Thursday, May 26

YouTube Ads Infected by Cryptocurrency Malware

The problem of cryptocurrency mining malware embedded in online ads reared its ugly head in a big way last week, as several malicious ads appeared on YouTube. This happened because a rogue actor injected corrupt content into Google’s own DoubleClick ad network.

(Image credit: pathdoc / Shutterstock)

The ads were designed to consume 80 percent of the victim’s CPU time to “mine” the Monero cryptocurrency, but they did not harm computers or steal data.

“Hi @avast_antivirus, it looks like you are blocking crypto miners (#coinhive) on @YouTube #ads Thank you :)” Italian web designer Diego Betto tweeted last Thursday (January 25).

Google has nipped the problem in the bud for now, but this won’t be the last time something similar happens to YouTube or other prominent websites.

What you should do

To ensure that you are protected against “malicious advertising”, be sure to run third-party antivirus software that inspects the web pages you load. You might also consider running a script blocker or ad blocker on some or all of your web browsers. Keep in mind, however, that ad blockers prevent publishers (including this one) from generating revenue.

Most good antivirus programs will filter the URLs that your web browsers connect to. Microsoft’s built-in Windows Defender does this too, but only for Internet Explorer and Edge. To get similar protection for Google Chrome, Mozilla Firefox, or Apple Safari, you will need to use a third-party product. Alternatively, you can switch to Opera, a free browser that has a built-in ad blocker.

How did this happen?

Researchers at antivirus maker Trend Micro were among the first to spot the problem. In a company blog post on Friday (January 26), they said that they “detected a nearly 285 percent increase in the number of Coinhive miners on January 24,” but that they “began to see an increase in traffic to five malicious domains on January 18.” Most of the cryptocurrency mining activity was observed in France, Italy, Japan, Spain, and Taiwan.

Coinhive is a legitimate browser-based cryptocurrency mining operation that some website operators implement to increase revenue, although they are supposed to notify visitors that their CPUs are being temporarily leveraged to make money for the site. Coinhive mines Monero, a cryptocurrency that is easier to mine than Bitcoin.

Unfortunately, the Coinhive script is easy to inject into a site’s code. For the past few months, criminals have been infecting websites without the consent of the site administrators, then directing the money generated to their own cryptocurrency wallets.
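Because the injected miner is just another `<script>` tag, a site administrator can catch it by scanning their own pages for script references to known miner hosts and for the public Coinhive API names. The following is an added example, not code from the article or from Trend Micro: it uses only the Python standard library, the `coinhive.com` host and the `CoinHive.Anonymous`/`CoinHive.User` constructor names of the publicly distributed Coinhive library, a placeholder domain standing in for the “off-brand” miners mentioned later, and two constructed sample pages (one injected, one clean).

```python
"""Scan HTML for browser-miner script injections (added example, not the article's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve miner scripts. coinhive.com is the service named in the article;
# the .test domain is a constructed placeholder for "off-brand" miner hosts.
MINER_HOSTS = {"coinhive.com", "offbrand-miner.test"}

# Markers from the public Coinhive library: its constructor names and its file name.
# The file-name marker also catches a self-hosted copy served from the site's own domain.
MINER_MARKERS = [
    re.compile(r"CoinHive\.(Anonymous|User)\s*\("),
    re.compile(r"coinhive\.min\.js"),
]


def _host_is_miner(host: str) -> bool:
    """True if host is a known miner host or a subdomain of one."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in MINER_HOSTS)


class ScriptScanner(HTMLParser):
    """Collect (kind, evidence) findings for every suspicious <script> on the page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._inline = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        self._inline = []
        src = dict(attrs).get("src")
        if not src:
            return
        # urlparse handles absolute and protocol-relative (//host/path) URLs;
        # a site-relative src yields no hostname and falls through to the marker check.
        host = urlparse(src).hostname or ""
        if _host_is_miner(host):
            self.findings.append(("external-miner-host", src))
        elif any(m.search(src) for m in MINER_MARKERS):
            self.findings.append(("miner-library-file", src))

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies to handle_data as raw text.
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script = False
        body = "".join(self._inline)
        if any(m.search(body) for m in MINER_MARKERS):
            self.findings.append(("inline-miner-code", body.strip()[:80]))


def scan_html(html: str):
    """Return a list of (kind, evidence) tuples; an empty list means no miner found."""
    scanner = ScriptScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages. The throttle value in the injected page is chosen to
# mirror the article's figure of a miner consuming 80 percent of the CPU.
INJECTED_PAGE = """<html><body><h1>Welcome</h1>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.2});
  miner.start();
</script>
<script src="/static/app.js"></script>
</body></html>"""

CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<script src="/static/app.js"></script>
<script>console.log('page ready');</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_html(page))
```

Run it against saved copies of your site's templates or a crawl of rendered pages; a non-empty result for a page you did not change is the signal the article describes, an injection that redirects mining revenue to someone else's wallet. Ads served through a third-party network are not visible in the site's own source, so this check complements, rather than replaces, the browser-side URL filtering discussed above.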

Putting Coinhive’s code in online ads was the inevitable next step. The chaotic and decentralized nature of the online advertising marketplace allows bad actors to serve malicious ads high above the websites that end up showing them, and those sites often never find out where the bad ads are coming from.

Trend Micro researchers found that the malvertising code implemented the standard Coinhive script 90 percent of the time, but used an off-brand script the other 10 percent of the time, perhaps to circumvent Coinhive’s 30 percent commission fee.

Under the radar

Regular advertisements are shown throughout this process, Trend Micro said, so the end user won’t notice unless they check their CPU usage. Nevertheless, Ars Technica reported that some of the malicious scripts generated advertisements for rogue antivirus software, which DoubleClick would not normally allow.

Google told Ars Technica and The Register that “[i]n this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.” That’s not entirely in line with Trend Micro’s observation that the malvertising activity lasted for six days, from January 18 to 24, but in any case, the ads are gone for now.
