Word of the offensive ads started no later than Tuesday, as people took to social media sites to criticize their antivirus programs were catching cryptocurrency mining code when they visited YouTube. The information came even when people modified the browser they were using, and the information seemed to be limited to times when users were on YouTube.
On Friday, researchers with antivirus provider Trend Micro said the ads sustained drive a more than a three-fold spike in Web miner discoveries. They said the criminals behind the ads were abusing Google’s DoubleClick ad platform to promote them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain.
The ads contain JavaScript that mines the digital coin known as Monero. In nine out of 10 cases, the ads will use plainly available JavaScript provided by Coinhive, a cryptocurrency-mining service that’s questionable because it allows contributors to profit by surreptitiously using other people’s computers. The prevailing 10 percent of the time, the YouTube ads use private mining JavaScript that saves the enemies the 30 percent cut Coinhive takes. Both scripts are estimated to consume 80 percent of a visitor’s CPU, leaving just barely enough support for it to operate.
“YouTube was likely targeted because users are typically on the site for an extensive period of time,” independent security researcher Troy Mursch told Ars. “This is a prime target for crypto jacking malware because the longer the users are drilling for cryptocurrency the more money is made,” Mursch said a campaign from September that used the Showtime website to give cryptocurrency-mining ads is a different example of attackers targeting a video site.
To add insult to injury, the wicked JavaScript in at least some cases were followed by graphics that displayed ads for fake AV programs, which scam people out of money and often install malware when they are run.
Take your time to comment on this article.
