More than 4,000 websites may have fallen victim to crypto-jacking — when computers are secretly made to mine cryptocurrency.

UK security researcher Scott Helme discovered the malicious software on Sunday, which he said was "definitely mining".

The compromised website plug-in responsible has now been taken offline.

Locally, websites that appear to have been affected include the Queensland Government's legislation website, the Queensland Civil and Administrative Tribunal and the Victorian Parliament.

In the UK, websites run by the National Health System, the UK's Student Loans Company and the Northern Powergrid were also impacted (you can see which other websites were affected here).


Mr Helme said he found the compromised JavaScript file on Sunday morning after a friend's anti-virus program set off an alert on the site of the UK Information Commissioner's Office.

He found the malicious script and traced it back to its source: a website plug-in called Browsealoud, which helps people with low vision, dyslexia and low literacy access the internet.

"If you want to load a crypto miner on 1,000+ websites you don't attack 1,000+ websites, you attack the 1 website that they all load content from," Mr Helme wrote on his blog.

The hack added a Coinhive program to the affected websites, which uses computer power to mine the Monero cryptocurrency when the browser window is loaded.

Mr Helme's analysis suggests the software was online for about four hours before the company that owns the plug-in, Texthelp, acted.

In a statement, Martin McKay, Texthelp's chief technology officer, said the compromise was a criminal act and was being investigated.

"Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline," he added.

The situation could have been much worse

Mr Helme said using the same technique, malicious actors could have injected a range of malware into the websites.

For example, they could have installed a keylogger that tracks people entering usernames and passwords, a malicious software update or a virus.

"At this point, the attacker is limited by their imagination," he said.

"Right now, the worst-case scenario is you probably made some money for a criminal gang."

Australian cybersecurity researcher Troy Hunt (who runs online security workshops with Mr Helme) suggested Australia may have "gotten off lightly" thanks to the country's time zone. Most Australians would have been asleep while the compromised plug-in was operational.

"There was an awful lot more [the hacker] could have done," Mr Hunt said.

"Once you can run your own JavaScript on someone else's website, you can do basically anything."

For the moment, it is not clear how the perpetrators altered the plug-in.

Texthelp is yet to disclose whether an employee's credentials were stolen, whether the company's web host was compromised, or whether some other means was used.

Although responsibility ultimately lies with Texthelp, Mr Helme suggested government websites should be held to a higher security standard if they use third-party services, such as Browsealoud.

Many websites use outside providers for everything from fonts to accessibility tools, which provide an additional gateway for bad actors.

"There are technical measures that exist to protect against exactly this kind of thing. This is not a new problem," Mr Helme said.

Mr Hunt agreed the incident was a wakeup call.

There are ways of mitigating the risk. For example, he suggested, ensuring that scripts are run only if they look a certain way, or loading scripts only from certain locations.

"In fairness, [the affected websites] are not out of step with the industry," Mr Hunt said. "Websites in general have to get more serious about what they will trust to run."

The UK National Cyber Security Centre said it was investigating the incident:

"At this stage there is nothing to suggest that members of the public are at risk."

The Queensland Civil and Administrative Tribunal said it has disabled the Browsealoud plug-in on its website.

The Queensland Government, the Victorian Parliament and the Australian Cyber Security Centre have been contacted for comment.