The scourge of drive-by currency mining—in which websites and apps covertly run resource-draining code on other people's devices—shows no sign of abating. Over the weekend, researchers added two more incidents: one involves more than 4,200 sites (some operated by government agencies), while the other targets millions of Android devices.

The first incident affected sites that offer a free text-to-speech translation service called Browsealoud. On Sunday, someone changed the JavaScript code hosted here to include currency-mining code from Coinhive, a controversial site that uses the devices of site visitors, usually without their permission, to generate digital coin known as Monero.

In the process, any site that included a link to the Browsealoud JavaScript suddenly saddled its visitors with code that used 60 percent of its CPU resources, with no attempt to warn end users or get their permission (by default, Coinhive code uses 100 percent). Search results show that the breach affected 4,275 sites, including those operated by the UK government's Information Commissioner's Office, US federal courts, and the state of Indiana. The CTO of Texthelp, the company that offers Browsealoud, issued a statement saying it suspended the service until Tuesday. The move put an end to the illicit mass mining, which lasted about four hours. At no time was customer data accessed or lost, the statement said.

Trusthelp officials didn't respond to questions asking how the offending JavaScript wound up being hosted on its Internet domain in the first place. The company was also silent about what it is doing to ensure similar episodes don't happen again.

Millions of Android devices targeted

This is the second incident of surreptitious mass mining targeted millions of Android devices since as early as November, security provider Malwarebytes said Monday. The campaign presents a webpage to unsuspecting users warning that their device is showing suspicious signs. The site directs them to complete a CAPTCHA to prove their device is being controlled by a human rather than a malicious script. Until the end user completes the CAPTCHA, the device runs resource-exhausting code that mines Monero on behalf of the attackers.

A quick analysis of two of the five sites known so far to display the code-mining CAPTCHAs indicates the campaign is snaring tens of millions of devices. Results returned by SimilarWeb showed that rcyclmnr[].com received 34.2 million visits since November, with 98.5 percent of the visits coming from mobile devices. A separate page used in the campaign, recycloped[.]com, received 32.3 million visits, with 95 percent of its vists coming from mobile devices.

Malwarebytes researchers estimated that the five domains collectively received an average of 800,000 visits per day. Each visit to the mining page, according to Malwarebytes, lasted an average of four minutes. The researchers said that redirect scripts were responsible, but they also suspect malicious apps may have played a role.

"Because of the low hash rate and the limited time spent mining, we estimate this scheme is probably only netting a few thousand dollars each month," Malwarebytes lead malware intelligence analyst Jérôme Segura wrote in Monday's report. "However, as cryptocurrencies continue to gain value, this amount could easily be multiplied a few times over."

The minimal benefit to the drive-by mining scammers is in stark contrast to its effects on end users. Currency-mining scripts that run on PCs for extended periods of time have the potential to consume considerable amounts of electricity and even render some affected companies unable to operate because of the strain the miners put on servers and the network bandwidth the miners consume. Researchers at Kaspersky Lab, meanwhile, recently documented an Android miner that was so aggressive it physically damaged the phone it ran on.

Preventing the types of incidents that hijack hosted JavaScript is possible though a precaution known as "subresource integrity." Scott Helme, the researcher who first reported the Browsealoud JavaScript compromise, has a useful description of the subresource integrity technique here. Stopping drive-by mining campaigns that rely on malvertising or malicious apps is becoming increasingly difficult, although end users can usually protect themselves by running AV programs from Malwarebytes and many other providers.

But there's a much bigger risk to currency miners that often goes overlooked. If someone can control the JavaScript that the US court system and thousands of other organizations load into their webpages, they can potentially exploit critical browser flaws, steal log-in credentials, and perform other malicious acts. As offensive as drive-by mining is, it's one of the more benign offenses that can result from malicious code that gets executed on our devices.