Cryptocurrency miners use YouTube to consume CPU and electricity from visitors

Recently it was discovered that YouTube showed ads that were secretly filtering the CPUs and the electricity of the visitors to generate digital currencies, especially Monero, in the name of anonymous attackers.

The news was made public this week when several people used social networks to complain that their antivirus programs detected the crypto currency code when they visited YouTube. The warnings came even when people changed the browser they were using, and the warnings seemed to be limited to the times that users were on YouTube.

In this regard, @ArungLaksmana says on Twitter that now every time he watches Youtube "my antivirus always blocks Coinhive because it is malware". And the user @diegobetto also expressed: "During normal browsing on YouTube, at some point, the antivirus Avast reported something that was not good. From Chrome Inspector, it seems that one of the ads is infected. "

Researchers with antivirus vendor Trend Micro said the ads helped generate a more than threefold increase in mine detection on the web. They added that the attackers behind the ads were abusing Google's DoubleClick ad platform to show them to YouTube visitors in selected countries, such as Japan, France, Taiwan, Italy and Spain.

The ads contain JavaScript that mines the Monero digital currency. In nine out of 10 cases, the ads used publicly available JavaScript provided by Coinhive, an encryption currency mining service that is controversial because it allows subscribers to make profits by surreptitiously using other people's computers. The remaining 10% of YouTube ads use private JavaScript mining that saves attackers from the 30% cut Coinhive charges. Both scripts are programmed to consume 80% of a visitor's CPU, leaving barely enough resources for it to work.

"YouTube was probably a target because users are usually on the site for a long period of time," security researcher Troy Mursch told Ars. "This is a prime objective for cryptographic malware, because the longer users are looking for cryptocurrencies, the more money is earned." Mursch said a September campaign that used the Showtime website to deliver cryptocurrency ads is another example of attackers targeting a video site.

To make matters worse, the malicious code of JavaScript in at least some cases was accompanied by graphics that show advertisements of fake antivirus programs, which scam people and often install malware when they are executed.

The announcement denounced here came out last Tuesday. Like the ads analyzed by Trend Micro and published on social networks, he extracted coins from Monero on behalf of someone with the Coinhive site key of "h7axC8ytzLJhIxxvIHMeC0Iw0SPoDwCK". It is not possible to know how many coins the user has generated so far. Trend Micro said the campaign began on January 18. In an email sent when this publication was underway, a Google representative wrote:

Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and that we have been actively monitoring. We enforce our policies through a multi-layered detection system on all of our platforms that we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms. "

It is unclear what the representative was referring to when he said that the ads had been blocked in less than two hours. The evidence provided by Trend Micro and on social networks showed that several warnings