YouTube was recently caught
displaying ads that covertly leach off visitors' CPUs and
electricity to generate digital currency on behalf of anonymous
attackers, it was widely reported.
Word of the abusive ads
started no later than Tuesday, as people took to social media
sites tocomplain their antivirus
programs were detecting cryptocurrency mining codewhen
they visited YouTube. The warnings came even when people changed
the browser they were using, and the warnings seemed to be limited
to times when users were on YouTube.
Great now my browser
everytime I watch youtube... my anti virus always blocking
coinhive because malware . Idk much about it but this is getting
annoying and I need a solution please T n T
Por lo visto@YouTubees
muy gracioso y no le bastaba con bajarnos la audiencia, ahora
van y nos meten el JavaScript de Coinhive para utilizar nuestros
dispositivos para minar Monero! De verdad,@Google!
Que leeches estáis haciendo con YouTube??pic.twitter.com/NzMUMlArJs
On Friday, researchers with
antivirus provider Trend Micro said the ads helped drive a more
than three-fold spike in Web miner detections. They said the
attackers behind the ads were abusing Google's DoubleClick ad
platform to display them to YouTube visitors in select countries,
including Japan, France, Taiwan, Italy, and Spain.
The ads contain JavaScript
that mines the digital coin known as Monero. In nine out of 10
cases, the ads will use publicly available JavaScript provided by
Coinhive, a cryptocurrency-mining service that's controversial
because it allows subscribers to profit by surreptitiously using
the computers of other people. The remaining 10 percent of the
time, the YouTube ads use private mining JavaScript that saves the
attackers the 30 percent cut Coinhive takes. Both scripts are
programmed to consume 80 percent of a visitor's CPU, leaving just
barely enough resources for it to function.
"YouTube was likely targeted
because users are typically on the site for an extended period of
time," independent security researcher Troy Mursch told Ars. "This
is a prime target for cryptojacking malware, because the longer
the users are mining for cryptocurrency the more money is made."
Mursch said acampaign from Septemberthat
used the Showtime website to deliver cryptocurrency-mining ads is
another example of attackers targeting a video site.
To add insult to injury, the
malicious JavaScript in at least some cases was accompanied by
graphics in displayed ads for fake AV programs, which scam people
out of money and often install malware when they are run.
The above ad was posted on Tuesday.
Like the ads analyzed by Trend Micro and posted on social media,
it mined Monero coins on behalf of someone with the Coinhive site
key of "h7axC8ytzLJhIxxvIHMeC0Iw0SPoDwCK." It's not possible to
know how many coins the user has generated so far. Trend Micro
said the campaign started January 18. It's not clear if Google has
managed to start blocking the ads yet. Representatives weren't
immediately available to comment for this post.
As theproblem of Web-based
cryptomining has surgedto
almost epidemic proportions, a variety of AV programs have started
warning of cryptocurrency-mining scripts hosted on websites and
giving users the option of blocking the activity. While drive-by
cryptocurrency mining is an abuse that drains visitors' electricity
and computing resources, there's no indication it installs
ransomware or other types of malware, as long as people don't click
on malicious downloads.
DAN GOODINDan
is the Security Editor at Ars Technica, which he joined in 2012
after working for The Register, the Associated Press, Bloomberg
News, and other publications.EMAILdan.goodin@arstechnica.com//TWITTER@dangoodin001