Ad Network Bypasses Ad Blockers to Mine Cryptocurrency in Browser

Ad Network Used a DGA to Fool Ad Blockers

An advertising network was caught hiding in-browser cryptocurrency miners (cryptojacking scripts) in the ads it’s serving. This has been going on since last December (’17). It was discovered by the Netlab team at Qihoo 360.

What’s more, this advertising network was using a clever trick to get past ad blockers, which ensured that both its ads and its cryptojacker made it to susceptible targets. Qihoo 360 didn’t disclose the name of the company whose malvertising was cryptojacking internet users.

Teaching a New Dog an Old Trick

The ad network in question made use of a tactic that is a favorite trick of a number of malware families: a domain generation algorithm (DGA). This technique is typically used by banking trojans, and it involves generating a unique domain name every day so that infected hosts can connect with it to get new commands. The server they connect to is called a command and control server.

What makes a DGA so effective is that only the attacker knows how the chosen DGA functions. The randomly generated domains are registered in advance with the knowledge that the malware will make contact in the future. Typically, it isn’t until a researcher cracks the algorithm and someone can take over the malware’s infrastructure that it’s finally defeated.

How the Ad Network used DGAs

This Ad Network used a DGA to randomly generate new domains at regular intervals. These domains were created as a backup in the event that internet users are using an ad blocker. Here’s what Qihoo 360 found out about the advertising network’s behavior:

Users don’t use an ad blocker:
– Users get ads from the ad network’s main domains
– Ad network also deploys a copy of the Coinhive in-browser Monero miner

Users use an ad blocker:
– Users block ads from the ad network’s main domain
– Ad network loads ads from an alternative domain generated by the DGA
– Ad network also deploys a copy of the Coinhive in-browser Monero miner

Security researchers are engaged in a game of cat and mouse. The DGA helps the attackers stay a step ahead because by the time the ad blockers detect the domain that’s malvertising, a new domain is generated for use. In essence the Ad Network has a healthy supply of domains that aren’t blacklisted by web filters or ad blockers.
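The gap described above, where a blocklist only knows the domains it has already seen, is why defenders pair lists with a heuristic for machine-generated names. The following is an added example, not code from Qihoo 360's report or from this article; the hostnames, thresholds and function names are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample data; none of these hostnames come from the Netlab report.
BLOCKLIST = {"ads.adnetwork.example"}          # the network's known "main" domain
REQUESTS = [
    "cdn.news-site.example",
    "ads.adnetwork.example",
    "assets.contentdelivery.example",
    "xkqzjvbnwtpr.example",                    # stand-in for a rotated DGA domain
    "qhwzrtlkmvxd.example",                    # stand-in for the next rotation
]

def shannon_entropy(text):
    """Bits per character; random strings score higher than words."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def registered_label(hostname):
    # Simplification (assumption): single-label TLD, no public-suffix lookup.
    parts = hostname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(hostname, min_len=10, min_entropy=3.0, max_vowel_ratio=0.2):
    """Heuristic: long, high-entropy, vowel-poor labels look machine-made."""
    label = registered_label(hostname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio

def triage(requests, blocklist):
    """Return {hostname: verdict}; the static blocklist is checked first."""
    verdicts = {}
    for host in requests:
        if host in blocklist:
            verdicts[host] = "blocked-by-list"
        elif looks_generated(host):
            verdicts[host] = "review-dga-suspect"
        else:
            verdicts[host] = "allowed"
    return verdicts

if __name__ == "__main__":
    for host, verdict in triage(REQUESTS, BLOCKLIST).items():
        print(f"{verdict:20} {host}")
```

The thresholds are illustrative and would need tuning against real traffic, since some generators produce pronounceable names and some legitimate CDNs use random-looking labels.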

This Ad Network runs a massive operation

This Ad Network is so prolific that one of its randomly generated domains is in the Alexa Top 2000. The majority of this network’s ads appear on pages that purport to offer free downloads, or on porn sites. In fact, according to Qihoo, nearly half of all cryptojacking scripts reside on porn sites, which really lends itself to a dirty joke – but my boss reads this blog occasionally and discretion is the better part of valor.

Anyway, this Ad Network’s use of anti-ad-blocking technology is nothing new. Almost 9% of the Alexa 5000 use anti-ad-blocking scripts that block access until the site is white-listed. This ad network isn’t even the first to use a DGA to get by the ad blockers. A group named RoughTed has been using the same methods since early last year.

So remember, the next time you visit that adult site, you might not be the only one… nope. Not going to do it.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.