Government websites in the USA and the United Kingdom were used to secretly mine cryptocurrency.
The security consultant was made aware of the scheme after another security expert, Ian Thornton-Trump, pointed out that the ICO's website had a cryptominer installed within the domain's coding. After digging for more information, he found that every webpage on the website was compromised by a Coinhive script loaded from a third-party library, not by some code hosted by ICO themselves.
The good news is the attack took place on Sunday morning and Texthelp has been quick to recognise the issue and take its service temporarily offline to fix it.
The cryptocurrency involved was Monero - a rival to bitcoin that is created to make transactions in it "untraceable" for senders and recipients. Embedded in all of the affected sites, TextHelp's BrowseAloud software offers accessibility services to those with visual or literacy impairments who are browsing the web.
Met Office issue Derbyshire yellow warning of ice and snow for Sunday
Rain and hill snow is expected to arrive tonight, turning increasingly to snow at lower levels. Highest temperatures of 4 to 7 degrees.
According to the Register, the tainted version of Browsealoud caused inserted software for mining the digital currency Monero to run on computers that visited infected sites, generating money for the hackers behind the attack, The Register said. If a hacker wants to infect four thousand websites it's likely to be a lot less effort tamper with one third-party script which is used by four thousand websites than compromise each website one-by-one.
Browsealoud is used on a huge number of websites, according to search engine PublicWWW, including manchester.gov.uk, newham.gov.uk, york.gov.uk, croydon.gov.uk and at least 32 other websites on the '.gov.uk' domain.
Websites affected included the Student Loans Company, Barnsley Hospital and other worldwide companies and sites. "When we looked at domains running the cryptocurrency mining script Coinhive, we found many examples of typosquatting and domain infringement". Browsealoud maker Texthelp also claims to have detected the malware file modifications and has issued a statement confirming that no customer data was involved in the incident.
On Sunday, the UK National Cyber Security Center (NCSC), part of the GCHQ intelligence agency, said that there is "nothing to suggest that members of the public are at risk".
"The attacker added malicious code to the file to use the browser CPU in an attempt to illegally generate cryptocurrency".