Cryptocurrency Malvertising Campaign Hijacks Users’ Browsers

Another day, another malvertising attack. Cybercriminals are using malvertising to push hard-coded snippets of JavaScript that mine cryptocurrency right inside an unsuspecting user’s web browser. Distribution is now expanding to file-sharing websites, where unsuspecting downloaders are being infected as well.

Clever Criminals

The attack is particularly clever in that cryptocurrency mining is done directly within the web browser when the victim browses to certain booby-trapped websites.

Unlike similar attacks, there is no need for an exploit or malware to infect the computer. Instead, a victim browsing with JavaScript enabled is effectively robbed of processing power, which the script uses to generate digital currency for the attackers.

The attackers are mining for three types of alternative cryptocurrencies — Monero, Litecoin and Feathercoin — that were inspired by the more popular Bitcoin.

Using malvertising to mine for cryptocurrencies can be incredibly profitable for cyberattackers. For example, a single Monero currently trades for $96 while Litecoin prices on public exchanges are listed at $53.

ZCash

In a separate operation run by a different set of attackers, another campaign mining for ZCash (currently trading at $177) did not use malicious ads but instead hosted the JavaScript mining code on the rigged site.

The JavaScript code snippets used to power the browser-based mining operation were distributed via malvertising that involved buying traffic from an ad network and distributing malicious JavaScript instead of a traditional advertisement.

“In this particular case, we are not sure if the injection of the script was intended or if listat[.]biz was compromised. However, listat[.]biz is really suspicious as it seems to mimic LiveInternet counter (LI stat), which is a legitimate web counter. Moreover, many suspicious domains have been registered with the same email address, including lmodr[.]biz, which is also present in the malvertising chain,” according to ESET researcher Matthieu Faou.

The choice of sites was deliberate: the rigged websites all served video streaming content or in-browser games. This helped the attackers stay under the radar, because users tend to spend more time on these types of sites. In addition, because video and gaming sites are expected to have higher CPU loads, the extra processing power and energy consumed by the mining scripts is difficult to notice.

The screenshot shows CPU usage while cryptocurrency mining happens within the browser. Image source: ESET

The user never suspects malicious activity, because the rigged sites are genuinely serving the video and gaming content they came for.

Pirate Bay

Pirate Bay has also been found rigging its own site for cryptocurrency mining in recent weeks. To the astonishment of its users, Pirate Bay was caught running a cryptocurrency miner — for Monero — on select pages.

The malvertising attacks mostly affect web users in Russia and Ukraine, but it is only a matter of time before they spread globally and put pressure on ad serving companies and publishers to get ahead of this threat and protect end users.

The Breakdown

Like traditional malvertising attacks, the cryptocurrency mining operation uses multiple redirection hops and JavaScript that calls URLs on several different domains:

The first three hops just inject the script provided by the next hop. The first domain used in the redirection (skyadsvideo1[.]ru in our example) is not always the same. We also have seen code.moviead55[.]ru. Both have resolved to the same IP addresses, 167.114.238.246 and 167.114.249.120. According to Whois data for the domain skyad[.]video, whose subdomain code.skyad[.]video also resolved to the same two IP addresses, the domains seem to be related to the SkyAdVideo ad network owner.
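The write-up pivots from the script-injection chain to the hosting infrastructure: two different first-hop domains resolved to the same pair of IP addresses, and a third domain on those addresses tied the lot to one ad network. The following Python script is an added example (not code from the original article or from ESET) that automates that pivot: it refangs the `[.]`-style indicators, walks a constructed three-hop chain to collect the hosts involved, and then expands the set to every host sharing an IP with them. The hop structure, the passive-DNS table `ASSUMED_DNS` and the `198.51.100.7` address (an RFC 5737 documentation address) are assumptions; the two `167.114.*` addresses and the domain names are the ones the text reports.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of a three-hop script-injection chain: each entry is
# (URL of the script that ran, URL of the next-hop script it injected).
# Hosts are written defanged with "[.]" as in the write-up; which exact
# paths and ordering the real chain used is not stated there and is assumed.
SAMPLE_CHAIN = [
    ("https://skyadsvideo1[.]ru/ad.js", "https://lmodr[.]biz/loader.js"),
    ("https://lmodr[.]biz/loader.js", "https://listat[.]biz/counter.js"),
    ("https://listat[.]biz/counter.js", "https://listat[.]biz/miner.js"),
]

# Assumed passive-DNS table (a real pipeline would query a pDNS service).
# The two 167.114.x.x addresses are the ones the write-up reports; the
# 198.51.100.7 entry is an RFC 5737 documentation address used as a placeholder.
ASSUMED_DNS = {
    "skyadsvideo1.ru": {"167.114.238.246", "167.114.249.120"},
    "code.moviead55.ru": {"167.114.238.246", "167.114.249.120"},
    "code.skyad.video": {"167.114.238.246", "167.114.249.120"},
    "lmodr.biz": {"198.51.100.7"},
    "listat.biz": {"198.51.100.7"},
}

# Common defanging conventions: example[.]com, example(.)com, example{.}com
_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(indicator: str) -> str:
    """Turn a defanged host or URL ("skyad[.]video") back into a real one."""
    return _DEFANG.sub(".", indicator)


def host_of(url: str) -> str:
    """Extract the lowercase hostname from a (possibly defanged) URL."""
    parsed = urlparse(refang(url))
    return (parsed.hostname or "").lower()


def chain_hosts(chain):
    """Ordered, de-duplicated list of hosts touched while following the hops."""
    seen, ordered = set(), []
    for src, injected in chain:
        for host in (host_of(src), host_of(injected)):
            if host and host not in seen:
                seen.add(host)
                ordered.append(host)
    return ordered


def hosts_by_ip(dns):
    """Invert a host -> {ip} table into ip -> {host}."""
    inverted = defaultdict(set)
    for host, ips in dns.items():
        for ip in ips:
            inverted[ip].add(host)
    return inverted


def pivot_on_infrastructure(chain, dns):
    """Expand the chain's hosts to every host sharing an IP with them.

    Follows host -> ip -> host links transitively, the way an analyst pivots
    in passive DNS. Returns (hosts, ips), both sorted for stable output.
    """
    inverted = hosts_by_ip(dns)
    hosts = set(chain_hosts(chain))
    ips = set()
    frontier = list(hosts)
    while frontier:
        host = frontier.pop()
        for ip in dns.get(host, ()):
            ips.add(ip)
            for sibling in inverted[ip]:
                if sibling not in hosts:
                    hosts.add(sibling)
                    frontier.append(sibling)
    return sorted(hosts), sorted(ips)


if __name__ == "__main__":
    hosts, ips = pivot_on_infrastructure(SAMPLE_CHAIN, ASSUMED_DNS)
    print("hosts to block:", hosts)
    print("ips to block:  ", ips)
```

Note that `code.moviead55.ru` and `code.skyad.video` never appear in the sample chain; they are pulled in purely because they resolve to the same addresses, which is exactly the reasoning the text applies to identify the ad network behind the first hop. A blocklist built from the chain alone would miss the next rotation of first-hop domains.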

Over 60 websites on Google Cache were injected with the same snippet of malicious JavaScript code.

As the payoff for this attack is high, the campaign will probably continue – beyond Russian and Ukrainian sites – to the U.S. and Europe.

Get Protected

The emergence of this new malvertising threat underscores the need for specialized ad security and verification tools to detect and remove malicious scripts from ads served on the web.

GeoEdge has a specific alert for crypto-mining advertisements and will automatically spot suspicious activity before it damages your brand’s reputation and turns away users. Ask GeoEdge how we can help keep your sites, apps and users safe.

Eliana is a marketing strategist with a passion for technology and storytelling. Eliana’s work has been featured in places like Slashdot, the RSA Conference, and Facebook’s PyTorch publications. You can find more about Eliana on LinkedIn.