Ad Network Circumvents Ad-Blocking Tools To Run In-Browser Cryptojacker Scripts

Researchers say cryptojackers are bypassing ad-blocking software in an attempt to run the in-browser cryptocurrency miner Coinhive.

Cryptojackers are getting resourceful and have figured out how to bypass ad-blocking software and deliver the Coinhive JavaScript miner via browser-based ads. Researchers at Qihoo’s Netlab 360 said they recently spotted an advertising network that was using what is called a domain generation algorithm to evade ad-blocking tools and serve up ads that link to landing pages containing the Coinhive cryptominer.

Researchers are not identifying the ad network, but they said that since 2017 the provider has used domain generation algorithms (DGA) to effectively circumvent ad blockers. 

“Starting from 2017-12, the bar got raised again and we began to see these DGA.popad domains participating in cryptojacking without end-users acknowledgement,” Zhang Zaifeng, researcher with Netlab 360, wrote in a post.

Domain generation algorithms are typically used to randomly generate new domains at intervals so that by the time ad blockers detect the domain as advertising, a new domain has already been generated.

“The confrontation between ad network companies and ad blocking plug-ins is nothing new, but ad network participating web mining using dga domains deserves our attention,” Zaifeng said.  

Coinhive’s JavaScript miner software is often used by hackers, who secretly embed the code into websites and then mine Monero currency by tapping the CPU processing power of site visitors’ phones, tablets and computers.

In the case of the rogue ads identified by Netlab 360, victims visit a site that has the malicious ads, and if they click on the ads they are redirected to a popad.net domain that contains the Coinhive JavaScript. If the user is running an ad blocker, the popad.net domain used to serve the ad is blocked. This is where the cryptojacker has planted JavaScript code that can detect the ad blocker and switch the popad.net domain to one of the cryptojacker’s DGA.popad domains, which loads an ad that links back to the Coinhive cryptominer.

“For a fact check, we tried to visit one of this website, the moment we load the page, CPU utilization soared to 100%,” wrote Zaifeng.

While the mining profits are unknown, Netlab 360 said there may be many users impacted by the cryptojacking, and some of the DGA.popad domains made Alexa’s top 2,000 ranking – indicating that web traffic is high.

The researchers said that the websites running the DGA-scrambled ads were mostly pornography websites and similar sites typically used as bait in scams.

Researchers described several attack scenarios when ad blocking software is in use. In one example, “since ad block is enabled, domain serve.popad.net was blocked. This provider’s (JavaScript) code will switched to one of the DGA.popad domain name.” In another example, a domain “will load the advertisement, as well as the cryptojacking.”
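
A defender's view of the fallback described above, as an added example that is not from the article or from Netlab 360: it correlates a blocked ad request with a follow-up request from the same page to a host whose name looks algorithmically generated. The thresholds, field names and `.example` hostnames are constructed assumptions; `serve.popad.net` is the blocked domain quoted above.

```javascript
// Added example. Thresholds and all ".example" hostnames are constructed
// assumptions; serve.popad.net is the blocked host named in the article.

// Shannon entropy (bits per character) of a string.
function shannonEntropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => {
    const p = n / s.length;
    return h - p * Math.log2(p);
  }, 0);
}

// Heuristic: long, high-entropy, vowel-poor label right before the TLD.
// Naive label split; production code should use the Public Suffix List.
function looksGenerated(host) {
  const labels = host.toLowerCase().split(".");
  if (labels.length < 2) return false;
  const label = labels[labels.length - 2];
  if (label.length < 10) return false;
  const vowels = (label.match(/[aeiou]/g) || []).length;
  return shannonEntropy(label) >= 3.0 && vowels / label.length <= 0.2;
}

// Pair each blocked request with later allowed requests from the same page,
// inside windowMs, whose host looks generated. Events must be time-sorted.
function findFallbacks(events, windowMs) {
  const hits = [];
  events.forEach((blockedEvt, i) => {
    if (!blockedEvt.blocked) return;
    for (const e of events.slice(i + 1)) {
      if (e.t - blockedEvt.t > windowMs) break;
      if (e.page === blockedEvt.page && !e.blocked && looksGenerated(e.host)) {
        hits.push({ page: e.page, blockedHost: blockedEvt.host, fallbackHost: e.host });
      }
    }
  });
  return hits;
}

// Constructed request log, sorted by time (ms).
const SAMPLE_EVENTS = [
  { t: 0, page: "site-a.example", host: "serve.popad.net", blocked: true },
  { t: 120, page: "site-a.example", host: "xkqzjvwpthmd.example", blocked: false },
  { t: 300, page: "site-a.example", host: "videodeliverynetwork.example", blocked: false },
  { t: 9000, page: "site-b.example", host: "qzxvkjwhtrpl.example", blocked: false },
];

console.log(findFallbacks(SAMPLE_EVENTS, 2000));
```

Name heuristics alone misfire on legitimate hostnames, so the example reports a generated-looking host only when it follows a blocked request from the same page within the time window.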

Cryptojacking has taken off in the past year – in the past week, researchers have found cryptojacking code hidden on the Los Angeles Times’ interactive Homicide Report webpage that was quietly harnessing visitors’ CPUs to mine Monero cryptocurrency.

“Cryptojacking won’t go away,” Troy Mursch, researcher with Bad Packets Report, told Threatpost. “It’s something that will stay around for awhile. For the websites that are impacted, it will leave a bad taste in the mouth of users.”

 
