Sunday, September 25, 2022

Illegal Cryptocurrency Mining Scripts Target YouTube Viewers

Researchers at Trend Micro, a Japanese cyber-security company, divulged that crypto mining scripts have been attacking YouTube viewers by using their CPU power to illegally mine cryptocurrencies. Recently, Coinhive has been a popular way to mine cryptocurrency using a victim’s computer, and it has found its way into YouTube ads.

Coinhive Scripts Now on YouTube Ads

As the Trend Micro blog explains: “We started seeing an increase in traffic to five malicious domains on January 18th. After closely examining the network traffic, we discovered that the traffic came from DoubleClick advertisements.”

YouTube users reported on social media that the video platform had been draining their CPU power. Trend Micro researchers pointed out that the malicious agent or agents responsible targeted users in France, Japan, Italy, Taiwan and Spain.

Most hackers use the open source JavaScript made available by Coinhive to mine Monero (XMR), a bitcoin substitute. Coinhive can eat up to 90% of a CPU’s power.

Troy Mursch, an independent security researcher, told Ars Technica:

“YouTube was likely targeted because users are typically on the site for an extended period of time. This is a prime target for cryptojacking malware, because the longer the users are mining for cryptocurrency the more money is made.”

The abusive JavaScript ads masqueraded as fake AV programs. Once a user clicked on one, the malware installed on the victim’s computer. The ad was then injected and produced the following result:


The hacker with the Coinhive site key “h7axC8ytzLJhIxxvIHMeC0Iw0SPoDwCK” ran these cryptojacking scripts to mine Monero.
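A defender-side check for the embed pattern described above, added here as an example and not taken from Trend Micro or the original article: it scans ad or page markup for a Coinhive loader script and `CoinHive.*` constructor calls, then extracts the site key and throttle. The sample markup is constructed; only the site key comes from the article, and the default throttle of 0 is an assumption about Coinhive's API.

```javascript
// Added example: static scan of ad/page markup for Coinhive miner embeds.
// A <script> tag whose src points at a Coinhive-named JavaScript file.
const LOADER_RE = /<script[^>]+src\s*=\s*["']([^"']*coinhive[^"']*\.js)["']/gi;
// new CoinHive.<Kind>('<32-char site key>', ...options) in inline script.
// This still matches when the loader is self-hosted under another file name.
const CTOR_RE = /new\s+CoinHive\.(\w+)\s*\(\s*["']([A-Za-z0-9]{32})["']([^)]*)\)/g;
const THROTTLE_RE = /throttle\s*:\s*([0-9]*\.?[0-9]+)/;

function findCoinhiveEmbeds(markup) {
  const loaders = [...markup.matchAll(LOADER_RE)].map((m) => m[1]);
  const miners = [...markup.matchAll(CTOR_RE)].map((m) => {
    const t = THROTTLE_RE.exec(m[3]);
    // throttle = fraction of time the mining threads stay idle.
    // Assumption: an unset throttle means 0, i.e. no idle time.
    const throttle = t ? parseFloat(t[1]) : 0;
    return {
      kind: m[1],
      siteKey: m[2],
      throttle,
      cpuShare: Math.round((1 - throttle) * 100), // percent of CPU time requested
    };
  });
  return { loaders, miners, suspicious: loaders.length > 0 || miners.length > 0 };
}

// Constructed sample markup; only the site key is taken from the article.
const SAMPLE_AD = `
<div id="ad-slot">
  <script src="https://coinhive.com/lib/coinhive.min.js"></script>
  <script>
    var miner = new CoinHive.Anonymous('h7axC8ytzLJhIxxvIHMeC0Iw0SPoDwCK', {throttle: 0.1});
    miner.start();
  </script>
</div>`;
// Constructed benign ad for comparison (ads.example is a placeholder host).
const CLEAN_AD = `<div id="ad-slot"><img src="https://ads.example/banner.png"></div>`;

console.log(JSON.stringify(findCoinhiveEmbeds(SAMPLE_AD), null, 2));
console.log(JSON.stringify(findCoinhiveEmbeds(CLEAN_AD)));
```

A static scan like this misses obfuscated or dynamically assembled loaders, so it complements rather than replaces blocking the mining endpoints at the network or browser level.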

Google Resolves the Issue?

A Google representative said the attack vector in question was resolved within two hours. An official statement from the company read:

“Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”

However, Trend Micro and accumulated social media evidence indicate that these ads continued to operate for more than a week after Google gave assurances that the issue was resolved.

According to Trend Micro, restricting all JavaScript-based applications in browsers can stop these scripts from leeching CPU power. In the past, Trend Micro warned against cryptocurrency mining malware that used Facebook Messenger to mine Monero.

The Trend Micro blog stated, “We detected an almost 285% increase in the number of Coinhive miners on January 24th.” Many predict that these activities will expand, not decrease, over time.

Images via The Independent, Ars Technica
