A malvertising campaign was observed exploiting Google's DoubleClick network to deliver silent cryptominers on high-traffic sites.
Trend Micro researchers detected an almost 285 percent increase in the number of Coinhive miners on 24 January and started seeing an increase in traffic to five malicious domains on 18 January, according to a 26 January blog post.
Researchers spotted two different web miner scripts embedded in the pages along with a script that displays the advertisement from DoubleClick. Victims will see a legitimate advertisement while two silent cryptominers run in the background.
“We speculate that the attackers' use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices,” researchers said in the post.
Trend Micro researchers weren't the only ones to spot the problem. Independent researcher Diego Betto spotted YouTube serving ads laced with CPU-draining Coinhive Monero cryptominers late last week.
“During normal browsing on YouTube, at some point, the antivirus Avast reported something that was not good,” Betto said in a 25 January blog post. “From the Chrome Inspector it appears that one of the ads is infected and tries to load a cryptominer from Coinhive.”
Betto wasn't the only one to notice the silent cryptominers as others voiced their frustration across Twitter and other social media channels.
“Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we've been monitoring actively,” a Google spokesperson told SC Media. “We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”
Last year, CrowdStrike researchers spotted several cases in which cryptomining software halted business operations when systems and applications crashed due to the high CPU speeds, in contrast to the under-the-radar CPU cycle leeching attacks seen in earlier instances.
CrowdStrike researchers said hackers had adopted a smash-and-grab mentality and were looking to extract more profit from a high volume of system resources over a short period of time. Researchers expect cyber-criminals will look for more ways to weaponise cryptominers for both monetary gain and other malicious attacks.