At least two council websites fell victim to cryptojackers last weekend without anybody realising, leaving visitors to the sites unwittingly helping hackers mine for cryptocurrency.
The Porirua City Council and Whangarei District Council are among several thousand sites internationally that were caught up in what Netsafe has called a "benign" attack.
Porirua City Council's chief information officer Steve McIntosh said the website itself was not compromised. But anyone visiting the site during the attack downloaded malicious code without realising it.
On Sunday, 4275 websites, including the US Courts site and the UK's Information Commissioner's Office site were running a script that had been altered to add a Coinhive crypto miner to any page it was loaded into.
"People who visited that website over the weekend, they would have seen their CPU, the brains of their computers, spike up to an enormous amount of activity suddenly," said Netsafe's director of technology Sean Lyons.
"They were being used to mine cryptocurrency without their knowledge, without their host's knowledge."
The practice is called "cryptojacking" and is when hackers use people's computers to "build small parts of cryptocurrency" such as Bitcoin.
The hack was "at the benign end of what could happen".
"What people are doing is they're using your processing power, they're using your computer, albeit for a short space of time, as part of a giant hive of computers to help them generate money."
Affected people would discover their devices were running "massively slow" while they were on the site.
"Often people wouldn't notice. People would just say 'I wonder why my fans have started running' or 'I wonder why my computer's slowed down'."
In theory if they stayed on the site long enough their CPU could overheat and cause physical damage to the computer, but that was unlikely, he said.
After being contacted by the Herald, a council spokeswoman said on Tuesday that as far as they were aware, the website had not been cryptojacked.
But screenshots show the site was still running the compromised script yesterday, a text-to-speech accessibility script called BrowseAloud by TextHelp.com. Security researcher Scott Helme posted on Twitter, saying it appeared the script was altered between about 3am and 1.20pm on Sunday (GMT).
The script was no longer on the council site this morning.
"Our website was not compromised in any way," McIntosh said in a statement.
"We were using the third party plugin BrowseAloud to enable people with sight impairments to 'read' our site. BrowseAloud converts website text to audio. Customers who used this plugin load it directly from the Browsealoud website not the Porirua City Council website."
The Whangarei District Council, which is still running the script, has been contacted for comment.
Lyons said this type of hack was sometimes referred to as a "drive-by exploit", when visitors to the site went there for something else but ended up being harmed by something else in the process.
"There are ways to stop these kinds of exploits but it does take time and it does take resource to do that, so sometimes we know when things do slip through ... you find yourself in situations where you put yourselves and the people who use your website potentially in harm's way."
If websites had "holes" and vulnerabilities that allowed such things to happen, then "the world's your oyster as far as the hacker's concerned".
"They could be at that point trying to put similar software on your computer that causes a chain reaction across the internet."
Hackers could potentially dig for sensitive details including names, passwords, logins, emails, or, on the more serious end, driver's licence details, passport numbers, and bank details.
Anyone using their banking details on the council website was not at risk from the vulnerability, though, as the parts of the site used for payments were hosted elsewhere.
Lyons said people managing public websites should run firewalls and run systems on the servers, and these would stop 99 per cent of attacks.
In a statement released on Sunday, the third party provider Texthelp confirmed their BrowseAloud script had been compromised in a cyber attack.
"The attacker added malicious code to the file to use the browser CPU in an attempt to illegally generate cryptocurrency. This was a criminal act," said chief technology officer Martin McKay in the statement.
"Texthelp is working with the National Crime Agency and The National Cyber Security Centre to pursue the investigation further."