YouTube Ads Targeted By Hackers Mining Cryptocurrency
Hackers who covertly exploit an internet user's CPU power to mine cryptocurrencies have found a new way to do the job: through YouTube ads.
It is no secret that, despite their constantly fluctuating market value, digital currencies are now worth a lot of money. It is therefore not surprising that many internet crooks are taking advantage of unsuspecting users to earn them.
This month, security researchers from Trend Micro discovered the hackers' scheme, which they called a "malvertising campaign." As the name suggests, the perpetrators use advertisements to covertly mine cryptocurrencies with Coinhive, a JavaScript-based miner.
"Attackers abused Google's DoubleClick, which develops and provides internet ad serving services, for traffic distribution. Data from the Trend Micro Smart Protection Network shows affected countries include Japan, France, Taiwan, Italy, and Spain," Trend Micro's researchers explained in the company's blog.
In the same blog post, Trend Micro also revealed that it had noticed a massive spike in Coinhive mining activity on Jan. 24, an increase of up to 285 percent compared to normal levels. After further digging, the researchers found that the abnormal activity had actually started on Jan. 18, when "five malicious domains" saw higher mining traffic. This means the malvertising campaign went unnoticed for at least a week.
Trend Micro researchers added: "An analysis of the malvertisement-riddled pages revealed two different web miner scripts embedded and a script that displays the advertisement from DoubleClick. The affected webpage will show the legitimate advertisement while the two web miners covertly perform their task."
YouTube advertisements are good targets for cryptocurrency mining because people tend to stay on the platform for longer periods, whereas visitors to other websites often leave as soon as they have read or found the information they need.
In light of this discovery, users are advised to install security patches when they become available. For a higher level of protection, people can also choose to block JavaScript-based applications from running in their browsers.
Meanwhile, Trend Micro alerted Google to its findings before they were published. A spokesperson for Google told Media Post: "We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge."
The spokesperson then added: "In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms."
Coinhive's JavaScript has been a favorite option for hackers because it is easy to apply to a domain without being detected right away. The same tool was previously used by a hacker who altered the official website of cable network Showtime and the Google Chrome extension called Archive Poster.