Cryptocurrency miners have taken advantage of a malvertising campaign to distribute Coinhive and another web miner according to security vendor Trend Micro. The tools were being used to mine cryptocurrency Monero. The attackers were able to take advantage of Google’s DoubleClick ad platform to do this distribution for them. As a result they appeared on a number of high traffic sites including some YouTube pages.
This is not the first time that DoubleClick has been used to distribute malvertising. Back in 2014, Malwarebytes reported that sites such as Last.fm, The Times of Israel and The Jerusalem Post had been affected by another malvertising campaign. That campaign saw users being infected by the Nuclear Exploit Kit.
Trend Micro says that its: “Smart Protection Network shows affected countries include Japan, France, Taiwan, Italy, and Spain. We have already disclosed our findings to Google.”
In a statement from Google, the company said: “We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”
Google also has its own malvertising team. Why it didn’t detect this attack before Trend Micro will raise questions.
What did the cryptocurrency mining software do?
There are two different pieces of mining software being used here. 90% of the attacks used the Coinhive software to mine Monero. Interestingly, 10% use a private web miner. Once activated, both pieces of software attempted to steal 80% of the CPU capacity on the infected machines.
This should have been noticed by the users as it would have slowed down other applications. It would also have forced the fans to kick in on the machines as the CPUs got hotter and hotter. Excessive heat can cause machine and device failure. In December, Kaspersky reported on the Loapi Trojan for Android devices. This reportedly caused devices to overheat and even melt.
Is cryptocurrency mining an alternative to ads on webpages?
This is a route that several websites are exploring. Ads are the primary way the Internet monetises itself. For many sites there is no alternative option. However, there is an increasing number of sites interested in experimenting with cryptocurrency mining. What they want is to use your CPU to do mining while you are connected to their site.
The problem is that none of the sites that ET has looked at who are trying this, bother to ask to visitor if they mind. It is an approach that leads visitors to believe it is dishonest and unreasonable. Ironically, many of those visitors would probably like to read articles without pop-up ads being served to their computers.
The challenge is how to make this work with the agreement of the visitors. Is a simply request to use their CPU while on the site good enough? What if the users visits several sites using Coinhive? Is it possible to easily stop and start the mining process and know who is using the CPU at any point in time?
What does this mean?
DoubleClick and the other large ad platforms are key targets for those using malvertising. They enable their code to get past a lot of security software and directly onto the machines of millions of users. There is a lot of money being invested in this. Last week Confiant exposed the Zirconium malvertising campaign which consisted of over 28 fake ad agencies, an ad platform, a payment processor and a stake in a cryptocurrency exchange. That campaign served up 1 billion ad impressions in 2017 which demonstrates the scale of this problem.
One possible solution that has been promoted is blockchain. However, there are a number of technical and other hurdles to be overcome before this can be considered realistic.
If we want a free Internet then we have to accept advertising and all that is good and bad. The key is to be careful on what you click on and the keep device security solutions up to date.