Stealthy Crypto-Miners Are Slipping Into Web Ads

A stealthy attack that slips cryptocurrency miners into ads on unsuspecting websites is making the rounds, according to Israeli adtech firm Spotad.

The company has an artificial intelligence (AI) system dubbed Sarah that picked up on several anomalies within advertising code across both desktop and mobile environments—further inspection showed that these seemingly legitimate ads are actually in the business of mining for Monero. Spotad explained that the trojanized ads—which are Java-enabled—attempt to con site visitors into clicking on a pop-up that would initiate the mining process.

Sarah was able to pick up on the situation by registering an odd behavior pattern, such as a lack of click-through action. After contacting the brand, it became clear that this was enabled via third-party malicious injection into otherwise legitimate ads.

Tomer Horev, chief strategy officer at Spotad and the lead on Sarah’s findings, told CoinDesk that it was just a matter of time before criminals embraced web-based mining.

"I think people identify that as the next gold rush and they will try to do everything that they can, in order to produce this kind of money,” he said. "Monero has script that can perform well on CPUs that actually reside in any desktop, laptop, and mobile device…This type of cryptocurrency has value harvesting through low-end devices.”

The campaign dovetails with a rising tide of web-based mining—and its abuse. Symantec recently determined that there has been a 34% increase in the number of mobile apps alone incorporating cryptocurrency mining code. The firm said that the catalyst appears to be the launch of a mining service in September by Coinhive.

“Despite Coinhive’s best intentions, unscrupulous operators quickly latched onto the idea of secret mining in the hope that users will not notice,” Symantec said, citing its non-transparent use on Pirate Bay, as well as potentially malicious planting of it on premium websites like Showtime and the LiveHelpNow widget. “The mining process can start quickly and quietly in the browser without anybody noticing, unless insufficient throttling is used, in which case the CPU load may max out during the users' session, which would be an easy tell-tale for end users to spot.”

To avoid being part of the problem, brands and agencies, as well as ad networks and website owners, should examine their code for malicious injection on a regular basis.

"Leveraging the power and broad reach of the digital advertising ecosystem to distribute malware or unwanted code is an ongoing issue,” said Alex Calic, chief strategist and revenue officer for The Media Trust, via email. “While cryptocurrency mining scripts are not new, their prevalence in the digital environment is definitely on the uptick. Due to the internet's dynamic nature, premium online publishers and reputable ad technology partners continuously monitor ad tags, creative, and landing pages from the user perspective to analyze the code involved in rendering the advertising experience. This proactive step helps identify and block this type of anomalous activity as it enters the digital ecosystem."

What’s Hot on Infosecurity Magazine?