Google's DoubleClick was used to mine Monero

Hackers Exploit Google’s DoubleClick Ad Network to Mine Monero

Google’s DoubleClick ad network, which develops and provides internet ad services for distribution, was recently hijacked to mine Monero (XMR) on high-traffic websites. According to cybersecurity firm TrendMicro, Google’s network was using JavaScript created by Coinhive. It was also using a separate web miner, that connects to a private pool.

Per the cybersecurity firm, affected countries include Japan, France, Taiwan, Italy, and Spain. The problem was detected as Trend Micro noticed a 285% rise in the number of Coinhive miners, affecting five different domains. Upon close examination, researchers found the traffic was coming from DoubleClick’s advertisements.

Affected web pages would show the advertisement as usual, but the embedded Monero miners would run in the background. TrendMicro suspects the attackers used these ads in order to affect a large number of users, instead of just using compromised machines. DoubleClick was exploited from January 18, to January 24. Then, cryptocurrency mining-related traffic started to decline.

The compromised ads contained a JavaScript code that generated a random variable number between one and 100. When the variable was above 10, it would use 80% of users’ CPU power to mine Monero using Coinhive’s script. This occurs 90% of the times. When it didn’t, a private web miner launched, and again used 80% of the user’s CPU resources to mine the privacy-centric cryptocurrency.

The firm’s report notes that the private miner was used to bypass fees. Coinhive charges a 30% fee when its miner is used. The report reads:

“After de-obfuscating the private web miner called mqoj_1.js, there will be a JavaScript code that is still based on Coinhive. The modified web miner will use a different mining pool at wss[:]//ws[.]l33tsite[.]info[:]8443. This is done to avoid Coinhive’s 30% commission fee.

Monero mining attacks can be avoided

It looks like no platform is safe from the ongoing cryptojacking trend. As reported by Core Media, even YouTube saw its ads run cryptocurrency mining code at one point. Facebook messenger was previously infected with a mining botnet that affected its users.

This doesn’t mean users can’t defend themselves. Most anti-malware programs already block cryptocurrency-mining scripts. Browsers like Opera and Brave have built-in tools that prevent code from using your CPU to mine Monero.