Hackers are abusing YouTube ads to deliver mining malware that hijacks unsuspecting users' CPUs to mine cryptocurrency.
The concept behind the mining script was that website administrators would tell visitors the page mines cryptocurrency in their browser, give them the chance to opt out, and throttle the script so that it never drove a visitor's computer to the point of crashing. Whatever its intentions, so far the script has mostly been used for covert cryptojacking. The latest YouTube ad mining campaign was found to consume up to 80% of a victim's CPU, without the victim's knowledge or consent.
According to Ars Technica, reporting on research from Trend Micro, the hackers behind this latest campaign used Google's DoubleClick ad service to reach viewers in countries around the world, including Spain, Italy, France, Taiwan and Japan. The campaign triggered a noticeable spike in anti-virus detections, more so than previous mining malware campaigns.
The cybersecurity firm added that in nine out of ten instances, the hackers used the readily available CoinHive code to run their campaign.
In the remaining roughly 10% of cases, Trend Micro researchers found that the hackers used a mining script of their own design, apparently to avoid the 30% commission CoinHive takes from mined proceeds.
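The opt-out and throttling model described above, and the CoinHive versus self-built split reported by Trend Micro, are easiest to see in the script text itself. The following scanner is an added example, not code from the article or from Trend Micro: it flags in-browser miner indicators in page script text and estimates the CPU share from the miner's throttle setting. It assumes CoinHive's loader lived at coinhive.com/lib/coinhive.min.js and was driven with `new CoinHive.Anonymous(siteKey, { throttle })`, where throttle is the fraction of time the miner idles (0 meaning full speed); the site key and all page snippets are constructed for the example.

```javascript
// Added example (not from the article or Trend Micro): flag in-browser miner
// indicators in script text and estimate CPU share from the throttle setting.
// Assumptions: CoinHive loader URL and `new CoinHive.Anonymous(key, {throttle})`
// API shape as the library documented them; throttle 0 = full speed.
const MINER_INDICATORS = [
  { name: 'coinhive-loader', re: /coinhive\.com\/lib\/coinhive(?:\.min)?\.js/i },
  { name: 'coinhive-api', re: /\bCoinHive\.(?:Anonymous|User|Token)\s*\(/ },
  // Self-built miners (the other ~10% in the report) never mention CoinHive,
  // but usually still carry the hash algorithm or pool protocol name.
  { name: 'generic-miner-strings', re: /cryptonight|stratum\+tcp/i },
];

// Returns { mining, hits, cpuPercent } for one script body.
function scanScript(scriptText) {
  const hits = MINER_INDICATORS.filter((i) => i.re.test(scriptText)).map((i) => i.name);
  if (hits.length === 0) return { mining: false, hits, cpuPercent: 0 };
  const m = scriptText.match(/throttle\s*:\s*(0(?:\.\d+)?|1(?:\.0+)?)/);
  const throttle = m ? parseFloat(m[1]) : 0; // no throttle given: assume full speed
  return { mining: true, hits, cpuPercent: Math.round((1 - throttle) * 100) };
}

// Constructed samples (SITEKEY_PLACEHOLDER is not a real key).
const SAMPLES = {
  // The abuse pattern described in the article: silent start, 80% of the CPU.
  covertAd: `
    <script src="https://coinhive.com/lib/coinhive.min.js"></script>
    <script>
      var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER', { throttle: 0.2 });
      miner.start();
    </script>`,
  // The intended use: start only after the visitor agrees, leave most of the CPU alone.
  optInSite: `
    <script src="https://coinhive.com/lib/coinhive.min.js"></script>
    <script>
      document.getElementById('agree').addEventListener('click', function () {
        new CoinHive.Anonymous('SITEKEY_PLACEHOLDER', { throttle: 0.7 }).start();
      });
    </script>`,
  // A self-hosted miner that never references CoinHive by name.
  customMiner: `<script>var pool='stratum+tcp://pool.example:3333';var w=new Worker('cn.js');</script>`,
  benign: `<script>console.log('hello');</script>`,
};

function scanAll(samples) {
  const report = {};
  for (const [name, text] of Object.entries(samples)) report[name] = scanScript(text);
  return report;
}

console.log(scanAll(SAMPLES));
```

Name-based indicators catch the nine-in-ten CoinHive cases; the custom miners only show up through generic strings such as the pool protocol, so a scanner that relies on the CoinHive name alone misses exactly the campaigns that were built to avoid its commission.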
According to a YouTube spokesperson, the company was aware of the growing issue, even though the technique only surfaced in 2017. The spokesperson confirmed that any mining malware violates YouTube's policies and that the company actively monitors its platform to catch and address such violations, using a multi-layered system to detect threats. The spokesperson concluded that in the latest instance, the malicious ads were removed and the offending accounts taken down within two hours of detection.
However, Trend Micro’s report states otherwise.
According to a report from the cybersecurity company, the mining malware campaign was active for at least a week before being addressed. The YouTube spokesperson declined to comment on this.
YouTube insiders have said that the two-hour figure referred to each individual ad, not the campaign as a whole.
To run a campaign of this scale, the attacker first submits an ad free of malicious code through an ordinary YouTube account. Once YouTube has approved the clean ad and it is live, the attacker uses cloaking techniques to evade detection on YouTube's platform and swaps the clean ad for one carrying the mining script. When the swap is detected, about two hours later, the ad is deleted and the offending account is removed from YouTube.
The problem is likely to keep growing for both YouTube and the wider Google ad platform. While the script is not necessarily dangerous to the machine, it does infringe on users: their CPUs are used without their knowledge or consent, while the hackers pocket all the profits.