Cryptocurrency Malvertising Campaign Hijacks Users’ Browsers

Oct 1st, 2017 | By | Category: Ad Operations

Another day, another malvertising attack. Cybercriminals are using malvertising to push hard-coded snippets of JavaScript code to mine for cryptocurrencies – right within an unsuspecting user’s web browser. Distribution is being expanded to file-sharing websites and unsuspecting downloaders are getting infected.  

The attack is particularly clever in that the cryptocurrency mining is done directly within the web browser when the victim browses to certain booby-trapped websites. Unlike similar attacks, there is no need to use any exploits or malware to infect the computer. Instead, a victim surfing the web with JavaScript enabled in the browser is essentially robbed of processing power to generate digital currencies.

The attackers are mining for three types of alternative cryptocurrencies —  Monero, Litecoin and Feathercoin —  that were inspired by the more popular Bitcoin.   

Using malvertising to mine for cryptocurrencies can be incredibly profitable for cyberattackers.  For example, a single Monero currently trades for $96 while Litecoin prices on public exchanges are listed at $53.

In a separate operation run by a different set of attackers, another campaign mining for ZCash (currently trading at $177) did not use malicious ads but instead hosted the JavaScript mining code on the rigged site.

The JavaScript code snippets used to power the browser-based mining operation were distributed via malvertising: the attackers bought traffic from an ad network and served malicious JavaScript instead of a traditional advertisement.

“In this particular case, we are not sure if the injection of the script was intended or if listat[.]biz was compromised. However, listat[.]biz is really suspicious as it seems to mimic LiveInternet counter (LI stat), which is a legitimate web counter. Moreover, many suspicious domains have been registered with the same email address, including lmodr[.]biz, which is also present in the malvertising chain,” according to ESET researcher Matthieu Faou.

Thoughtful in execution, the malicious rigged websites were all serving video streaming content or were in-browser gaming sites. This allowed the attackers to stay under the radar because computer users tend to spend more time on these types of websites. In addition, because video and gaming sites are expected to have higher CPU loads, the power consumption of the cryptocurrency mining scripts would be difficult to detect.

Screenshot shows CPU usage while the cryptocurrency mining happens within the browser. Image source: ESET

The user never suspects malicious activity because the maliciously rigged sites are serving video and gaming content.

Pirate Bay has also been found guilty of rigging its own site for cryptocurrency mining in recent weeks. To the astonishment of its users, Pirate Bay has been caught running a cryptocurrency miner — for Monero — on select pages.

The malvertising attacks affect web surfers mostly in Russia and Ukraine but it’s only a matter of time before it spreads globally and puts pressure on ad serving companies and publishers to get ahead of this threat to protect end users.

Like traditional malvertising attacks, the cryptocurrency mining operation uses multiple redirection hops and JavaScript that calls URLs from multiple domains:

The first three hops just inject the script provided by the next hop. The first domain used in the redirection (skyadsvideo1[.]ru in our example) is not always the same. We have also seen code.moviead55[.]ru. Both have resolved to the same IP addresses, 167.114.238.246 and 167.114.249.120. According to Whois data for the domain skyad[.]video, whose subdomain code.skyad[.]video also resolved to the same two IP addresses, the domains seem to be related to the SkyAdVideo ad network owner.
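As an added example (not code from the article, ESET or GeoEdge), the following Python reconstructs the script-injection chain from proxy-style records and flags the traits the article describes: a long run of chained script hosts, domains named in the report, and distinct ad domains resolving to the same IP addresses. Only the two IPs and the four domain names from the article are taken from the page; every `.example` host, the 203.0.113.x/198.51.100.x addresses and the `MAX_BENIGN_HOPS` threshold are constructed assumptions.

```python
from collections import defaultdict, deque

# Indicators named in the article. Everything else below is constructed sample data
# for this example, not data captured from the campaign.
KNOWN_HOP_IPS = {"167.114.238.246", "167.114.249.120"}
WATCHLIST = {"listat.biz", "lmodr.biz"}
MAX_BENIGN_HOPS = 3  # assumed threshold: longer script chains get flagged

# Constructed proxy records: (referrer host, host of the script it loaded, resolved IP).
SAMPLE_RECORDS = [
    ("video-site.example", "skyadsvideo1.ru", "167.114.238.246"),
    ("skyadsvideo1.ru", "hop2.example", "203.0.113.10"),
    ("hop2.example", "listat.biz", "203.0.113.11"),
    ("listat.biz", "lmodr.biz", "203.0.113.12"),
    ("lmodr.biz", "miner-host.example", "203.0.113.13"),
    ("gaming-site.example", "code.moviead55.ru", "167.114.238.246"),
    ("news-site.example", "cdn.example", "198.51.100.5"),
    ("cdn.example", "analytics.example", "198.51.100.6"),
]

def script_chain(records, page_host):
    """Breadth-first walk of the script loads triggered by page_host, in load order."""
    loads = defaultdict(list)
    for src, dst, _ in records:
        loads[src].append(dst)
    order, queue, seen = [], deque([page_host]), {page_host}
    while queue:
        host = queue.popleft()
        for nxt in loads[host]:
            if nxt not in seen:
                seen.add(nxt); order.append(nxt); queue.append(nxt)
    return order

def assess_page(records, page_host):
    """Return (chain, reasons); reasons is empty when nothing resembles the campaign."""
    chain = script_chain(records, page_host)
    ip_of = {dst: ip for _, dst, ip in records}
    reasons = []
    if len(chain) > MAX_BENIGN_HOPS:
        reasons.append(f"{len(chain)} chained script hosts")
    for host in chain:
        if host in WATCHLIST:
            reasons.append(f"{host} is on the watchlist")
        if ip_of.get(host) in KNOWN_HOP_IPS:
            reasons.append(f"{host} resolves to known ad-chain IP {ip_of[host]}")
    return chain, reasons

def domains_sharing_ips(records):
    """Infrastructure pivot: IPs that more than one distinct script host resolves to."""
    by_ip = defaultdict(set)
    for _, dst, ip in records:
        by_ip[ip].add(dst)
    return {ip: hosts for ip, hosts in by_ip.items() if len(hosts) > 1}
```

The same pivot works on real proxy or DNS logs once the records are reduced to (referrer, loaded host, resolved IP) triples.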

Over 60 websites on Google Cache were injected with the same snippet of malicious JavaScript code. 

As the payoff for this attack is high, the attack will probably continue – beyond Russian and Ukrainian sites – to the U.S. and Europe.

Get Protected!
The emergence of this new malvertising threat underscores the need for specialized ad security and verification tools to detect and remove malicious scripts from ads served on the web.

GeoEdge has a specific alert for crypto-mining malvertisements and will automatically spot suspicious activity before it damages your brand’s reputation and turns away users. Ask GeoEdge how we can help keep your sites, apps and users safe.
