I was reading this article on Ars about ad networks using malware techniques to mine cryptocurrency and realized, holy crap, I had noticed something similar in my OpenDNS Umbrella logs.

To take a quick step back, OpenDNS Umbrella is a DNS-layer security service: it logs the DNS queries your clients make and, among other things, blocks resolution of known-malicious domains, so a blocked query shows up in its logs even when nothing else on the network noticed.

To summarize the article, it describes how a growing number of websites are turning to cryptocurrency mining in your web browser to compensate for the widespread use of ad-blockers.

In this particular scenario the article discusses the use of domain generation algorithms (DGAs), which produce a nearly limitless supply of throwaway domain names. The technique was popularized by botnets, which use it so that their command-and-control domains cannot be enumerated and blocked in advance. Now websites are using it to try to bypass ad-blockers, since a blocklist of fixed domains is useless against names that change constantly.

For example, something like:

zylokfmgrtzv.com

The pages located at these domains then load JavaScript that starts mining cryptocurrency in your web browser. So if you visit a particular site and your computer's fans start whirring and things slow down (a browser tab pinning a CPU core is the usual symptom), this may be what is happening to you.

Back to what I was noticing in my own logs.

These particular domains were getting blocked by OpenDNS:

odfoe.wltoyqyynkbcc.com

kvcctz.wltoyqyynkbcc.com

qmxuvo.wltoyqyynkbcc.com

If you don't want to stand up an intercepting proxy such as Burp Suite and inspect all the traffic yourself, a sandboxed scanning service like urlscan.io will load the page for you and show every request it makes. That way you never have to run a proxy or browse to a potentially malicious site from your own machine.

Once you put kvcctz.wltoyqyynkbcc.com into urlscan.io, you'll notice that various sites seem to be associated with this domain. In particular, www.dailystar.co.uk appears to be associated in some manner.

Now if you do an nslookup of kvcctz.wltoyqyynkbcc.com you’ll get back this information:

kvcctz.wltoyqyynkbcc.com canonical name = d1xv26op0mrpvc.cloudfront.net.
Name: d1xv26op0mrpvc.cloudfront.net
Address: 54.239.168.136
Name: d1xv26op0mrpvc.cloudfront.net
Address: 54.239.168.166
Name: d1xv26op0mrpvc.cloudfront.net
Address: 54.239.168.60
Name: d1xv26op0mrpvc.cloudfront.net
Address: 54.239.168.91
Name: d1xv26op0mrpvc.cloudfront.net
Address: 54.239.168.34
Name: d1xv26op0mrpvc.cloudfront.net
Address: 54.239.168.103
Name: d1xv26op0mrpvc.cloudfront.net
Address: 54.239.168.85
Name: d1xv26op0mrpvc.cloudfront.net
Address: 54.239.168.59

Head over to urlscan.io, punch in www.dailystar.co.uk, run a scan and have a look at the HTTP tab. If you search that list for cloudfront.net, you will notice JavaScript loaded from d1z2jf7jlzjs58.cloudfront.net and d2q1qtsl33ql2r.cloudfront.net, for example.

While the domains aren't exactly the same as the information returned by the DNS lookup for kvcctz.wltoyqyynkbcc.com, the information returned by urlscan.io is strikingly similar.

While it could be a complete coincidence regarding these seemingly randomly generated domain names, it could also be a rather disturbing trend of websites using botnet techniques in an attempt to fight ad-blockers or to mine cryptocurrency with or without the user's knowledge.
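Before drawing that conclusion it helps to make the "looks randomly generated" judgement explicit and run it over the log. The script below is an added example, not code from this post or from OpenDNS: it works on a constructed, simplified CSV log (not Umbrella's real export format) and uses a crude letter-frequency heuristic rather than Umbrella's own DGA classifier. Note the cloudfront.net exemption, which is the caveat that applies to the comparison above: every CloudFront distribution gets a random-looking hostname of the form d1xv26op0mrpvc.cloudfront.net, so the resemblance between the CNAME target and the Daily Star's cloudfront.net scripts is just the normal shape of that CDN. What would actually link them is an identical distribution ID, and those differ.

```python
import csv
import io
from collections import defaultdict

VOWELS = set("aeiou")

# Constructed, simplified DNS log for this example (timestamp,client,domain,action).
# This is not the real Umbrella export schema. The three blocked names and
# www.dailystar.co.uk are the ones discussed in the post; the rest are filler.
SAMPLE_LOG = """timestamp,client,domain,action
2017-10-13 14:05:22,10.0.0.12,www.dailystar.co.uk,Allowed
2017-10-13 14:05:23,10.0.0.12,d1z2jf7jlzjs58.cloudfront.net,Allowed
2017-10-13 14:05:23,10.0.0.12,odfoe.wltoyqyynkbcc.com,Blocked
2017-10-13 14:05:24,10.0.0.12,kvcctz.wltoyqyynkbcc.com,Blocked
2017-10-13 14:05:24,10.0.0.12,qmxuvo.wltoyqyynkbcc.com,Blocked
2017-10-13 14:05:30,10.0.0.15,www.google.com,Allowed
2017-10-13 14:05:31,10.0.0.15,zylokfmgrtzv.com,Allowed
"""

# Tiny stand-in for the Public Suffix List so that dailystar.co.uk is treated
# as one registrable domain. A real tool should load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

# Apexes whose labels look random by design. Every CloudFront distribution gets
# a hostname like d1xv26op0mrpvc.cloudfront.net, so the heuristic below would
# flag the whole CDN unless it is exempted here.
KNOWN_RANDOM_INFRA = {"cloudfront.net"}


def split_labels(fqdn):
    return fqdn.lower().rstrip(".").split(".")


def registrable_domain(fqdn):
    """Return the apex (registrable domain) of an FQDN."""
    labels = split_labels(fqdn)
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def label_features(label):
    """(vowel ratio, longest run of non-vowel characters) for one DNS label."""
    chars = [c for c in label.lower() if c.isalnum()]
    if not chars:
        return 0.0, 0
    vowels = sum(c in VOWELS for c in chars)
    longest = run = 0
    for c in chars:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowels / len(chars), longest


def looks_generated(label, min_len=8):
    """Crude DGA test: pronounceable words rarely have five or more consonants
    in a row or fewer than one vowel per five characters. Short labels are
    skipped so that 'www', 'ns1' or 'cdn' are never flagged."""
    if len(label) < min_len:
        return False
    ratio, longest = label_features(label)
    return longest >= 5 or ratio < 0.2


def is_suspicious(fqdn):
    """True if any owner-controlled label of the name looks machine-generated."""
    apex = registrable_domain(fqdn)
    if apex in KNOWN_RANDOM_INFRA:
        return False
    labels = split_labels(fqdn)
    suffix_labels = apex.count(".")          # 'co.uk' -> 2, 'com' -> 1
    owned = labels[:len(labels) - suffix_labels]
    return any(looks_generated(label) for label in owned)


def triage(log_text):
    """Group suspicious queries by apex: apex -> {'hosts', 'clients', 'blocked'}."""
    hits = defaultdict(lambda: {"hosts": set(), "clients": set(), "blocked": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        domain = row["domain"]
        if not is_suspicious(domain):
            continue
        entry = hits[registrable_domain(domain)]
        entry["hosts"].add(domain.lower())
        entry["clients"].add(row["client"])
        entry["blocked"] += int(row["action"] == "Blocked")
    return dict(hits)


if __name__ == "__main__":
    for apex, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{apex}: {len(info['hosts'])} hosts, {len(info['clients'])} clients, "
              f"{info['blocked']} blocked")
```

Grouping by apex is the useful part: three different random subdomains under wltoyqyynkbcc.com from one client is a much stronger signal than any single name. The heuristic itself will produce false positives on legitimate consonant-heavy names and on other CDNs and cloud services with random-looking hostnames, so treat its output as a triage queue, not a verdict.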

The funny thing the article noted was that, after all the obfuscation, a call to Coinhive was eventually made.

Coinhive has been the endpoint for much of the browser-based cryptocurrency mining on various websites, so if you haven't already, it is a good idea to simply block it at the DNS layer, where one policy covers every client regardless of which browser or ad-blocker it runs.
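One detail worth getting right when you do block it: the match has to cover subdomains of the blocked apex without matching look-alike names. The snippet below is an added example, not code from the post or from any DNS product; coinhive.com is the domain Coinhive served its miner from, the rest of the list is constructed, and the RPZ lines assume BIND's response-policy-zone syntax (a CNAME to "." yields NXDOMAIN).

```python
# Constructed blocklist for this example. coinhive.com is the miner's own
# domain; wltoyqyynkbcc.com is the apex seen in the Umbrella logs above.
BLOCKLIST = {"coinhive.com", "wltoyqyynkbcc.com"}


def normalize(fqdn):
    """Lower-case and strip the trailing dot so 'WS.Coinhive.COM.' still matches."""
    return fqdn.strip().lower().rstrip(".")


def naive_is_blocked(fqdn, blocklist=BLOCKLIST):
    """The tempting but wrong check: a substring match. It also blocks
    notcoinhive.com and coinhive.com.example, which are unrelated names."""
    name = normalize(fqdn)
    return any(entry in name for entry in blocklist)


def is_blocked(fqdn, blocklist=BLOCKLIST):
    """Match on label boundaries only: a.b.c.com is blocked if any of
    a.b.c.com, b.c.com or c.com is listed. Subdomains of a blocked apex are
    covered; names that merely contain the apex as a substring are not."""
    labels = normalize(fqdn).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def rpz_records(blocklist=BLOCKLIST):
    """The same policy as BIND RPZ records: one for the apex and a wildcard
    for everything under it. 'CNAME .' is the RPZ action for NXDOMAIN."""
    lines = []
    for apex in sorted(blocklist):
        lines.append(f"{apex} CNAME .")
        lines.append(f"*.{apex} CNAME .")
    return lines


if __name__ == "__main__":
    for name in ["coinhive.com", "ws.coinhive.com", "COINHIVE.COM.",
                 "notcoinhive.com", "coinhive.com.example"]:
        print(f"{name:22} naive={naive_is_blocked(name)!s:5} correct={is_blocked(name)}")
    print("\n".join(rpz_records()))
```

Whichever resolver or filtering service you use, the two properties to verify are the ones the test names cover: a query for a subdomain of the blocked apex must fail, and a query for a longer name that merely ends in the same letters must not.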

Fascinating stuff!