The Make a Wish Foundation’s official website fell victim to a hacking operation this past week. The hacker embedded CoinImp crypto mining software into the foundation’s official website, https://worldwish.org/.
The information regarding the hack was revealed earlier today (Nov. 19th 2018) in an official blog post by Simon Kenin on the official Trustwave website. Trustwave’s Elite SpiderLabs Division noticed something a bit fishy during a routine scan earlier this week.
While malware hits during routine scans are nothing Kenin sees as out of the ordinary, what caught his eye was that one CoinImp detection came from a ‘.org’ domain. Kenin states that seeing an infected .org or .gov domain is not unheard of, but this particular domain grabbed his attention.
As stated earlier, WorldWish.org is the official website for The Make a Wish Foundation. The Make a Wish Foundation is an international charity organization that grants the wishes of terminally or seriously ill children.
After detecting the infected domain, Kenin checked the address to ensure that it wasn’t a mirror or clone of the site. Further investigation found that the site was indeed the real thing and that CoinImp crypto mining malware was active on it.
The site had been compromised and the malicious code embedded into its pages. The malware uses the computing power of the site’s visitors to mine cryptocurrency, which is then sent to the cybercriminals’ wallets.
Kenin states “It’s a shame when criminals target anyone but targeting a charity just before the holiday season? That’s low.”
The criminals attempted to shield their operation from detection by hosting their mining script on the domain “drupalupdates.tk”. Kenin goes on to say…
Trustwave was able to detect the infection and alert the Make a Wish Foundation quickly because of its dynamic analysis capabilities. Kenin states that the Make a Wish Foundation has been notified of the CoinImp malware embedded in its site, but the foundation has yet to say what it has done to take care of the problem.
It is currently still unclear how long the malware had been embedded on https://worldwish.org/ and how much crypto was mined during that time. What can be concluded is that the hackers could easily have mined a couple thousand dollars’ worth of crypto over a short period, given the high volume of traffic the site receives.
What’s up with crypto mining malware?
It’s important to note that detecting crypto mining malware can be hard even for state-of-the-art web analysis tools such as Trustwave’s. What makes it so hard is that some smaller websites genuinely run crypto mining software on their pages to generate extra income. Kenin explains as follows.
“The Cryptojacking phenomenon is so widely spread that it is sometimes hard to tell whether a website is infected with malware or the mining code was genuinely added by the site owner. This is especially true of smaller sites, who might use cryptomining in a legitimate source of income but whose ability to secure their website might also be limited putting them at risk of cryptojacking compromise.”
What makes it even harder for web analysts to detect malicious crypto mining software is that attackers and legitimate site owners sometimes use identical code. The code alone therefore does not settle the question; analysts often have to conduct individual investigations to determine what’s malicious and what’s not.
Though it’s a terrible thing that the crypto mining hacker targeted a charity, the positive side is that there are no victims. While the malware does benefit the hacker financially, he or she did not steal that money directly from any person or charity. Malicious crypto mining is a victimless crime. Still, who is so heartless as to target a charity, especially during the holiday season?