Hackers compromise AOL advertising platform to mine cryptocurrency

The IT security researchers at Trend Mirco have discovered that on March 25th, 2018, malicious hackers compromised AOL’s advertising platform and modified its script to mine Monero cryptocurrency. The researchers also found MSN’s web portal’s Japanese domain was also infected by a similar script to mine Monero coins from the computing power of site’s visitors.

More: Hackers Hide Monero Cryptominer in Scarlett Johansson’s Picture

According to Trend Micro’s analysis, the compromised ads were found creating a large number of web miners. What is noteworthy is that in the case of MSN, its homepage was infected with the mining script which happens to be the default page of Microsoft’s browser and the page that Outlook (Hotmail and Live) users are redirected to once they log out from their account.

Furthermore, researchers identified 500 other websites infected with the same CoinHive cryptocurrency mining script used on AOL advertising platform. 

Hackers used unsecured AWS buckets for their operation

Upon further analysis, researchers discovered that hackers were running their campaign by hosting malicious content on unsecured Amazon Web Service (AWS) S3 buckets left open for public access apparently by their administrators. 

Hackers compromise AOL advertising platform to mine Monero
Detection for unique web miners rising steeply from March 24 to 25 (Credit: Trend Micro)

Unsecured AWS buckets have been creating problems for the last couple of years, however, when it comes to cryptocurrency mininTesla cloud server and LA Times’ website had their AWS buckets compromised to mine Monero cryptocurrency.

As for web miners on AOL and MSN, the Trend Micro researchers believe that a significant number is users may have been impacted. However, the good news is that AOL was notified about the incident whose team was quick to remove the malicious script by March 27th, 2018.

More: Monero Mining Malware Infecting Android Smart TVs & Smartphones

“The campaign injected malicious script at the end of a JavaScript library on the unsecured S3 buckets. Website administrators can easily check for any script injected with code similar to the one shown below or the mining domains we listed in the Indicators of Compromise section to verify if their sites have been modified,” wrote Trend Micro.

We notified the AOL team about our findings. AOL removed the injected miner and resolved the issue by March 27.

Not for the first time

This is not the first time when a topnotch website had its advertising platform compromised. In January this year hackers used ad slots on YouTube to mine Monero cryptocurrency through CoinHive javascript code.

“Organizations should secure and always properly configure their servers to prevent these types of threats. To further protect themselves, they should choose the right cloud security solution based on their specific needs,” concluded Trend Micro.

How to block cryptocurrency mining in your web browser

There are several ways of blocking cryptocurrency minors from using your browser and CPU power including minerBlock and No Coin extensions on Chrome web store developed for the sole purpose of blocking cryptocurrency mining and cryptojacking. Both extensions are open source and open to the public, users can check out the source code on Githuhere and here.

Additionally, you can switch to Opera browser since its desktop and mobile versions for Android and iOS prevent websites from hijacking your browser to mine cryptocurrency.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.