Ad network circumvents blockers to hijack browsers for cryptocurrency mining

An advertising network has come up with a way to ignore ad blockers in order to serve cryptocurrency mining scripts to visitors.
Written by Charlie Osborne, Contributing Writer

Researchers have discovered an advertising network which has figured out a way to bypass ad blocking software in order to serve website visitors with cryptojacking scripts.

This week, cybersecurity researchers from Netlab 306 revealed the scheme, which impacted visitors to websites which used the firm's advertising network.

Since 2017, the unnamed company has been able to bypass ad blockers by using domain DGA technology to generate random domain addresses, ensuring adverts reach end users.

While there is nothing technically wrong with this technique in order to serve adverts, the reason for using it is -- in order to steal computing power to mine cryptocurrency.

One of the most popular online mining scripts available today is CoinHive, which can be installed in web page coding to borrow additional power from CPUs when visitors view the page.

While this uses a small amount of power used to mine the Monero cryptocurrency, if this script is served on websites with heavy traffic, the trickle of mined cryptocurrency can turn into a flood.

Some website operators have experimented with miners to replace advertising altogether, and while the idea does hold merit, it should not be performed without user consent.

The advertising network in question generated domains the researchers have called DGA.popad, and cryptojacking occurred "without end-user acknowledgment."

"The confrontation between ad network companies and ad blocking plug-ins is nothing new, but [an] ad network participating [in] web mining using dga domains deserves our attention," Netlab says.

The researchers found that adverts, when viewed and clicked on, would serve the coinhive.min.js website cryptocurrency miner.

Netlab says that as these domains change daily, blocking the cryptojacking script is difficult -- even if the website operators using this network are aware of what is happening in the first place.

Several of the domains running these scripts ranked as highly as 2000 in the Alexa top website list, which suggests traffic levels are likely to be high. When visited, some of these domains would rack up CPU usage to 100 percent.

"We looked up the history of the last two months, and the result suggests that the majority of these impacted are websites providing porn and downloading services," the team added.

See also: Cryptocurrency miners bought 3 million GPUs in 2017

Netlab's discovery is recent and so a thorough exploration and details relating to how much the ad network has made and which wallets it uses are currently not available.

However, with so much money to be made through cryptojacking, it would not be surprising if we see more of these schemes in the future as a replacement for traditional malvertising.

In January, threat actors exploited Tesla's cloud environments with cryptojacking scripts. An unprotected Kubernates console was the root cause of the issue, which allowed attackers to compromise Tesla's Amazon Web Services (AWS) systems.

10 things you didn't know about the Dark Web

Previous and related coverage

Editorial standards