Ad Network Bypasses Ad Blockers to Mine Cryptocurrency in Browser
Ad Network Used DGA Algorithm to fool Ad Blockers
An Advertising Network was caught hiding in-browser cryptocurrency miners (cryptojacking scripts) in the ads it’s serving. This has been going on since last December (’17). It was discovered by the Netlab team at Qihoo 360.
What’s more, this advertising network was using a clever trick to avoid users with ad blockers, which ensured that both its ads and their cryptojacker made it to targets that would be susceptible. Qihoo 360 didn’t disclose the name of the company whose malvertising was cryptojacking internet users.
Teaching a New Dog an Old Trick
The ad network in question made use of a tactic that is a favorite trick of a number of malware families: a domain generation algorithm (DGA). This technique is typically used by banking trojans, and it involves generating a unique domain name every day so that infected hosts can connect to it and get new commands. The host they connect to is called a command & control (C&C) server.
What makes a DGA so effective is that only the attacker knows how the chosen DGA functions. The randomly generated domains are registered in advance with the knowledge that the malware will make contact in the future. Typically, it isn’t until a researcher cracks the algorithm and someone can take over the malware’s infrastructure that it’s finally defeated.
How the Ad Network used DGAs
This Ad Network used a DGA to randomly generate new domains at regular intervals. These domains were created as a backup in the event that internet users are using an ad blocker. Here’s what Qihoo 360 found out about the advertising network’s behavior:
Users don’t use an ad blocker:
– Users get ads from the ad network’s main domains
– Ad network also deploys a copy of the Coinhive in-browser Monero miner
Users use an ad blocker:
– The ad blocker blocks ads from the ad network’s main domains
– Ad network loads ads from an alternative domain generated by the DGA
– Ad network also deploys a copy of the Coinhive in-browser Monero miner
Security researchers are engaged in a game of cat and mouse. The DGA helps the attackers stay a step ahead because by the time the ad blockers detect the domain that’s malvertising, a new domain is generated for use. In essence the Ad Network has a healthy supply of domains that aren’t blacklisted by web filters or ad blockers.
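To make the blocklist-lag argument concrete from the defender’s side, here is an added example (not from the post or from Qihoo 360’s research) that scores hostnames in constructed request-log lines for DGA-like labels and flags a miner script loaded from such a host. The log lines, hostnames, entropy threshold and vowel-ratio cutoff are all assumptions for illustration.

```python
from __future__ import annotations
import math
import re
from collections import Counter

# Constructed sample request log (not real traffic). The first two lines are
# ordinary ad-network requests; the last two mimic the fallback pattern above:
# a random-looking host serves the ad, then an in-browser miner script.
SAMPLE_LOG = """\
2018-02-20T10:01:12Z GET https://ads.example-network.com/serve.js
2018-02-20T10:01:13Z GET https://cdn.example-network.com/banner.png
2018-02-20T10:01:14Z GET https://xk3qvz7tpwjd9lfb.com/serve.js
2018-02-20T10:01:15Z GET https://xk3qvz7tpwjd9lfb.com/coinhive.min.js
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_label(host: str) -> str:
    # Assumption: the last label is the TLD. Production code should use a
    # public-suffix list so that hosts under co.uk etc. are handled correctly.
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(host: str, entropy_threshold: float = 3.5) -> bool:
    """Two independent signals: high character entropy and a vowel-poor label."""
    label = registrable_label(host).lower()
    if len(label) < 10:            # short labels give too little signal
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= entropy_threshold and vowel_ratio < 0.2

def flag_log(log: str) -> list[tuple[str, str]]:
    """Return (host, reason) pairs for lines worth an analyst's attention."""
    hits = []
    for line in log.splitlines():
        m = re.search(r"https?://([^/\s]+)(/\S*)?", line)
        if not m:
            continue
        host, path = m.group(1), m.group(2) or ""
        if looks_generated(host):
            reason = "dga-like host"
            if "coinhive" in path.lower():   # miner script riding on the fallback domain
                reason += " + miner script"
            hits.append((host, reason))
    return hits

if __name__ == "__main__":
    for host, reason in flag_log(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

A static blocklist built from yesterday’s flagged hosts would miss today’s, which is why a heuristic on the label itself is a useful complement to domain lists.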
This Ad Network runs a massive operation
This Ad Network is so prolific that one of its randomly generated domains is in the Alexa Top 2000. The majority of this network’s ads appear on pages that purport to offer free downloads, or at porn sites. In fact, according to Qihoo, nearly half of all cryptojacking scripts reside on porn sites, which really lends itself to a dirty joke – but my boss reads this blog occasionally and discretion is the better part of valor.
Anyway, this Ad Network’s use of anti-ad-blocking technology is nothing new. Almost 9% of the Alexa 5000 use anti-ad-blocking scripts that block access until the site is white-listed. This ad network isn’t even the first to use a DGA to get by the ad blockers. A group named RoughTed has been using the same methods since early last year.
So remember, the next time you visit that adult site, you might not be the only one… nope. Not going to do it.