MSN cryptojacking

For three days between March 25 and March 27, a malicious actor has poisoned an important advertising network and used its services to deliver a cryptojacking script to multiple websites, including Microsoft's MSN portal.

Trend Micro, the cyber-security firm which spotted the event, says that by planting their in-browser cryptocurrency miner on a high-trafficked site like MSN, crooks managed to double the number of cryptojacking scripts from March 24 to March 25, detections going up by 108%.

Fortunately, the event was contained only to MSN's Japan portal, otherwise, the incident would have been much worse.

Cryptojacking script injected via AOL ad platform

"The malicious script was injected on advertising.aolp.jp, the AOL advertising platform," said Trend Micro.

Crooks leveraged the platform to deliver malicious code inside ad slots that caused users' browsers to load another JavaScript file from the attacker's domain.

This domain contained an in-browser cryptocurrency miner that utilized users' CPU resources to mine the Monero cryptocurrency. Users affected by the incident saw sudden spikes in CPU usage and their PC slowing down while visiting affected sites.

Over 500 sites affected

Experts said they tracked the malicious ads to more than 500 sites, with the most high-profile being the MSN Japan portal.

The malicious ads loaded the cryptojacking script from the domain www[.]jqcdn[.]download, registered a week before the attack.

The script was a version of the legitimate Coinhive in-browser mining service but obfuscated to avoid easy detection. Crooks used a newly registered domain to avoid loading the script off Coinhive's main domain, which is already blacklisted by antivirus software, ad-blocking extensions, and anti-cryptojacking add-ons. Crooks also used a private pool to avoid paying fees to public pools.

MSN is not the only high-profile site affected by the cryptojacking pest. Past victims include YouTube, Starbucks, Showtime, and LA Times.

Related Articles:

Coinhive Raking In Over $250,000 per Month From In-Browser Cryptomining

Massive Coinhive Cryptojacking Campaign Touches Over 200,000 MikroTik Routers

First-Ever Person Sentenced for Malicious Use of Coinhive Library

Sixteen Arrested After Deploying Coinminers Across Internet Cafes in 30 Cities

Cryptojacking Campaign Employs Deleted GitHub Account and Unofficial GitHub CDN