Make A Wish Foundation Website Infected with CoinImp Crypto Mining Malware
The Make A Wish Foundation made one hacker’s wish come true this past week when it allowed its official website to be infected with the CoinImp crypto mining malware.
As revealed in a report from Trustwave, the Make a Wish Foundation’s official website, https://worldwish.org/, was recently discovered to be infected with the CoinImp crypto mining malware during a routine scan.
WorldWish.org is the official website of the Make A Wish Foundation, the international organization that grants wishes to children with serious illnesses and other conditions.
Trustwave’s elite SpiderLabs division spotted the crypto mining malware during a scan. Trustwave describes its SpiderLabs team as “an elite team of ethical hackers, forensic investigators and researchers helping organizations fight cybercrime, protect data and reduce risk.”
During the scan, security researchers found that the Make A Wish Foundation’s official website had been cryptojacked. The site was embedded with a script that stole the computing power of website visitors, then used that computing power to mine cryptocurrencies.
The cryptocurrencies were presumably funneled to crypto wallets of hackers around the world, creating enormous profits.
It’s unclear how long the malware was in place. We also don’t know the value of the cryptocurrencies mined during the attack. On a high-traffic website like the Make a Wish Foundation’s, even a few days’ worth of traffic could generate thousands of dollars in crypto profits.
Hackers Used Various Techniques to Avoid Detection
Hackers used a number of techniques to avoid detection of their cryptojacking attack.
Meanwhile, the hackers also adjusted the WebSocket proxy to use different domains and IPs, thereby making blacklist solutions obsolete.
Nevertheless, Trustwave’s SWG detection system, which uses dynamic web analysis to detect threats, still managed to detect the infection despite the hackers’ best attempts. The SpiderLabs team identified the threat and alerted the Make A Wish Foundation shortly thereafter.
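Why rotating the proxy host defeats a host blocklist while a check on what the script does still fires, as an added example that is not from the article or from Trustwave's tooling. It uses a simplified static content check standing in for the dynamic analysis mentioned above; the host names, sample pages, trait patterns and threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser
# Constructed blocklist: the one proxy host the defender already knows.
BLOCKLIST = {"ws.miner-cdn.example"}
# Assumed content traits of an in-browser miner (not Trustwave's rules).
TRAITS = {
    "websocket": re.compile(r"new\s+WebSocket\s*\(\s*['\"]wss?://"),
    "wasm": re.compile(r"WebAssembly\.(instantiate|compile)"),
    "workers": re.compile(r"new\s+Worker\s*\("),
    "all_cores": re.compile(r"navigator\.hardwareConcurrency"),
}

class InlineScripts(HTMLParser):
    """Collects the text of <script> elements, ignoring visible page text."""
    def __init__(self):
        super().__init__()
        self.code, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.code.append(data)

def blocklist_hit(page):
    """Domain check: true only if a URL host in the page is on the list."""
    hosts = set(re.findall(r"(?:https?|wss?)://([^/'\"\s:]+)", page))
    return bool(hosts & BLOCKLIST)

def behaviour_traits(page):
    """Content check: which miner traits appear in the page's scripts."""
    parser = InlineScripts()
    parser.feed(page)
    code = "".join(parser.code)
    return sorted(name for name, rx in TRAITS.items() if rx.search(code))

def looks_like_miner(page, threshold=3):
    return len(behaviour_traits(page)) >= threshold

# Constructed sample pages: same loader, two proxy hosts, plus a benign chat page.
LOADER = """<script>
var ws = new WebSocket("wss://%s/proxy");
WebAssembly.instantiate(bytes).then(function () {
  for (var i = 0; i < navigator.hardwareConcurrency; i++) new Worker("w.js");
});
</script>"""
PAGE_KNOWN = LOADER % "ws.miner-cdn.example"
PAGE_ROTATED = LOADER % "ws7.other-host.example"
PAGE_CHAT = '<script>var s = new WebSocket("wss://chat.example/live");</script>'
```

A match only says that mining-style code is present on the page; it does not say who put it there.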
Detecting Cryptojacking Attacks is Difficult
Detecting cryptojacking attacks isn’t easy – even using advanced web analysis tools like the one created by Trustwave.
Part of the problem is that some smaller websites legitimately use crypto-mining systems as a form of income. Instead of advertising, for example, smaller websites might use crypto-mining systems to generate revenue. Website visitors contribute processing power to the website, and the website uses that processing power to profitably mine crypto.
Legitimate crypto-mining code is difficult to distinguish from malicious mining code. In fact, some smaller websites use identical code.
The Make a Wish Foundation Has Removed the Code from Its Website
Trustwave reportedly reached out to the Make A Wish Foundation with the results of its scan.
The organization did not respond, although the crypto-mining malware has since been removed from the official website.
Did a Make A Wish Foundation employee install the crypto-mining malware intentionally? Or was this an attack by a malicious third party? Until further information appears, it’s impossible to say.
Countless websites have been cryptojacked over the last year. Hacking a charity organization’s website in the months before Christmas, however, seems particularly nefarious. Fortunately, as with other cryptojacking attacks, it’s a largely victimless crime: website visitors around the world have had their computing power stolen, but nobody really lost money. Stay tuned for more information as the Make A Wish Foundation cryptojacking attack story continues to unfold.