Attackers hide cryptocurrency mining scripts in YouTube ads

Ads containing cryptocurrency mining scripts have been discovered making their way surreptitiously onto popular websites, including YouTube, using Google’s DoubleClick ad delivery system.

Mining cryptocurrency - solving complex cryptographic problems in order to verify cryptocurrency transactions - can reap a small financial reward, but it takes a colossal amount of computational power and electricity to generate significant profits.

One of the more dishonest ways in which a profit can be made without running up expensive electricity bills is to use other people’s computers to do the computationally expensive work. Scripts such as Coinhive - a script originally billed as an “alternative to ads” - are delivered to the computer of a web page visitor and then use the CPU to mine a cryptocurrency. This practice has been nicknamed “cryptojacking”.

Coinhive hit the headlines in September 2017 when it was revealed that Showtime and other websites had been using the in-browser miner without informing their visitors.

A recent report from cyber security company Trend Micro suggests that a group of attackers began “abusing” Google’s DoubleClick platform – which provides online advertising services – to deliver Coinhive and another in-browser miner from around January 18, 2018. The volume of operations almost tripled around January 23.

The Trend Micro researchers suggested that this was when the ads containing the in-browser miners began to appear on YouTube.

“We started seeing an increase in traffic to five malicious domains on January 18. After closely examining the network traffic, we discovered that the traffic came from DoubleClick advertisements,” the researchers wrote in the report.

The miners are typically blocked by antivirus software and were only able to load on YouTube because they were hidden in JavaScript code within the ads displayed on the page.

“An analysis of the malvertisement-riddled pages revealed two different web miner scripts embedded and a script that displays the advertisement from DoubleClick. The affected web page will show the legitimate advertisement while the two web miners covertly perform their task,” they wrote.

“We speculate that the attackers’ use of these advertisements on legitimate web sites is a plot to target a larger number of users, in comparison to only that of compromised devices.”

Affected countries include Japan, France, Italy, Spain and the Republic of China (Taiwan).

Since Coinhive’s launch in September last year, in-browser cryptocurrency miners have exploded in popularity and could already be affecting half a billion internet users, according to estimates. These scripts - which often slow down computers - can be stopped using antivirus software, as well as adblocking and no-JavaScript add-ons for web browsers.
