
An advertising network is hiding in-browser cryptocurrency miners (cryptojacking scripts) in the ads it serves on customer sites, and has been doing so since December 2017, according to revelations made over the weekend by the Qihoo 360 Netlab team.

Further, this malicious advertising network has also found an efficient trick for evading users with ad blockers, a trick it uses to make sure both its ads and the cryptojacker reach all intended targets.

Ad network borrows well-known malware trick

The advertising network —whose identity researchers did not reveal but only referred to as DGA.popad— uses a trick normally utilized by malware families —namely a domain generation algorithm (DGA).

Malware strains —mostly banking trojans— use DGAs to generate unique domain names for each day to which infected hosts connect to receive new commands from the main command and control (C&C) server.

DGAs are highly efficient because only the malware's author knows how the DGA algorithm works, so the author can register domains in advance, knowing the malware will connect to them at a point in the future. When security researchers break DGA algorithms, this usually helps authorities take over the malware's infrastructure.

How the ad network uses DGAs

DGA.popad, too, uses a DGA to generate new domains at regular intervals. These domains serve as a backup in case users who view the network's ads are using an ad blocker. Below is what Netlab researchers spotted in the ad network's behavior.

Users don't use an ad blocker:
- Users get ads from the ad network's main domains
- Ad network also deploys a copy of the Coinhive in-browser Monero miner

Users use an ad blocker:
- Users' ad blockers block ads from the ad network's main domain
- Ad network loads ads from an alternative domain generated by the DGA
- Ad network also deploys a copy of the Coinhive in-browser Monero miner

The DGA is extremely efficient in this case because by the time ad blockers detect the new domains from which ads are served, the ad network's DGA has already generated new domains to use. This means the ad network always has a fresh supply of domains not yet blacklisted on ad blocker lists.
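The fallback pattern described above (a blocked request to a known ad domain, followed by a request to a freshly generated domain) is something a defender can look for in DNS or proxy logs. The following is an added example written for this article, not code from the Netlab report or from the ad network; the blocklist entry, the log format, the client addresses and the entropy and length thresholds are all constructed assumptions.

```python
import math

# Constructed blocklist: the ad network's known primary ad domain (placeholder name).
BLOCKLIST = {"ads.example-adnet.test"}

# Constructed log lines in the form "<timestamp> <client> <domain> <action>".
# One client hits the blocked ad domain and then fetches a random-looking domain.
LOG_LINES = """\
100 10.0.0.5 ads.example-adnet.test BLOCKED
103 10.0.0.5 xk3f9qz2mvl7.test ALLOWED
105 10.0.0.5 cdn.news-site.test ALLOWED
200 10.0.0.9 cdn.news-site.test ALLOWED
205 10.0.0.9 mail.example.test ALLOWED
"""


def shannon_entropy(s):
    """Bits of entropy per character in the string (higher = more random-looking)."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_generated(domain):
    """Heuristic (assumed thresholds): long, high-entropy, vowel-poor first label."""
    label = domain.split(".")[0]
    vowels = sum(label.count(v) for v in "aeiou")
    return len(label) >= 10 and shannon_entropy(label) >= 3.0 and vowels / len(label) < 0.3


def find_fallback_sequences(lines, window=10):
    """Return (client, blocked_domain, fallback_domain) triples: a client was
    blocked on a listed ad domain and, within `window` seconds, requested a
    domain that looks algorithmically generated."""
    last_block = {}   # client -> (timestamp, blocked domain)
    hits = []
    for line in lines.strip().splitlines():
        ts, client, domain, action = line.split()
        ts = int(ts)
        if action == "BLOCKED" and domain in BLOCKLIST:
            last_block[client] = (ts, domain)
        elif client in last_block and ts - last_block[client][0] <= window \
                and looks_generated(domain):
            hits.append((client, last_block[client][1], domain))
    return hits


if __name__ == "__main__":
    for client, blocked, fallback in find_fallback_sequences(LOG_LINES):
        print(f"{client}: blocked {blocked}, then loaded DGA-like {fallback}")
```

Flagged domains are candidates for adding to a local blocklist and for checking whether the page they came from also loads an in-browser miner.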

DGA.popad is a massive operation

According to Netlab researchers, some of the random domains generated by the ad network's DGA get so much traffic that one of them entered the Alexa Top 2,000.

Most of the ads served by this ad network are found on sites that offer free downloads or adult content. This is no surprise as Netlab previously discovered that almost half of all cryptojacking scripts (in-browser Monero miners) are deployed on porn sites.

DGA.popad deploying anti-ad-blocker technologies is no surprise either. Recent research shows that website owners have had enough of users with ad blockers and the financial losses they cause. According to that research, almost 9% of the Alexa Top 5,000 sites deploy anti-adblock scripts that block users' access to content unless they disable their ad blockers.

DGA.popad may be the first ad network to use a DGA to bypass ad blockers, but it's not the first criminal operation that found a way around ad blockers. A malvertising operation known as RoughTed has been known to bypass ad blockers via various techniques since early 2017.
