Online advertising network accused of serving crypto-jacking scripts on users' PCs
Advertising network uses domain generation algorithm tools to evade ad-blocking technology
Researchers at Qihoo 360 Netlab have warned that an online advertising network has been serving crypto-jacking scripts with adverts, and has deployed tools to evade ad-blocking technology.
The crypto-jacking scripts are deployed to exploit users' PCs to mine for Monero cryptocurrency on behalf of the advertising network.
According to Qihoo 360 Netlab, the unnamed network has been sneaking in-browser cryptocurrency miners into advertising code since at least December last year.
While the researchers have decided not to name the advertising network, they have branded its cryptocurrency mining code "DGA.popad" because the company uses a domain generation algorithm (DGA) to bypass ad blockers.
"We recently noticed that one of the advertising network providers started to perform in-browser Coinhive cryptojacking when users visit websites that use this provider's ad network service," wrote the researchers in a blog posting warning of the new tactic.
"As early as mid 2017, this ad network provider has been using DGA technology to generate seemingly random domains to bypass adblock to ensure that the ads it serves can reach the end users. The typical domains look like this: [a-z]{8,14}.(bid|com), we call it DGA.popad."
In other words, the advertising network evades ad blockers by pseudo-randomising the domains from which the adverts are served.
It is not a new technology - DGAs have typically been used by malware writers, particularly in the creation of banking Trojans. The DGA randomly generates new domain names every day, which are registered and used before they can be added to ad-blocking lists.
If users have an ad blocker installed, the ad network's main domain is blocked. But it can get round this by sending adverts to users from alternative domains.
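The domain shape quoted above can be used to triage resolver logs from the defender's side. The following is an added example, not code from the Netlab report: it reads the pattern's character class as a-z, and the log format, sample names and randomness thresholds are constructed assumptions. The shape alone also matches many ordinary .com names, so a crude consonant-run and vowel-ratio check narrows the hits.

```python
import re

# Shape quoted in the article: 8-14 lowercase letters under .bid or .com.
SHAPE = re.compile(r"^[a-z]{8,14}\.(?:bid|com)$")
VOWELS = set("aeiou")

# Constructed resolver log lines: timestamp, client IP, queried name.
SAMPLE_LOG = """\
2018-02-05T09:14:02Z 10.0.0.21 xkqjzvbnwtrp.bid
2018-02-05T09:14:03Z 10.0.0.21 cdn.qhvoaxtkmzub.com
2018-02-05T09:14:09Z 10.0.0.34 www.weathernews.com
2018-02-05T09:15:41Z 10.0.0.34 examplestore.com
2018-02-05T09:16:10Z 10.0.0.21 xkqjzvbnwtrp.net
2018-02-05T09:16:12Z 10.0.0.21 XKQJZVBNWTRP.BID.
"""

def registered_domain(name):
    """Last two labels, lowercased, trailing dot removed (enough for .bid/.com)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def longest_consonant_run(label):
    run = best = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best

def looks_generated(domain):
    """Shape match plus an assumed randomness heuristic (not from the report)."""
    if not SHAPE.match(domain):
        return False
    label = domain.split(".")[0]
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return longest_consonant_run(label) >= 4 or vowel_ratio < 0.2

def flag_queries(log_text):
    """Return {client_ip: sorted list of suspicious registered domains}."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, qname = parts
        domain = registered_domain(qname)
        if looks_generated(domain):
            hits.setdefault(client, set()).add(domain)
    return {ip: sorted(found) for ip, found in hits.items()}
```

The heuristic is for triage only: real words with long consonant clusters will also trip it, so flagged names need confirmation before they go on a blocklist.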
"We know in-browser cryptojacking uses JavaScript from providers, on a web page to mine for cryptocurrencies," continued the researchers.
"There have been some top websites, such as Pirate Bay, being reported to mine cryptocurrency by leveraging end users' computing power when the users visit their webpages.
"In this case, these DGA.popad domains were found performing cryptojacking when we were doing an internet-scale web-mining measurement, and monitoring on Alexa top 300,000 domains."
The researchers claim that the scale of the campaign being run by the advertising network is so great that one of its randomly generated domains entered the Alexa Top 2,000.
However, users who steer clear of adult web sites, according to the researchers, are much less likely to fall victim to the ad network's cryptojacking antics.