Mining Monero
The malvertising campaign was detailed by security firm Trend Micro in a blog post late last week. It was large enough to create a temporary tripling in the number of active Coinhive miners. Coinhive is a service which provides JavaScript cryptocurrency mining scripts that can run inside web browsers.
Analysis of the surge in traffic revealed it was originating from adverts hosted on Google’s DoubleClick network that were displayed alongside YouTube videos. As unknowing users browsed the site and watched content, the ads silently mined coins of the Monero cryptocurrency for the attackers. It’s impossible to determine how many coins the campaign could have mined.
The scripts were configured to use up to 80% of the device’s CPU power, implying the attacker was trying to avoid detection. Because cryptocurrency mining is a performance-intensive operation, the user is likely to notice significant performance slowdowns on their device. The processor throttling prevents the script from consuming all the device’s resources, which could mitigate some of the slowdowns and prevent the user from noticing.
“Multi-layered detection”
Ads that employ cryptocurrency mining scripts to create revenue are a new form of attack that first gained attention last year. Streaming services such as YouTube are ideal targets because users tend to spend a long time on each page. While watching a YouTube video, an ad could be displayed uninterrupted for multiple minutes at a time, maximising coin production.
In a statement to Ars Technica last week, Google confirmed the breach of YouTube’s ad policies and said it’s taking steps to prevent future similar campaigns. The company claimed it removed the ads “in less than two hours,” although it hasn’t clarified the timeline of events.
READ NEXT: Report: Microsoft building new “modern” Windows 10 version
“Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively,” said Google. “We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”
The soaring value of cryptocurrencies last year has helped make mining scripts into an attractive form of attack for hackers. Well-crafted campaigns can avoid the user’s attention entirely while generating substantial revenue.
There are steps users can take to prevent the activity, such as installing a browser security extension. This can help to minimise the attack’s impact and prevent websites from consuming excessive resources.
