Security vendor ESET reports of a new technique cybercriminals are utilising to generate funds. By purchasing traffic from an advertising network, they’re able to distribute malvertising (malicious ads) that utilise many victims’ computers to mine crptocurrency.
By combining JavaScript and cryptocurrency mining, those perpetrating such attacks are able to operate without actually hacking any machines at all. The adverts selected for the scam are predominately video streaming and in-browser gaming websites. It’s supposed that those using such pages are more likely to remain on the same site for a longer period of time, and thus mining more cryptocurrencies for the criminal ring. It’s also likely these types of pages are chosen because users of the types of sites will expect some increase in CPU activity when streaming a video or playing a game. They will, therefore, be less able to discern their machine performing poorly as a result of the resource drain cryptocurrency mining has on computers. Finally, the chosen sites are also immensely popular. The one which ESET found with the most malicious ad impressions was ranked 907 in Russian, and 233 in Ukraine. Other sites chosen are similarly popular in Eastern Europe.
Since home computer users don’t run the kind of chips required to mine Bitcoin profitably, the cybercriminals responsible are using easier to mine cryptos. Most notable are ZCash, Litecoin, and Monero. These coins require much less computing power than typically associated with large-scale BTC mining operations.
ESET notes that malvertising is usually prohibited by the majority of networks because of how CPU-intensive it is, and the effects it has on the general user experience. At present, it remains unclear whether those networks distributing the ads and games have been compromised, or are themselves usurping their victims’ computing power for their own gain.
ESET also reported a geographical pattern emerging amongst cases involving malvertising, with most examples coming from Eastern Europe — and particularly Russia.
The security company named the particular scripts used as JS/CoinMiner.A. They offer protection to their suite users through the use of potentially unsafe app detection methods. Meanwhile, they recommend those that do not use ESET products use a correctly-configured script or ad blocker. This should stop Javascript miners from running.