A blog post on September 14, 2017, by ESET malware researcher Matthieu Faou revealed that an actor, or set of actors, has been using “malvertising” to harness the computing power of unsuspecting visitors to certain websites for the purpose of mining altcoins.
The term “malvertising” refers to the practice of delivering malicious code to a website via an online ad network without the victim actually downloading anything to the affected device. Advertising network operators are unaware of the malicious content being sent to websites on the network. The content contains code that can adversely impact the browsing experiences of these sites’ users and potentially even put their privacy at risk.
In this particular attack, whose victims seem to be concentrated in Russia, Ukraine, and to a lesser extent Belarus, Kazakhstan, and Moldova, the malvertising hijacks the victim’s browser to mine altcoins while the victim is browsing the affected web page. Once the victim navigates away, the mining stops, because no malware was actually downloaded to the device. This is noteworthy because downloadable malware is the preferred mechanism by which cybercriminals use the computing power of others to mine for themselves.
While certain cryptocurrencies like bitcoin now require specialized hardware to mine them effectively, Feathercoin and Litecoin, two of the cryptocurrencies sought by the perpetrator(s) of this attack, are designed to be minable via regular CPUs. Faou’s post revealed that all the Feathercoin malvertising scripts analyzed by the ESET team contained a single wallet address, suggesting a single perpetrator or group of perpetrators. The other cryptocurrency mined in these attacks, Monero, is among the most anonymous of cryptocurrencies, and thus the team could not ascertain whether all the Monero mined through these attacks was sent to a single wallet.
These malvertisements appeared primarily on video streaming and gaming sites, where users could be expected to spend longer-than-average periods of time on a single page viewing data-heavy content that tends to temporarily impact processing speed. This allows for more mining time and reduces the possibility that users notice their machines running slowly as a result of the mining. Faou also posits that the relatively narrow geographical distribution of victims is most likely a consequence of “the language of the websites in which the scripts are injected.”
Attacks harnessing victims’ computing power for mining purposes are not without precedent. As ETHNews reported less than two months ago, a security breach at San Francisco State University saw a number of malware files, including bitcoin mining software, end up on the school’s servers. Bryan Seely, an ethical hacker who originally notified SFSU of the vulnerability, told ETHNews that while it’s unclear whether all the machines on the network (including students’ personal devices) were affected by the hack, the school’s servers alone were powerful enough to run a substantial mining operation.
Additionally, in 2015, the New Jersey Division of Consumer Affairs settled with a team of MIT students who had developed a piece of software called Tidbit, which enabled websites to embed code that would conscript visitors’ computers to mine bitcoin on the websites’ behalf whenever those visitors loaded a page featuring the code. Though the Tidbit team’s intent was not considered to be malicious, they nonetheless agreed to a $25,000 settlement, which was to be vacated after two years if they refrained from illegally accessing computers in New Jersey during that period.
Finally, as ETHNews reported earlier this week, the Russian cybersecurity firm Kaspersky announced that, between January and August of this year, its products protected 1.65 million users from malicious mining software. The company also claimed to have discovered one culprit botnet that was responsible for mining cryptocurrency to the tune of over $30,000 each month.