The Independent's journalism is supported by our readers. When you purchase through links on our site, we may earn commission. 

Malicious YouTube ads secretly slowed down computers and earned bitcoin alternative Monero for attackers

The process is known as crypto-jacking, and it’s a growing problem

Aatif Sulleyman
Monday 29 January 2018 15:58 GMT
Comments
YouTube themed cupcakes are displayed during Murray SawChuck's 100,000 YouTube subscriber party at Planet Hollywood Resort
YouTube themed cupcakes are displayed during Murray SawChuck's 100,000 YouTube subscriber party at Planet Hollywood Resort (Gabe Ginsberg/Getty Images for Murray SawChuck)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

YouTube users’ computers were being slowed down by ads that hijacked them to secretly mine cryptocurrencies, security researchers say.

The ads forced them to help malicious actors earn the cryptocurrency Monero, a bitcoin alternative, by hogging their computer processing power.

The process is known as crypto-jacking, and it’s a growing problem.

“An analysis of the malvertisement-riddled pages revealed two different web miner scripts embedded and a script that displays the advertisement from DoubleClick,” said Trend Micro.

“The affected webpage will show the legitimate advertisement while the two web miners covertly perform their task.

“We speculate that the attackers’ use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices.”

90 per cent of the time, the malicious adverts would launch a miner called Coinhive, while in the remaining 10 per cent of cases, a private web miner would be used.

Each would covertly use up 80 per cent of victims’ computer processing power for mining, resulting in the machine running much slower than normal.

What’s more, Trend Micro says the adverts that appeared on YouTube helped drive up the volume of cryptojacking incidents involving Coinhive by almost 285 per cent.

“Attackers abused Google’s DoubleClick, which develops and provides internet ad serving services, for traffic distribution,” the company added.

“Data from the Trend Micro Smart Protection Network shows affected countries include Japan, France, Taiwan, Italy, and Spain.”

Google has now blocked the adverts from YouTube.

“Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively,” a Google spokesperson told The Independent.

“We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”

We’ve teamed up with cryptocurrency trading platform eToro. Click here to get the latest Bitcoin rates and start trading. Cryptocurrencies are a highly volatile unregulated investment product. No EU investor protection. 75% of retail investor accounts lose money when trading CFDs.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in