YouTube Hosted Malicious Crypto-Mining Ads

Google confirmed the breach of YouTube’s ad policies.

Google has said it is developing new techniques to detect malicious crypto-mining adverts after YouTube was caught displaying them to unsuspecting users. Ad-based miners are a new form of malware that generates revenue while slowing down the user’s device.

The ‘malvertizing’ campaign was detailed by security firm Trend Micro in a blog post late last week. It was large enough to create a temporary tripling in the number of active Coinhive miners. Coinhive is a service which provides JavaScript cryptocurrency mining scripts that can run inside web browsers, Digital Journal reported.

Analysis of the surge in traffic revealed it was originating from adverts hosted on Google’s DoubleClick network that were displayed alongside YouTube videos. As unknowing users browsed the site and watched content, the ads silently mined coins of the Monero cryptocurrency for the attackers. It is impossible to determine how many coins the campaign could have mined.

The scripts were configured to use up to 80% of the device’s CPU power, which suggests the attacker was trying to avoid detection. Cryptocurrency mining is a performance-intensive operation, so an unthrottled miner is likely to cause significant slowdowns that the user would notice. Throttling the processor use prevents the script from consuming all the device’s resources, which could mitigate some of the slowdowns and keep the user from noticing.

Ads that employ cryptocurrency mining scripts to create revenue are a new form of attack that first gained attention last year. Streaming services such as YouTube are ideal targets because users tend to spend a long time on each page. While watching a YouTube video, an ad could be displayed uninterrupted for multiple minutes at a time, maximizing coin production.
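The 80% cap and the minutes-long ad display described above have a practical consequence for detection, sketched here as an added example that is not from the article or from Trend Micro's analysis: an alert that waits for a pegged CPU misses a throttled miner, while a sustained-load window catches it. The function names, the thresholds (95% peg limit, 120-second window, 60% floor) and both per-second CPU traces are constructed assumptions.

```javascript
'use strict';
// Added example. Inputs are per-second CPU share (0-100) for one tab or frame.
// All thresholds and traces are constructed assumptions, not measured data.

// Naive rule: alert only when some sample pegs the CPU.
function pegsCpu(samples, limit = 95) {
  return samples.some((s) => s >= limit);
}

// Sustained rule: first window of `windowSec` samples whose mean load is at
// least `floor`. Uses a running sum, so it is O(n) over the trace.
function sustainedLoad(samples, windowSec = 120, floor = 60) {
  let sum = 0;
  for (let i = 0; i < samples.length; i++) {
    sum += samples[i];
    if (i >= windowSec) sum -= samples[i - windowSec];
    if (i >= windowSec - 1 && sum / windowSec >= floor) {
      return { startSec: i - windowSec + 1, mean: sum / windowSec };
    }
  }
  return null; // trace too short, or never busy for a whole window
}

// Constructed trace: 10 s of page load, then 5 min hovering at an 80% cap.
const throttledMiner = [
  ...Array(10).fill(5),
  ...Array.from({ length: 300 }, (_, i) => (i % 2 === 0 ? 78 : 82)),
];

// Constructed trace: ordinary playback at 25% with a one-second spike each minute.
const videoPlayback = Array.from({ length: 300 }, (_, i) => (i % 60 === 0 ? 97 : 25));

function evaluate(samples) {
  return { pegged: pegsCpu(samples), sustained: sustainedLoad(samples) };
}

console.log('miner   ', evaluate(throttledMiner));
console.log('playback', evaluate(videoPlayback));
```

On these traces the peg rule fires only on ordinary playback, and the sustained rule fires only on the throttled trace.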

In a statement last week, Google confirmed the breach of YouTube’s ad policies and said it is taking steps to prevent future similar campaigns. The company claimed it removed the ads “in less than two hours,” although it has not clarified the timeline of events.

There are steps users can take to prevent the activity, such as installing a browser security extension. This can help to minimize the attack’s impact and prevent websites from consuming excessive resources.
