The clandestine mining of cryptocurrency is something that we have seen in various forms over the last year or so, in website code and Android apps. A new discovery by security firm Trend Micro shows that hackers have found a way to inject Coinhive mining code into ads that appear on YouTube.
The crypto-jacking technique means that hackers have been able to profit by using other people's CPU time to mine the Monero cryptocurrency while they watch videos. Trend Micro reports that there has been a huge increase in Coinhive web miner detections in recent days, with hackers abusing Google's DoubleClick to distribute the code through big sites including YouTube.
Trend Micro says that over the last week there has been a threefold increase in the JS_COINHIVE.GN Coinhive miner. The company says that "advertisements found on high-traffic sites not only used Coinhive [...] but also a separate web miner that connects to a private pool," and explains that it shared its finding with Google.
Writing about its finding in a blog post, Trend Micro explains:

We detected an almost 285 percent increase in the number of Coinhive miners on January 24. We started seeing an increase in traffic to five malicious domains on January 18. After closely examining the network traffic, we discovered that the traffic came from DoubleClick advertisements.
An analysis of the malvertisement-riddled pages revealed two different web miner scripts embedded and a script that displays the advertisement from DoubleClick. The affected webpage will show the legitimate advertisement while the two web miners covertly perform their task. We speculate that the attackers' use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices. The traffic involving the abovementioned cryptocurrency miners has since decreased after January 24.

The impact of the crypto-miners was far from insignificant -- they had been configured to use 80 percent of CPU resources for mining purposes. By using an obfuscated private miner, the hackers were also able to bypass Coinhive's commission fee.
Trend Micro recommends blocking Javascript to prevent issues like this from arising, but Google has already taken action against the problematic ads.

NEWS

Another case of “cryptojacking” was detected on YouTube and resolved by Google over the course of this week, Ars Technica reported Friday, Jan. 26. According to the report, anonymous hackers have managed to run ads on YouTube that consumed the visitors’ CPU power and electricity in order to mine cryptocurrencies for the attackers.

The users started posting complaints on social media this week telling that their antivirus programs detected cryptocurrency mining code in the ads that have been displayed to them by Youtube.
According to the report of the cyber security company Trend Micro, the attackers have managed to place mining malware on YouTube via the Google DoubleClick advertising platform. The ads disproportionately  targeted users from Japan, France, Taiwan, Italy, and Spain.
The vast majority - ninety percent - of ads were using JavaScript code provided by Coinhive, a controversial cryptocurrency mining platform that allows its subscribers to earn income by using other people’s computing power in an unauthorized manner.
As has been discovered by Trend Micro on Friday, the YouTube ads have been responsible for a threefold increase in Web miner detections worldwide.
In reaction to complaints from the users, Google - who owns YouTube - has announced that the situation has been resolved in a couple of hours. According to an email from the company, "the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms."
However, there is still no precise information about the timeframe of the events as Google didn’t provide any additional data, while Trend Micro claims that the warnings about the abusive ads started emerging as early as Jan.18.
Earlier this month, the software security firm Check Point issued a report about a sharp increase in the prevalence of crypto-mining malware, stating that 55% of businesses worldwide are affected by the attacks. The report declared Coinhive to be the number 1 “Most Wanted Malware.”



The concept of in-browser mining scripts has garnered a bit of a bad reputation over the past few months. No one likes the idea of someone else using their CPU to mine cryptocurrencies without consent. It now seems this trend is expanding via YouTube. More specifically, the video platform is displaying ads which use visitors’ CPUs to generate digital currency. It is a very worrisome development that will anger a lot of users.

IS YOUTUBE NOW MINING CRYPTO?

It is evident there is growing interest in mining cryptocurrencies with someone else’s computer and computing resources. This has been going on for quite some time now, and it seems things will not be improving anytime soon. Injecting cryptocurrency mining scripts into YouTube ads is a clever trick, but it’s also one of the more worrisome developments in recent weeks.
According to a recent Ars Technica article, multiple users have reported these annoying YouTube advertisements. It is unclear where the ads came from or who managed to get them on YouTube. Considering that this video platform continues to gain popularity all over the world, it is only normal that it will attract the attention of criminals as well. Purposefully inserting such scripts in advertisements displayed on the platform is rather troublesome, although it seems most of these ads have been removed.
Most of the advertisements in question contained hidden code related to the Monero browser mining scripts we have seen over the past few months. Changing between browsers made no major difference, which indicates that the script used was rather versatile and professional. It is uncanny how far some people are willing to go when it comes to making money, although this attempt is by far one of the more brazen that we have seen to date.
Trend Micro investigated these reports, and they noticed that the ads resulted in 300% more web miner detections. It seems the code made its way onto YouTube by exploiting Google’s DoubleClick ad platform. More specifically, the criminals successfully targeted countries in which YouTube is especially popular, including Japan, France, and Spain. All of the advertisements contained JavaScript, which is the catalyst for mining Monero using other people’s computing resources.
Surprisingly, of these ads, nine out of ten used the Coinhive mining script, whereas the remaining one utilized a private mining JavaScript. Said script was more lucrative for the attackers, as it removed the reliance on Coinhive altogether. Considering that this company charges a 30% cut of all mining profits, it is only normal that there would be an interest in coming up with ways to eliminate the middleman.
It is evident that we will see more efforts like these in the future. Now that some people have found a way to integrate cryptocurrency mining scripts into YouTube ads, it’s not unlikely that other video streaming platforms will be affected as well. We can only hope such issues are thwarted within 2 hours, as happened in this case. At the same time, some users complained that these advertisements remained online for over a week. Web-based cryptocurrency mining has quickly taken a turn for the worse, but this is not the last we will hear regarding this development