, it is worth keeping in mind that many other attacks are performed by amateurs who will - for better or worse - behave irrationally.