Attackers Distribute Crypto-Currency Miners Via DoubleClick Ad Network

Ads containing Coinhive's miner were distributed via Google's ad network to users in several countries, Trend Micro says.

DoubleClick Crypto-Currency Mining Malware

Researchers at Trend Micro this week uncovered a malware campaign that used Google's DoubleClick ad network to distribute crypto-currency miners on systems belonging to Internet users in France, Spain, Italy, Japan and other countries. 

Trend Micro noticed the campaign on Jan. 24 and informed Google about the problem. Traffic related to the campaign has fallen since then, the security vendor said in a Jan. 26 advisory

In a statement emailed to eWEEK, a Google spokesman acknowledged the issue and said the company had already addressed the problem. "Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively," the spokesman said. 

"We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms," he added. 

Crypto-currency mining is a process where a large network of computers working collectively is used to perform complex calculations required to generate new units of crypto-currencies such as Bitcoin, or to verify new transactions in a blockchain. People who knowingly share their machine's resources for crypto-currency mining receive a monetary reward for each transaction. 

Because it is so computationally intensive, crypto-currency mining especially in currencies like Bitcoin, typically requires specialized hardware with plenty of processing power. Running a mining tool on a regular computer can heavily consume processor resources and severely degrade performance even to the point blocking its owner from using the machine productively. 

However, cyber-criminals have recently taken to distributing mining tools, via infected websites and other means to end-user systems. 

Cyber-criminals are linking compromised machines into large crypto-currency mining botnets cyber-security software company Kaspersky Lab noted in a report last year.  A single cryptocurrency mining botnet can net criminals at least $30,000 per month, the vendor had estimated at the time. 

In the campaign that Trend Micro uncovered this week, cyber-criminals found a way to abuse Google's DoubleClick ad network to distribute mining malware. DoubleClick basically serves ads on behalf of clients to Internet users around the world. 

In this particular instance, the authors of the malware campaign used DoubleClick to distribute advertisements containing Coinhive, a mining tool for the Monaro crypto-currency, to users in multiple countries. Also embedded in the malicious advertisements was a separate miner that connected to what Trend Micro described as a private pool. 

According to Trend Micro, it found several high-traffic websites displaying ads containing the two mining tools. A script in the malicious advertisements caused them to display normally on Web pages hosting the ads while the miners ran in the background. 

"We speculate that the attackers’ use of these advertisements on legitimate websites is a ploy to target a larger number of users," the security vendor said in its alert. The mining tools were configured to consume as much as 80 percent of an infected computer's CPU resources for mining. 

On Jan. 24th Trend Micro says it detected a nearly 285 percent increase in traffic containing Coinhive miners as a result of the malvertising campaign via DoubleClick. Traffic containing the miners has decreased since then, the company noted.

Jaikumar Vijayan

Jaikumar Vijayan

Vijayan is an award-winning independent journalist and tech content creation specialist covering data security and privacy, business intelligence, big data and data analytics.