YouTube ads found to be mining Monero cryptocurrency
A new spate of cryptojacking ads has been found on YouTube, in some cases doubled up with more traditional malware.
Cryptojacking is when someone uses your computing power without permission to mine cryptocurrency for themselves. Cryptojacking will often happen when visiting malicious or compromised websites, and will often take the form of popup ads.
Now a new variety of cryptojacking ads has been uncovered on YouTube, running in the top right advertisement corner. But instead of simply being annoying, they consume large amounts of computing power to mine cryptocurrency for their owner.
In this case, they were programmed to consume up to 80% of the viewers' computing power, and mine the Monero (XMR) cryptocurrency, reports Ars Technica. The cryptojackers were caught by adblockers, and appear to have been widely rolled out in countries including Spain, Italy, Japan and Taiwan.
According to Trend Micro, this cryptojacking ad campaign started 18 January and resulted in a more than three-fold spike in cryptojacker detections.
YouTube was likely targeted because people are on the site for a considerable amount of time, explained security researcher Troy Mursch to Ars Technica. The longer people stay there, the longer the miners can leech their computing power.
Around 90% of the cryptojacking ads used a publicly available CoinHive script. CoinHive is essentially an open source cryptojacking code supplier that takes 30% of the profits when its code is used. Sometimes the cryptojacking ads would also be doubled up with more conventional malicious ads, inviting people to click and download malware to their computers.
Like most cryptojacking ads, these would stop running once the user closes YouTube or leaves that page. But if they ended up downloading and running the malware version, it might start up again once their computer boots up.
When Ars Technica contacted Google for a comment, it confirmed that cryptojacking through advertisements violates its policies and that it had taken steps to make sure "the malicious actors were quickly removed from our platforms".