Crooks are currently deploying this technique on Russian and Ukrainian websites, but expect this trend to spread to other regions of the globe.
Cryptocurrency mining operations are notoriously resource-intensive and tend to slow down a user's computer. To avoid raising suspicion, crooks delivered malicious ads mainly on video streaming and browser-based gaming sites.
Both types of sites use lots of resources, and users wouldn't get suspicious when their computer slowed down while accessing the site. Furthermore, users tend to linger more on browser games and video streaming services, allowing the mining script to do its job and generate profits for the crooks.
Crooks appear to have used only the Monero mining feature. The Litecoin miner configuration was left blank, while the Feathercoin miner was left in its default config, using the same Feathercoin address from this demo page hosted on GitHub.
Based on the number of DNS lookups for domains associated with the Monero-mining campaign, ESET says the malvertising domains received as much DNS lookup traffic as GitHub's Gist service.
The good news is that users can protect themselves against surreptitious JS-based cryptocurrency miners hidden in ad code by using an ad blocker.
The mining operation also stops once users leave the site, and no extra clean-up is needed to remove malware from computers.
Browser-based miners aren't anything new. The Bitp.it service experimented with something like this in 2011, but the service eventually shut down.
In 2015, the New Jersey Attorney General’s office shut down a company called Tidbit that was offering website owners a way to mine cryptocurrency on the computers of site visitors. Authorities argued that this was illegal, on the same level as hacking, because Tidbit or website owners didn't ask for specific permission to carry out such intrusive operations.
Cryptocurrency mining is a lucrative business for malware authors. According to a recent report, at least 1.65 million computers have been infected with cryptocurrency mining malware this year so far.
Security researchers can find a breakdown of the malvertising infection chain, along with indicators of compromise, in ESET reports available here.
Image credits: Pixeden, ESET, Bleeping Computer