A malvertising campaign was observed exploiting Google’s DoubleClick network to deliver silent cryptominers on high-traffic sites.
Trend Micro researchers detected an almost 285% increase in the number of Coinhive miners on January 24 and started seeing an increase in traffic to five malicious domains on January 18, according to a Jan. 26 blog post.
Researchers spotted two different web miner scripts embedded in the pages along with a script that displays the advertisement from DoubleClick. Victims will see a legitimate advertisement while two silent cryptominers run in the background.
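A defender-side illustration of the pattern described above, added here and not part of the original article: a small scanner that extracts every script reference from a page and flags the ones matching known Coinhive loader indicators (the domain, library filename and `CoinHive.Anonymous` constructor are assumed from Coinhive's public documentation, and the sample page is constructed).

```python
from html.parser import HTMLParser
import re

# Assumed indicators of the Coinhive browser miner; not taken from the article.
MINER_INDICATORS = [
    re.compile(r"coinhive\.com", re.I),
    re.compile(r"coinhive\.min\.js", re.I),
    re.compile(r"CoinHive\.Anonymous", re.I),
]


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # list of (kind, value): ("src", url) or ("inline", body)
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(("src", src))
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append(("inline", "".join(self._buf)))


def find_miner_scripts(html):
    """Return (kind, excerpt, matched_pattern) for each script that looks like a miner loader."""
    parser = ScriptCollector()
    parser.feed(html)
    hits = []
    for kind, value in parser.scripts:
        for pat in MINER_INDICATORS:
            if pat.search(value):
                hits.append((kind, value.strip()[:80], pat.pattern))
                break
    return hits


# Constructed sample: one legitimate ad-network script plus two miner scripts.
SAMPLE_PAGE = """<html><body>
<script src="https://ad-network.example/ad.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY'); m.start();</script>
</body></html>"""
```

Running `find_miner_scripts(SAMPLE_PAGE)` flags the two miner scripts and leaves the ad-network loader alone.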
“We speculate that the attackers’ use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices,” researchers said in the post.
Trend Micro researchers weren't the only ones to spot the problem. Independent researcher Diego Betto spotted YouTube serving ads laced with CPU-draining Coinhive Monero cryptominers late last week.
“During normal browsing on YouTube, at some point, the antivirus Avast reported something that was not good,” Betto said in a Jan. 25 blog post. “From the Chrome Inspector it appears that one of the ads is infected and tries to load a crypto miner from Coinhive.”
Betto wasn’t the only one to notice the silent cryptominers as others voiced their frustration across Twitter and other social media channels.
“Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively,” a Google spokesperson told SC Media. “We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”
Last year, CrowdStrike researchers spotted several cases in which cryptomining software halted business operations when systems and applications crashed under the high CPU load, in contrast to the under-the-radar CPU-cycle leeching attacks seen in earlier instances.
CrowdStrike researchers said hackers had adopted a smash-and-grab mentality and were looking to obtain more profit from a high volume of system resources over a short period of time. Researchers expect cybercriminals will look for more ways to weaponize cryptominers, both for monetary gain and for other malicious attacks.