Monday 05 March 2018

Crypto-mining, adblock-avoiding ad network is simply horrible

An ad network called Popad has not just been circumventing users' ad-blocking software; it has also been found to be mining cryptocurrencies by placing concealed malware on users' computers.


According to the blog of Chinese cybersecurity company Netlab 360, this motley bunch of cretins has been operating for quite some time. In the summer of 2017, the company was found to be generating random domain addresses in order to bypass popular adblockers. Popad had been using Domain Generation Algorithms (DGAs), which are programs that automatically register tons of seemingly nonsensical domains in order to keep one step ahead of adblockers which deny specific domain names. It's a simple but often effective way to get around blocking. A GitHub page lists all of these nonsensical ads.

From last December, Popad started to exploit this technology for the additional purpose of mining cryptocurrencies in the client browser. This is, of course, not specific to Popad: many nefarious people and organisations have recently been caught doing this, often through JavaScript. Popad's strategy was the same as most others, in that it used the CoinHive miner Trojan. CoinHive comprises a script, coinhive.min.js, which uses the spare CPU capacity in the user's browser to mine crypto. This is not illegal in and of itself; the JavaScript is published to GitHub, and CoinHive is a business which sells itself as a way to monetise user engagement through end-user crypto mining. The only difference in the case of Popad was that the mining was for Popad's rather opaque benefit. Indeed, Netlab's testing of Popad's DGA domains saw browser CPU usage hit 100%.
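To show why a static domain blocklist misses DGA-hosted ad scripts while a check on the script itself still catches the miner, here is an added example that is not from Netlab or the original article. The blocklist entry, the sample URLs and the entropy/vowel heuristic are all constructed assumptions.

```javascript
// Constructed static blocklist, standing in for an ad blocker's domain list.
const BLOCKLIST = new Set(["ads.example.net"]);

// Shannon entropy in bits per character.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce(
    (h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

// Heuristic (an assumption, not Netlab's method): a long, vowel-poor,
// high-entropy label below the TLD looks machine-generated.
function looksGenerated(host) {
  return host.toLowerCase().split(".").slice(0, -1).some((label) => {
    if (label.length < 10) return false;
    const vowels = (label.match(/[aeiou]/g) || []).length;
    return entropy(label) >= 3.0 && vowels / label.length < 0.3;
  });
}

// Classify one <script src> URL and record every reason it was flagged.
function classifyScript(src) {
  let url;
  try { url = new URL(src); } catch { return { src, verdict: "invalid", reasons: [] }; }
  const reasons = [];
  if (BLOCKLIST.has(url.hostname)) reasons.push("blocklisted-domain");
  if (/(^|\/)coinhive\.min\.js$/i.test(url.pathname)) reasons.push("miner-script-name");
  if (looksGenerated(url.hostname)) reasons.push("generated-looking-host");
  return { src, verdict: reasons.length ? "block" : "allow", reasons };
}

// Constructed sample script URLs (reserved example domains, not real indicators).
const SAMPLE = [
  "https://ads.example.net/banner.js",
  "https://xkqzvbwtrplm.example/serve.js",
  "https://hjwqpzkvtnbx.example/lib/coinhive.min.js",
  "https://documentation.example.org/app.js",
];

for (const r of SAMPLE.map(classifyScript)) {
  console.log(r.verdict.padEnd(6), r.reasons.join(",") || "-", r.src);
}
```

The second sample is the DGA case: the blocklist alone would have allowed it, and only the hostname heuristic flags it.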

Thankfully, the network was only used by a few low-traffic websites (Not us - Ed) so the masses were perhaps less likely to be exploited in this way. However, Popad's rather easy way of deploying these technologies suggests two things. The first is that pretty much anyone can do it. The second is that, perhaps like BitTorrent, there will be more, er, legitimate ways in the future in which this business model can be exploited. Could you be given Nectar points, for example, by mining them through your computer's CPU, as long as Nectar promises a given CPU usage ceiling below 100%?

Perhaps the most troublesome point to make about this affair was that some of Popad's dodgy sites received an Alexa rating of 2000.

