'Drive-by' cryptomining code was discovered in YouTube ads this week

Polycount

Staff

"Cryptojacking" is nothing new but it has begun to pick up more steam in recent months. For the unaware, cryptojacking typically involves unscrupulous website owners or advertisers using JavaScript code to take advantage of a website visitor's CPU power to mine cryptocurrency in the background, without their knowledge or consent.

The Pirate Bay was one of the first websites of note to contain this sort of code but its use has only become more common over time. Indeed, the problem has become so pervasive in certain parts of the internet that web browsers such as Opera have received new features specifically designed to mitigate or eliminate these issues -- usually in the form of ad blocking filters.

While simply avoiding sketchy sites to begin with might seem like the obvious solution, the issue becomes more complicated when this code starts to appear on bigger, more well-known sites like Showtime or even YouTube.

This past week, YouTube viewers' antivirus programs began alerting them to the presence of cryptocurrency mining code throughout the website, specifically within YouTube's advertising code. Naturally, this led to some users hopping on Twitter to voice their concerns.

Researchers from antivirus company Trend Micro said these ads resulted in "more than a three-fold spike" in web miner detection stats. The company also said the individuals behind the ads seemed to be targeting YouTube visitors in specific countries, such as France, Taiwan, Italy, Spain and Japan.

"YouTube was likely targeted because users are typically on the site for an extended period of time," security researcher Troy Mursch said in a statement. "This is a prime target for cryptojacking malware, because the longer the users are mining for cryptocurrency the more money is made."

This may not seem like a significant issue, but background miners can hog quite a bit of a given system's computing power if left unchecked: as much as 80 percent, according to Trend Micro.

Google issued the following statement on the matter:

"Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms."

As Ars noted, evidence supplied by Trend Micro seems to contradict Google's statement. The antivirus company has shown several examples of these ads being in place for the better part of a week, which is certainly longer than the two hours Google claims it took to shut the scheme down.


 
I'm running an Intel G-41 board with the stock IGP. I'm wondering how much mining could this rig accomplish?
 
Ads have no benefit to anyone and they seem to be harmful as well. Maybe it's time to ban all ads. Or at least make them text-based and limited to 20 letters: product name and what it does. And make lying illegal; that would fix most problems. You can use science to prove stuff; if not, your product is based on a lie.
 
I demand YouTube send me another 1080ti for this gross negligence in advertising security.

I think there would be more consequences to you going against Google for it to be worth it. They own so much now and they have so much money anything but a class action is just going to get snuffed out by their lawyers. Even then that doesn't stop them from banning you from Google services.
 
For now, these malicious ads are using the CPU for mining, not the graphics card.
Well, with an ancient Pentium Dual Core E-6300 in this "beast", I don't think I have too much to worry about in that department either.

While I was being a bit whimsical about my graphics card's memory bandwidth, you bring up a fair point. All I have to do is listen for the CPU fan to speed up, and/or leave Task Manager running throughout my online activities to see what's going on.

Even so, were this machine to be attacked, you couldn't get a nickel's worth of Bitcoin out of it, even if I stayed on the site for a month and a half.

But, this issue does pose the question as to whether or not, "coinhive", is detectable as a running process?
 