An advertising network is hiding in-browser cryptocurrency miners (cryptojacking scripts) in the ads it serves on customer sites, and has been doing so since December 2017, according to revelations made over the weekend by the Qihoo 360 Netlab team.
Further, this malicious advertising network has also found an efficient trick for evading users with ad blockers, a trick it uses to make sure both its ads and the cryptojacker reach all intended targets.
Malware strains, mostly banking trojans, use domain generation algorithms (DGAs) to generate unique domain names for each day, to which infected hosts connect to receive new commands from the main command and control (C&C) server.
DGAs are highly efficient because only the malware's author knows how the DGA algorithm works, and they register domains in advance, knowing the malware will connect to them at a point in the future. When security researchers break DGA algorithms, this usually helps authorities take over the malware's infrastructure.
DGA.popad, too, uses a DGA to generate new domains at regular intervals. These domains serve as a backup in case users who view the network's ads are using an ad blocker. Below is what Netlab researchers spotted in the ad network's behavior.
The DGA is extremely efficient in this case because by the time ad blockers detect the new domains from which ads are served, the ad network's DGA has already generated new domains to use. This means the ad network has a fresh supply of domains not yet blacklisted on ad blocker lists.
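To make the blocklist-lag problem concrete, here is an added example (not code from the article or from Netlab, and not DGA.popad's actual algorithm, which the article does not describe). It uses a constructed, deliberately simple time-seeded DGA, shows that a blocklist built from one day's observed domains stops none of the next day's, and then shows the defender's answer from the paragraph above: once the algorithm and seed are known, the coming days' domains can be published before the network starts using them. A rough lexical triage heuristic is included as well; the seed, TLDs, start date and all domain names are constructed values.

```python
from __future__ import annotations

import hashlib
import math
from collections import Counter
from datetime import date, timedelta

# Constructed, deliberately simple time-seeded DGA used only to illustrate the
# mechanism. It is NOT the algorithm used by DGA.popad. The seed (a secret plus
# the calendar day) is what a DGA author keeps private so that only they can
# pre-register the right domains.
SECRET = b"illustrative-seed"            # constructed value, not from the campaign
TLDS = ["com", "net", "xyz"]             # constructed choice of TLDs
DOMAINS_PER_DAY = 5
START_DAY = date(2017, 12, 1)            # constructed; the article only says "December 2017"


def day_offset(n: int) -> date:
    """Calendar day n days after START_DAY (helper for the demo and tests)."""
    return START_DAY + timedelta(days=n)


def generate_domains(day: date) -> list[str]:
    """Derive the day's domains from SHA-256(secret || date || counter)."""
    domains = []
    for i in range(DOMAINS_PER_DAY):
        digest = hashlib.sha256(SECRET + day.isoformat().encode() + bytes([i])).digest()
        # Map the first 12 digest bytes onto lowercase letters for the label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def coverage(blocklist: set[str], domains: list[str]) -> float:
    """Fraction of `domains` that a blocklist would stop (1.0 = all of them)."""
    return sum(d in blocklist for d in domains) / len(domains)


def static_blocklist(day: date) -> set[str]:
    """What a list maintainer can publish after observing one day's traffic."""
    return set(generate_domains(day))


def predictive_blocklist(start: date, days_ahead: int) -> set[str]:
    """Once the algorithm and seed are known, defenders can pre-compute the
    domains for upcoming days and block them before they go live."""
    out: set[str] = set()
    for n in range(days_ahead + 1):
        out.update(generate_domains(start + timedelta(days=n)))
    return out


def shannon_entropy(label: str) -> float:
    """Bits per character of the label's letter distribution."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain: str, min_len: int = 10, min_entropy: float = 3.0,
                    max_vowel_ratio: float = 0.3) -> bool:
    """Rough lexical triage: long, high-entropy, vowel-poor labels are typical
    of hash-based DGA output. A heuristic only: it misses short or
    dictionary-word DGAs and will flag some legitimate names."""
    label = domain.split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


if __name__ == "__main__":
    today, tomorrow = day_offset(0), day_offset(1)
    print("day 0:", generate_domains(today))
    print("day 1:", generate_domains(tomorrow))
    print("static list (day 0) coverage on day 1:    ",
          coverage(static_blocklist(today), generate_domains(tomorrow)))
    print("predictive list (7 days) coverage on day 1:",
          coverage(predictive_blocklist(today, 7), generate_domains(tomorrow)))
    print("lexical flag on day 1 domains:", [looks_generated(d) for d in generate_domains(tomorrow)])
```

The static list scores 1.0 against the day it was built from and 0.0 against the next day, which is the lag the paragraph describes; the predictive list scores 1.0 on the next day because it was derived from the reversed algorithm rather than from observed traffic. The lexical heuristic is there to show why DGA-style pop-under domains can often be triaged before any list catches up, but it is noisy and should gate review, not blocking.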
According to Netlab researchers, some of the random domains generated by the ad network's DGA get so much traffic that one of them entered the Alexa Top 2,000.
Most of the ads served by this ad network are found on sites that offer free downloads or adult content. This is no surprise as Netlab previously discovered that almost half of all cryptojacking scripts (in-browser Monero miners) are deployed on porn sites.
DGA.popad deploying anti-ad-blocker technologies is no surprise either. Recent research shows that website owners have had enough of users with ad blockers and the financial losses they cause. According to recent research, almost 9% of the Alexa Top 5,000 sites deploy anti-adblock scripts that prevent users from accessing content unless they disable their ad blockers.
DGA.popad may be the first ad network to use a DGA to bypass ad blockers, but it's not the first criminal operation that found a way around ad blockers. A malvertising operation known as RoughTed has been known to bypass ad blockers via various techniques since early 2017.