Recent Web Attack Alerts from Norton Security
On July 25, 2018, Norton became aware of a large-scale crypto-jacking attack affecting customers in Brazil. Norton customers experiencing this attack were seeing repeated blocking alerts from Norton Security. The alert specifically reads “Norton blocked an Web Attack: JSCoinminer Download 6” or “Norton blocked an Web Attack: JSCoinminer Download 8” (refer to the screenshots in Portuguese below).
Web attack notification alerts in Portuguese
For Norton Security customers, the good news was that they were protected from these attacks. The alerts notify our customers that Norton Security detected a coin-mining attack and successfully blocked it.
However, these attacks were preventing our customers from visiting legitimate websites. On investigating the issue further, Norton discovered that these attacks were not coming from the legitimate websites, but from routers that were directing internet traffic from our customers’ machines to the legitimate websites. This type of attack is called web injection, because malicious code is injected into the communication between a website and a browser.
As part of our investigation, we were able to discover the exact routers involved and where they were located. We were also able to pinpoint the method, or vulnerability, attackers were using to compromise these routers.
This information has been passed on to the proper authorities in order to get these infections removed.
Recommendations to Norton Security customers
Our customers in Brazil are and will continue to be protected by Norton Security from the coin-mining attacks. This may mean in the short term that our customers are blocked from visiting some websites. We are working with the proper authorities to get the infected systems cleaned up so normal internet access is restored.
Also, refer to the Symantec Blog article "Postmortem of a Compromised MikroTik Router" for more details.