Hackers hijack YouTube ads with Coinhive to mine Monero cryptocurrency

The clandestine mining of cryptocurrency is something that we have seen in various forms over the last year or so, in website code and Android apps. A new discovery by security firm Trend Micro shows that hackers have found a way to inject Coinhive mining code into ads that appear on YouTube.

The crypto-jacking technique means that hackers have been able to profit by using other people's CPU time to mine the Monero cryptocurrency while they watch videos. Trend Micro reports that there has been a huge increase in Coinhive web miner detections in recent days, with hackers abusing Google's DoubleClick to distribute the code through big sites including YouTube.

See also:

Trend Micro says that over the last week there has been a threefold increase in the JS_COINHIVE.GN Coinhive miner. The company says that "advertisements found on high-traffic sites not only used Coinhive [...] but also a separate web miner that connects to a private pool," and explains that it shared its finding with Google.

Writing about its finding in a blog post, Trend Micro explains:

We detected an almost 285 percent increase in the number of Coinhive miners on January 24. We started seeing an increase in traffic to five malicious domains on January 18. After closely examining the network traffic, we discovered that the traffic came from DoubleClick advertisements.

An analysis of the malvertisement-riddled pages revealed two different web miner scripts embedded and a script that displays the advertisement from DoubleClick. The affected webpage will show the legitimate advertisement while the two web miners covertly perform their task. We speculate that the attackers' use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices. The traffic involving the abovementioned cryptocurrency miners has since decreased after January 24.

The impact of the crypto-miners was far from insignificant -- they had been configured to use 80 percent of CPU resources for mining purposes. By using an obfuscated private miner, the hackers were also able to bypass Coinhive's commission fee.

Trend Micro recommends blocking Javascript to prevent issues like this from arising, but Google has already taken action against the problematic ads.

Image credit: Ryzhi / Shutterstock