It looks like Airasia’s Bigprepaid.com is not the only website affected by a hidden cryptocurrency mining breach today.
Tuneprotect.com, which is owned and operated under the Tune Group banner is also affected by a similar breach.
Digging through the source code of both sites, we have managed to locate some of the offending script embedded via an encrypted javascript call to https://coin-hive.com/lib/coinhive.min.js.
Coinhive in itself offers a Javascript miner for the Monero Blockchain. They allow you to embed their code legally on your website so that visitors help you mine XMR as they browse your site. Its totally up to the website owner whether to inform the users that their CPU cycles are being used for mining or otherwise.
However in both the incidences of Bigprepaid and Tuneprotect, the code was encrypted and hidden so we are quite sure that this was done with some malicious intent to avoid the cryptocurrency miner being detected by users, or even the legitimate owners of the site.
At time of writing, the site remains up and running.
(UPDATE – 7PM):
The offending code has been removed from the site.
(UPDATE – 824PM):
Tune Protect has released a short statement regarding today’s incident, as shown in its fully below:
Today we were made aware of an unauthorised cryptocurrency mining Javascript on Tune Protect’s website. As an immediate response, we have removed the script from our website and we are investigating to identify the source of the script.
We would like to assure our customers that we take their privacy seriously and have strong controls in place to protect their data. There are no personal data nor information breaches from this issue. – Razman Hafidz Abu Zarim, Group CEO, Tune Protect Group Berhad.
In general, the statement seems to be similar to the one released for AirAsia BIG Prepaid’s incident. Nevertheless, Tune Protect existing and potential customers should now be able to browse the website without worrying about unauthorized use by cryptocurrency script.
