Google DoubleClick targeted by cyber-scammers looking to propagate Coinhive cryptocurrency mining malware

Coinhive exploits JavaScript flaws to mine for cryptocurrencies at the expense of web users

Google's DoubleClick online advertising network has been targeted by groups trying to propagate the Coinhive cryptocurrency miner malware, according to security firm Trend Micro.

Researchers at the company recently found that cyber crime gangs are deploying advertisements that use Coinhive, as well as separate web mining services that connect to private pools, on high-traffic websites.

Attackers are also tapping into Google's DoubleClick, which powers much of the internet's ad services, to distribute dodgy adverts. Affected countries include Japan, France, Taiwan, Italy, and Spain.

The firm said it's already disclosed these findings to Google. "We detected an almost 285% increase in the number of Coinhive miners on January 24. We started seeing an increase in traffic to five malicious domains on January 18," it said.

"After closely examining the network traffic, we discovered that the traffic came from DoubleClick advertisements."

After analysing malvertisement-riddled pages, the security bods identified two different web miner scripts as well as one that displays advertisements using DoubleClick.

The webpages deceive users by showing legitimate advertisements while "the two web miners covertly perform their tasks". Users are unaware that this is happening.

Trend Micro explained: "We speculate that the attackers' use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices."

The adverts use a JavaScript code "that generates a random number between variables 1 and 101". The code is capable of using 80 per cent of a computer's CPU power for mining, said the firm.

"After de-obfuscating the private web miner called mqoj_1.js, there will be a JavaScript code that is still based on Coinhive," explained the firm.

"The modified web miner will use a different mining pool at wss[:]//ws[.]l33tsite[.]info[:]8443. This is done to avoid Coinhive's 30% commission fee."

To avoid this issue, Trend Micro advised: "Blocking JavaScript-based applications from running on browsers can prevent Coinhive miners from using CPU resources."

"Regularly patching and updating software—especially web browsers—can mitigate the impact of cryptocurrency malware and other threats that exploit system vulnerabilities."
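For network defenders, the private-pool indicator quoted above can be matched against WebSocket connections recorded in web-proxy logs. The following is an added example, not code from the article or from Trend Micro; the log format, client addresses and function names are constructed for illustration.

```javascript
// Added example: match WebSocket connections in proxy logs against
// defanged mining-pool indicators. Function names are hypothetical.

// Indicator exactly as quoted in the article (defanged).
const DEFANGED_IOCS = ["wss[:]//ws[.]l33tsite[.]info[:]8443"];

// Undo common defanging: "[.]" -> ".", "[:]" -> ":", "hxxp" -> "http".
function refang(indicator) {
  return indicator.replace(/\[([.:])\]/g, "$1").replace(/^hxxp/i, "http");
}

// Reduce a ws:// or wss:// URL to "host:port"; null for other schemes.
function endpoint(rawUrl) {
  const u = new URL(rawUrl); // throws on unparseable input
  if (u.protocol !== "ws:" && u.protocol !== "wss:") return null;
  const port = u.port || (u.protocol === "wss:" ? "443" : "80");
  return `${u.hostname}:${port}`; // hostname is already lower-cased by URL
}

// Return one record per log line whose WebSocket endpoint is on the list.
function findMinerConnections(logLines, defangedIocs) {
  const blocklist = new Set(defangedIocs.map((i) => endpoint(refang(i))));
  const hits = [];
  for (const line of logLines) {
    const [time, client, url] = line.trim().split(/\s+/);
    if (!url) continue; // malformed line
    let ep;
    try { ep = endpoint(url); } catch { continue; } // unparseable URL
    if (ep && blocklist.has(ep)) hits.push({ time, client, endpoint: ep });
  }
  return hits;
}

// Constructed log lines ("<time> <client> <url>"); the pool URL is built
// from the indicator so it never appears refanged in this file.
const pool = refang(DEFANGED_IOCS[0]);
const SAMPLE_LOG = [
  `2018-01-24T10:00:01Z 10.0.0.5 ${pool}/`,
  "2018-01-24T10:00:02Z 10.0.0.6 wss://chat.example.com/socket",
  "2018-01-24T10:00:03Z 10.0.0.5 https://www.example.com/index.html",
  `2018-01-24T10:00:04Z 10.0.0.7 ${pool.toUpperCase()}/proxy`,
  "malformed line",
];

console.log(findMinerConnections(SAMPLE_LOG, DEFANGED_IOCS));
```

Matching on host and port rather than on script contents still works when the miner script itself is obfuscated, as the one described here was.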