Researchers discovered yet another cryptojacking attack; this time, it's being run by an online ad network that's found a way around popular ad blockers.
Researchers for Chinese cybersecurity vendor Qihoo 360's Netlab team found an unnamed ad network was running Coinhive cryptomining software in the browsers of unsuspecting users who visit the advertisers' websites. The Netlab team said the company is using domain generation algorithms (DGAs) to bypass ad blockers and serve ads to users.
While the researchers did not disclose the name of the ad network company, they said the ad network used domains they referred to as "DGA.popad," including "serve.popads.net." The domain popads.net belongs to an ad network called PopAds, which claims on its website to be "simply the best paying advertising network specialized in popunders on the internet." Popunders are browser windows that are created and then hidden behind the window of the website a user had chosen to visit.
SearchSecurity contacted PopAds for comment regarding the Qihoo 360 report. A PopAds representative responded via email, saying, "We're trying to make sense of the situation." However, the representative did not address questions regarding PopAds' alleged involvement in the cryptojacking attacks.
Update: Another PopAds representative emailed SearchSecurity with a statement. "They do look like our domains," wrote Tomasz Klekot, who is listed as the registrant and technical contact for PopAds.net. "I guess what happened is that we indeed had coinhive script on homepages of these domains. Yet, no real advertising traffic was ever accessing it. This was basically to monetize a bit of bots that try to scan our domains. I have already removed that as I noticed it causes issues with antivirus blacklisting."
Qihoo 360 researchers said the ad network in question has been using DGAs to bypass ad blockers as recently as mid-2017 and has been conducting cryptojacking attacks since at least December of last year. "As these DGA.popad domain names are not fixed and changed daily, blocking them become [sic] more difficult," the Netlab team wrote.
DGAs have been featured in recent malware variants, including Locky ransomware and the Dridex banking Trojan. Malware authors use DGAs to generate new domains that allow infected devices or systems to communicate with the malware's command-and-control infrastructure.
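As an added illustration (not code from the Netlab report or from any ad network), the Python below shows why a static blocklist built from one day's observations misses the next day's rotated DGA domains, and how a simple lexical heuristic on the second-level label can still flag them. Only serve.popads.net comes from the article; every other domain is constructed, and the entropy and vowel-ratio thresholds are assumptions tuned to this sample.

```python
import math
from collections import Counter

# Constructed sample: "serve.popads.net" is the one domain the report names;
# the other names are made up to imitate random-looking, daily-rotating
# DGA labels and ordinary benign sites.
DAY1_DOMAINS = ["serve.popads.net", "xq7dkz2vbm9ftlw.com", "www.example.org"]
DAY2_DOMAINS = ["serve.popads.net", "ahf3k2j9qpxz.net", "cdn.contentnetwork.com"]

VOWELS = set("aeiou")


def second_level_label(domain):
    """Return the label just left of the TLD (e.g. 'popads' for serve.popads.net)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    """Shannon entropy in bits per character; random labels score higher."""
    n = len(text)
    counts = Counter(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dga(domain, min_entropy=3.2, max_vowel_ratio=0.25):
    """Heuristic: high-entropy label with few vowels. Thresholds are assumptions."""
    label = second_level_label(domain)
    if not label:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def static_blocklist_hits(domains, blocklist):
    """Exact-match blocking: only catches domains already seen."""
    return [d for d in domains if d in blocklist]


def heuristic_hits(domains):
    """Lexical detection: does not depend on having seen the domain before."""
    return [d for d in domains if looks_like_dga(d)]


if __name__ == "__main__":
    yesterday = set(DAY1_DOMAINS)
    print("blocklist catches today:", static_blocklist_hits(DAY2_DOMAINS, yesterday))
    print("heuristic flags today:  ", heuristic_hits(DAY2_DOMAINS))
```

The rotated label xq7dkz2vbm9ftlw is absent from the day-two traffic, so the day-one blocklist only re-matches the fixed domain, while the heuristic flags the new random label without prior knowledge of it.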
The Netlab team reported some of the domains used by the ad network received heavy web traffic, with at least one domain cracking Alexa's Top 2,000 ranking. According to the report, many of the sites are for adult content or software downloads. The researchers said it's difficult to measure the impact of the cryptojacking attacks because they can't track the mining profits and couldn't determine how much of the traffic passing through the DGA.popad domains will be used for mining.
Cryptojacking on the rise
Coinhive released a new API that requires users to grant permission to the application before any cryptomining activity takes place. However, it appears the new opt-in API is hardly used at all. Antimalware vendor Malwarebytes, which began blocking Coinhive last fall, published new telemetry data Monday that shows, over the course of one month, the opt-in API was used 40,000 times per day, while the older API, which does not require user permission, was used 3 million times a day.
"While malicious cryptomining appears to be far less dangerous to the user than ransomware, its effects should not be undermined," Jérôme Segura, lead malware intelligence analyst at Malwarebytes, wrote in the report. "Indeed, unmanaged miners could seriously disrupt business or infrastructure critical processes by overloading systems to the point where they become unresponsive and shut down."