Researchers are not identifying the ad network, but they said that since 2017 the provider has used domain generation algorithms (DGA) to effectively circumvent ad blockers.
“Starting from 2017-12, the bar got raised again and we began to see these DGA.popad domains participating in cryptojacking without end-users' acknowledgement,” Zhang Zaifeng, researcher with Netlab 360, wrote in a post.
Domain generation algorithms are typically used to randomly generate new domains at intervals so that by the time ad blockers detect the domain as advertising, a new domain has already been generated.
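The gap described above, where a static blocklist lags behind rotating domains, can be narrowed on the defensive side by scoring how machine-generated a hostname looks. The following sketch is an added example, not code from Netlab 360 or the ad network; the domains are constructed samples and the thresholds are illustrative assumptions.

```python
import math
from collections import Counter

# Constructed sample data, not indicators from the Netlab 360 post.
BLOCKLIST = {"ads.example.com", "qkzvtjwplx.example"}  # what a filter list knows today
OBSERVED = [
    "ads.example.com",       # long-lived ad host, listed
    "news.example.org",      # ordinary site
    "qkzvtjwplx.example",    # earlier generated domain, already listed
    "xvbrqzkwhtpd.example",  # freshly generated domain, not listed yet
    "static.example.net",
]
VOWELS = set("aeiou")

def shannon_entropy(label):
    """Bits per character of the label's character distribution."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def longest_consonant_run(label):
    """Length of the longest run of consecutive consonant letters."""
    best = run = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def looks_generated(domain, min_len=8, min_entropy=3.0, min_run=4):
    """Heuristic: some label (TLD excluded) is long, high-entropy and vowel-poor.
    The thresholds are illustrative assumptions, not tuned values."""
    labels = domain.lower().rstrip(".").split(".")[:-1]
    return any(
        len(l) >= min_len
        and shannon_entropy(l) >= min_entropy
        and longest_consonant_run(l) >= min_run
        for l in labels
    )

def triage(domains, blocklist):
    """Sort domains into blocked, suspicious (unlisted but generated-looking), allowed."""
    out = {"blocked": [], "suspicious": [], "allowed": []}
    for d in (x.lower().rstrip(".") for x in domains):
        if d in blocklist:
            out["blocked"].append(d)
        elif looks_generated(d):
            out["suspicious"].append(d)
        else:
            out["allowed"].append(d)
    return out
```

Calling `triage(OBSERVED, BLOCKLIST)` puts the unlisted `xvbrqzkwhtpd.example` in the suspicious bucket even though the blocklist has never seen it. A heuristic like this produces false positives and negatives, so it serves as a triage signal for review rather than a blocking rule.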
“The confrontation between ad network companies and ad blocking plug-ins is nothing new, but ad network participating in web mining using DGA domains deserves our attention,” Zaifeng said.
“For a fact check, we tried to visit one of these websites, the moment we load the page, CPU utilization soared to 100%,” wrote Zaifeng.
While the mining profits are unknown, Netlab 360 said there may be many users impacted by the cryptojacking, and some of the DGA.popad domains made Alexa’s top 2,000 ranking – indicating that web traffic is high.
The researchers said that the websites running the DGA-scrambled ads were mostly pornography websites and similar sites typically used as bait in scams.
Cryptojacking has taken off in the past year. In the past week, researchers have found cryptojacking code hidden on the Los Angeles Times’ interactive Homicide Report webpage that was quietly harnessing visitors’ CPUs to mine Monero cryptocurrency.
“Cryptojacking won’t go away,” Troy Mursch, researcher with Bad Packets Report, told Threatpost. “It’s something that will stay around for a while. For the websites that are impacted, it will leave a bad taste in the mouth of users.”