YouTube ads silently serving Coinhinve cryptominers
YouTube ads silently serving Coinhinve cryptominers

A malvertising campaign was observed exploiting Google's DoubleClick network to deliver silent cryptominers on high-traffic sites.

Trend Micro researchers detected an almost 285% increase in the number of Coinhive miners on January 24 and started seeing an increase in traffic to five malicious domains on January 18, according to a Jan. 26 blog post.

Researchers spotted two different web miner scripts embedded in the pages along with a script that displays the advertisement from DoubleClick. Victims will see a legitimate advertisement while two silent cryptominers run in the background.

“We speculate that the attackers' use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices,” researchers said in the post.

The advertisement contains a JavaScript code that generates a random number between 1 and 101 and if the generated number is above 10, the script will call out coinhive.min.js to mine 80% of the CPU power, which is what happens nine out of ten times, researchers added.

TrendMicro researchers weren't the only ones to spot the problem. Independent researcher Diego Betto spotted YouTube serving ads laced with CPU-draining Coinive Monero cyrptominers late last week.

During normal browsing on YouTube, at some point, the antivirus Avast reported something that was not good.” Betto said in a Jan 25 blog post. From the Chrome Inspector it appears that one of the ads is infected and tries to load a crypto miner from Coinhive.”

Betto wasn't the only one to notice the silent cryptominers as others voiced their frustration across Twitter and other social media channels.

In addition to the attackers stealing CPU cycles, the malicious JavaScript in some cases was also accompanied by graphics that displayed ads for fake AV programs that scam people out of money and often contain malware.The researchers reported everything to Google.

“Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies  and one that we've been monitoring actively,” a Google spokesperson told SC Media. “We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”

Last year, Crowdstrike researchers spotted several cases in which cryptomining software halted business operations when systems and applications crashed due to the high CPU speeds, a contrast from under the radar CPU cycle leaching attacks seen in earlier instances.

Crowdstrike researchers said hackers had adapted a smash and grab mentality and were looking to obtain more profitability from a high volume of system resources for a short period of time. Researchers expect cybercriminals will look for more ways to weaponize cryptominers for both monetary gains and other malicious attacks.