Cyber Incident Victim: BlackBerry
Date: Jan 2018
Location: Canada
Summary
Attackers compromised the BlackBerry Mobile website by exploiting a critical vulnerability in the Magento e-commerce software, injecting Coinhive's cryptocurrency mining script to covertly mine Monero using visitors' computational resources. The unauthorized code, discovered by users inspecting the site's source code, affected only the global version of the site before it was removed. Coinhive confirmed that the same account had been used to compromise multiple websites and terminated it for violating the service's terms. This cryptojacking operation mirrored a broader trend of attackers leveraging web infrastructure weaknesses to deploy in-browser miners.
| Field | Value |
|---|---|
| Threat Actors | 0 actors |
| Motives | 1 motive |
| Tactics, Techniques & Procedures | 1 technique |
Description
On January 6, 2018, a Reddit user operating under the pseudonym "Rundvleeskroket" publicly disclosed that the official BlackBerry Mobile website (blackberrymobile.com) had been compromised to covertly execute cryptocurrency mining code. The user reported that a friend had identified the Coinhive in-browser mining script embedded in the site's source code, noting that it was present on the global version of the website while regional subdomains (such as those for Canada, the EU, and the US) were unaffected. A screenshot of the malicious code was shared as evidence, corroborating the claim that visitors' CPU resources were being used to mine Monero without their consent. The Reddit post further indicated that the issue had originally been identified by another user ("cryptocripples") in the r/security subreddit. Subsequent analysis by Coinhive, the provider of the mining script, confirmed that its platform had been used without authorization after attackers exploited a vulnerability in the site's Magento e-commerce software. Coinhive terminated the associated account after determining that it had been used to attack multiple websites in violation of its terms of service.

The incident reflected a broader trend of threat actors exploiting web infrastructure vulnerabilities to deploy cryptocurrency miners. Coinhive's investigation attributed the BlackBerry Mobile compromise to attackers exploiting a critical security flaw in Magento, though specific technical details of the intrusion were not disclosed. The malicious script was removed from the BlackBerry Mobile site following public exposure, though the timeline and internal remediation steps taken by BlackBerry were not detailed in available reports. This event occurred amid a surge in similar attacks, including a December 2017 Sucuri report identifying approximately 5,500 compromised WordPress sites running covert miners and a November 2017 campaign affecting 1,833 sites via malicious scripts masquerading as legitimate jQuery and Google Analytics files. The financial impact on BlackBerry Mobile or its website visitors was not quantified, but the compromise undermined trust in the company's digital assets and highlighted risks associated with unpatched e-commerce platforms.
