The security firm Trend Micro said that it had found a tripling in detections of the Coinhive Web miner. Ads found on high-traffic sites not only used Coinhive but also connected to a private pool, it said.
"Attackers abused Google’s DoubleClick, which develops and provides Internet ad serving services, for traffic distribution," researchers Chaoying Liu and Joseph Chen said.
"Data from the Trend Micro Smart Protection Network shows affected countries include Japan, France, Taiwan, Italy, and Spain."
"An analysis of the malvertisement-riddled pages revealed two different Web miner scripts embedded and a script that displays the advertisement from DoubleClick," Liu and Chen said.
"The affected webpage will show the legitimate advertisement while the two Web miners covertly perform their task. We speculate that the attackers’ use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices."
The presence of cryptocurrency mining scripts on websites is quite common these days. In September last year, the Showtime site was found to be hosting scripts which were mining for the Monero cryptocurrency.
The same month, Trend Micro reported that it had found that a tech support scam was being used to implant a cryptocurrency miner when users visited infected websites using Chrome or Internet Explorer.
And earlier this month, it was found that unpatched Oracle WebLogic servers had been infected with cryptocurrency-mining malware, causing a degradation in performance.