Security researchers from the Chinese antivirus vendor Qihoo 360 have discovered an advertising network called PopAds, that uses its own platform to mine cryptocurrencies in browsers from internet users without their consent. The network is active since December last year. It uses specific methods to bypass the Adblock ad blocker.
The advertising network normally shows advertisements on websites, however, in this case the network also uses the computers of ignorant website visitors to mine for cryptocurrencies. This is also known as cryptojacking. It’s unclear whether the advertising network secretly adds cryptomining-code to advertisements of its advertisers, or that it uses its own advertisements.
It’s, however, clear that the advertising network utilizes a specific method to bypass the popular ad blocker, AdBlock. The method is called ‘Domain Generation Algorithm’, which can be used to generate loads of random domains. This should make it hard for Adblock to detect the cryptominer. On computers without Adblock, the advertising network will load ads from the domain serve.popads.net. In case Adblock is detected, the code is loaded from a randomly named domain such as e.g.tncexvzu.com. From these domains the cryptocurrency mining scripts are loaded that utilize the website visitor’s computer resources to mine for the cryptocurrency Monero.
Because the domain names change so frequently, it’s hard for Adblock to keep adding the domains to their block list.
So far, the cryptominer script appears to be mainly added to advertisements on porn sites, according to analysis from Qihoo 360.