YouTube Ads Targeted By Cryptocurrency Malware

Cryptojacking is a relatively new malware issue that has gradually become a widespread problem. Bad actors are injecting a piece of JavaScript into websites and advertisements that harnesses a victim's CPU to mine cryptocurrencies.

The latest network to be targeted by cryptojackers is Google's advertising service on YouTube.

As Ars Technica first reported on Friday, users on social media started complaining earlier this week that YouTube ads were triggering their anti-virus software.

Specifically, the software was recognising a script from a service called CoinHive. The script was originally released as a sort of altruistic idea that would allow sites to make a little extra income by putting a visitor’s CPU processing power to use by mining a cryptocurrency called Monero.

This could be used ethically as long as a site notifies its visitors of what’s happening and doesn’t get so greedy with the CPU usage that it crashes a visitor’s computer.

In the case of YouTube’s ads running the script, they were reportedly using up to 80 per cent of the CPU and neither YouTube nor the user were told what was happening.

From Ars Technica:

On Friday, researchers with antivirus provider Trend Micro said the ads helped drive a more than three-fold spike in Web miner detections. They said the attackers behind the ads were abusing Google’s DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain.

In nine out of 10 cases, the ads will use publicly available JavaScript provided by Coinhive, a cryptocurrency-mining service that’s controversial because it allows subscribers to profit by surreptitiously using other people’s computers.

Trend Micro’s research found that in 10 per cent of the cases a custom script was being used that still mined Monero but didn’t give CoinHive its usual 30 per cent cut of the profits.

Gizmodo reached out to YouTube for comment on Trend Micro’s claims, and a spokesperson acknowledged the problem:

Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively.

We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.

The part of the statement about the ads being blocked in less than two hours doesn’t align with Trend Micro’s assessment that the ad campaign has been a problem for at least a week.

When we asked YouTube about this discrepancy, a spokesperson declined to comment any further. But a source with direct knowledge of YouTube’s handling of the situation told Gizmodo that the two-hour measurement was just being applied to each individual ad run by the hackers, not the ads en masse.

YouTube approves a clean ad submitted by a clean account set up by the hijacker. When the ad goes live, the attackers use various cloaking methods to subvert YouTube’s system and swap the ad with one that includes the malicious script.

A couple of hours later, the ad is detected, taken down, and the user who submitted it gets their account deleted. Wash. Rinse. Repeat. To sum this up in the most generous terms, YouTube and Google's ad network in general have an ongoing and ever-evolving problem on their hands.

The thing about all of this is that cryptojacking isn't that big of a deal. Flagged instances are becoming more frequent, but the harm to your privacy or data is virtually non-existent; the cost is CPU time, electricity and, on a laptop, battery life and heat.

What sucks is that someone out there (in this case the owner of a single CoinHive site key) is using your CPU power and electricity to make money and you don’t get a cut.

You’re unwittingly funding cybercrime while YouTube makes its money from serving you ads. And from a big picture perspective, security flaws are being exposed. Just because the script wasn’t particularly dangerous this time around, doesn’t mean it couldn’t be some nasty ransomware next time.

[Ars Technica]


  • Well then I'm glad I installed an ad blocker specifically for fucking off YouTube's new 15-minute bullshit ads a few days ago.

    • I remember getting a one hour “advert” (that I could thankfully skip) that was actually really just a science show thing of sorts. I just wanted to listen to music while cleaning the dishes, not hear about things I never learned about!

      • Don't worry, I am a YouTuber and I use an ad blocker because of how obnoxious YouTube ads can be.

        Unfortunately it’s not an option when watching on console, which is where I do most of my viewing.

    • Some of it is for tracking. Rather than relying on data from the website on what ad you have seen and for how long, they execute a script on your system to feed them that data.
      They can also be used to better integrate that ad into the website and used to try to dodge ad blockers.

      • I'm surprised Google hasn't stopped this. So much shit comes from the scripts. Most of the malware I read about, it's from bad ads etc.
