Hackers are targeting YouTube ads to install mining malware which hijacks an unsuspecting user’s CPUs in order to mine cryptocurrency.
While crypto jacking is a relatively new phenomenon, it is proving to be lethal following the rapid development and widespread implementation of this latest hacking technique. Malicious attackers insert a piece of JavaScript code into an online platform which allows them to utilize unsuspecting victims’ CPUs to mine cryptocurrency, mostly Monero. However, crypto jackers have recently set their sights on a brand new online platform to attack victims: Google ad service advertisements on YouTube.
The hack
The cybersecurity firm, Ars Technica revealed this latest development last Friday, after several online users complained that certain YouTube ads were setting off alarms in their antimalware software. These triggers were later proven to be the JavaScript code from CoinHive that antimalware programs were picking up on. Initially, CoinHive created the script to allow small websites to generate some funds by enabling them to use their site visitors’ CPUs to mine Monero.
The concept behind the script was that website administrators would inform visitors of the mining script, give them the opportunity to opt out of it, and refrain from implementing such demanding script that the visitor’s computer crashes. While the script might have had good intentions, so far it has been mostly used for covert crypto jacking. The latest YouTube ad mining malware campaign was discovered to use up to 80% of victims’ malware, without their knowledge or consent.
The target
According to Ars Technica researchers, together with the team from Trend Micro, the hackers behind this latest campaign were using the Google DoubleClick ad service to target viewers from countries all over the world, including Spain, Italy, France, Taiwan, and Japan. The malware campaign triggered certain anti-virus software, in fact, more so than previous mining malware campaigns.
The cybersecurity firm added that in nine out of ten instances, hackers used the easily available CoinHive code to launch their malware campaign.
Interestingly, Trend Micro researchers discovered that in about 10% of mining malware campaigns, the hackers used a mining script that they designed themselves, ostensibly to evade the 30% profit demanded by CoinHive.
The solution
According to a YouTube spokesperson, the company was aware of the growing issue, despite it being a hacking technique that only surfaced in 2017. The spokesperson confirmed that any mining malware violates YouTube’s policies and that the company was actively monitoring its platform to catch and address such violations. The spokesperson added that YouTube uses a multi-layered system to detect threats. The spokesperson concluded that in the latest instance, the malicious ads were deleted and the culprits apprehended within two hours of detection.
However, Trend Micro’s report states otherwise.
According to a report from the cybersecurity company, the mining malware campaign was active for at least a week before being addressed. The YouTube spokesperson did not wish to comment on this.
YouTube insiders have claimed that the two-hour period was referring to each individual ad, and not the entirety of the campaign.
To launch a campaign of this scale, the hacker has to submit an ad free from malicious code via a regular YouTube account. After YouTube has approved the clean ad and it goes live, the attackers use cloaking techniques to bypass detection on YouTube’s platform and then swaps out the clean ad with the mining malware ad. Once detected, about two hours later, the ad is deleted, and the offending user’s account is removed from YouTube.
The system is likely to become an ever-growing one for both the YouTube and Google platform. While the script is not necessarily dangerous is does pose an infringement on user privacy as their CPUs are utilized without their knowledge and consent, while hackers pocket all the profits.
