Abuse of Google DoubleClick leads to crypto-miners on YouTube ads

by Alice Woods - - 2018-01-30

Hackers managed to compromise Google's DoubleClick platform to serve ads with crypto-mining malware on YouTube

Youtube ads were used to mine cryptocurrency

On January 26, experts have reported that anonymous hackers managed to abuse Google's DoubleClick advertising platform to deliver YouTube ads which stealthily mine cryptocurrency in the background. Users were complaining that their antivirus programs were blocking Youtube virus^[1].

It seems that security software had detected a crypto-mining code which exploits excessive amounts of users' CPU power to mine cryptocurrency and generate illegal profits for the attackers. According to the analysis, criminals have misused legal Monero JavaScript mining services provided by Coinhive^[2].

Google has reported that they have quickly resolved the problem and the accounts in DoubleClick and YouTubewhich are supposedly responsible for such actions were removed^[3]:

The ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.

However, malware researchers say that the attackers have created malicious ads which were particularly targeting people from Spain, Taiwan, Japan, Italy, France and they are responsible for a 285% increase in crypto-mining malware detections worldwide.

The peculiarities of the cryptojacking attack

Ads displayed on Youtube contained a Javascript code which is freely accessible online. The developers of the script, Coinhive, takes 30% of the generated profit. Likewise, people find it as a fair deal since the code is active and allows mining cryptocurrency as long as the website is open.

This is the main reason why security researcher, Troy Mursch, believes that attackers chose YouTube on purpose — people usually stay on the site for long periods of time^[4]:

YouTube was likely targeted because users are typically on the site for an extended period of time. This is a prime target for cryptojacking malware, because the longer the users are mining for cryptocurrency the more money is made.

Another interesting thing that was found is that the criminals used two separate crypto-miners. 90% of the time YouTube ads used the original Javascript code by Coinhive. However, 10% of the time they activated a private crypto-mining malware which was altered in a way to save the 30% cut which the developers take.

Countermeasures every computer user should take

It is quite evident that using a professional security software today is a must. In this case, users were notified about the malicious script running in the background shortly after the antivirus detected it. Thus, the easiest way to protect your system from cryptojacking is employing a robust malware removal tool.

Another great way to avoid crypto-mining malware is to block JavaScript-based applications from running on browsers^[5]. This should help prevent Coinhive miners from using your CPU resources without your permission.

About the author

Alice Woods - Likes to teach users about virus prevention

Alice Woods is the News Editor at 2-spyware. She has been sharing her knowledge and research data with 2spyware readers since 2014.

Contact Alice Woods
About the company Esolutions

References

^ Lucia Danes. Youtube virus. How to remove? (Uninstall guide). 2Spyware. Security and Spyware News.
^ Aatif Sulleyman. Malicious YouTube ads secretly slowed down computers and earned Bitcoin alternative Monero for the attackers. The Independent. UK and Worldwide News.
^ Helen Partz. Crypto-Mining Malware Epidemic: 55% of Businesses Affected Worldwide, Including YouTube. Cointelegraph. Bitcoin & Ethereum Blockchain News.
^ Dan Godin. Now even YouTube serves ads with CPU-draining cryptocurrency miners. Ars Technica. News and opinions in technology, science, politics, and society.
^ Chaoying Liu and Joseph C. Chen. Malvertising Campaign Abuses Google’s DoubleClick to Deliver Cryptocurrency Miners. TrendMicro. Enterprise Cyber Security Solutions.