Hackers are using YouTube Ads to Mine Monero Cryptocurrency

Did you visit YouTube from January 18th to January 26th? There is a chance your browser was used by hackers to generate Monero cryptocurrency.

Since the value of Bitcoin has increased hackers and cybercriminals are taking advantage of every situation they can use to make easy money. This time, however, in a shocking event it has been identified that ads on Google’s YouTube, a popular video-sharing website, were using computing power (CPU) of its visitors to generate Monero cryptocurrency without their knowledge or permission.

CoinHive code on YouTube ads

It all started on January 25th when an Italian web developer Diego Betto, Tweeted that while visiting YouTube he noticed his CPU usage suddenly increased hinting at the presence of cryptocurrency minor on the site. On further analysis, Betto found out YouTube ads were infected with CoinHive JavaScript code to mine Monero.

Hackers are using YouTube Ads to Mine Monero Cryptocurrency
Diego Betto’s CPU usage on YouTube

More: The biggest hack in the history of cryptocurrency $534 Million stolen

CoinHive is a company that provides cryptocurrency miner, which sends any coins mined by the browser to the owner of the website, application or extension. Since September 2017 there have been more than 5000 websites that have been compromised to mine Monero through CoinHive.

On the other hand, CloudFlare considers the secret use of CoinHive code as using malware against site visitors. To prove its point, the security firm booted off one of its customers in October for using the CoinHive code and not allowing users to opt out of it or disable the code.

Was YouTube compromised?

In a conversation with ArsTechnica, YouTube acknowledged the misuse of its ads but claims that the infected ads were blocked within two hours and malicious actors were also removed from its platforms.

“Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”

However, according to a report published by the cybersecurity firm TrendMicro on January 26th, it was revealed hackers have been conducting Malvertising campaigns which abuses Google’s DoubleClick ad platform to run cryptocurrency miners.

The whole campaign was going on since January 18th, 2018 which means it took Google more than a week to get rid of CoinHive miners after the researchers informed Google about the issue in which users from Italy, France, Japan, Spain, and Taiwan were the prime target.

In a conversation with Las Vegas-based security researcher Troy Mursch (“Bad Packets” on Twitter), HackRead was told that “It could be the poor result of screening ads by YouTube, however, the point is that I think they did it intentionally.”

YouTube a gem for cybercriminals

According to Alexa ranking, YouTube is the second most visited website in the world where visitors spend tons of time. The longer the user stays on a site infected with cryptocurrency miner the more Monero it generates for cybercriminals just like two Showtime video websites that were infected with a CoinHive minor in September last year.

Moreover, websites providing Torrent sites are also a lucrative target for website owners and cybercriminals since visitors spend quite some time on the site to search and download Torrent files. Remember, The Pirate Bay was caught twice secretly using CoinHive minor on the site.

How to block cryptocurrency mining

There are several ways of blocking cryptocurrency minors from using your browser and CPU power including minerBlock and No Coin extensions on Chrome web store developed for the sole purpose of blocking cryptocurrency mining and cryptojacking. Both extensions are open source and open to the public, users can check out the source code on Github here and here.

Opera Browser

Opera browser is a valuable line of defense against such cryptocurrency mining. Opera 50 prevents websites from hijacking your browser to mine cryptocurrency while its apps on Android and iOS store are equipped with anti-cryptocurrency mining capability which stops malicious apps from hijacking your device to mine cryptocurrencies.

Remember, desktops are not the only target here since security researchers also exposed the presence of Monero mining apps on Play Store while there are several third-party sites providing APKs infected with Coinhive.

More: BlackBerry Mobile Website hacked to mine Monero via Coinhive

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.