Some smart crooks found a way to insert and deliver the Coinhive in-browser miner inside ads delivered via the Google DoubleClick ad delivery platform.

Ads delivered this way made their way onto countless sites, and even onto Google's own property, YouTube.

A Trend Micro report released today claims the crooks behind this campaign started abusing Google's DoubleClick platform to deliver the Coinhive in-browser miner around January 18 and significantly ramped up operations on January 23.

[Chart: Coinhive detections in recent DoubleClick malvertising campaign]

The chart above shows Coinhive detections for this malvertising campaign abusing Google DoubleClick.

Crooks deployed Coinhive on YouTube on January 23

The huge spike represents the moment when crooks decided to deliver the Coinhive-tainted ads on YouTube, the world's largest video hosting platform.

Reports immediately started appearing on Twitter [1, 2, 3, 4, 5, 6, 7, 8]. According to some of these reports, various antivirus products began detecting the Coinhive cryptojacker when users were visiting YouTube, a place where Coinhive would have never been able to load except via malicious JavaScript code hidden in one of the numerous ads displayed on video pages.

The Coinhive service appeared last September and has described itself as a website monetization service that could be employed as an alternative to classic online ads. The service uses JavaScript code to mine the Monero cryptocurrency inside the browser of a site's visitor.

Despite its good intentions, the service has been abused by crooks, who load the Coinhive in-browser miner on hacked sites, via malicious ads, inside desktop apps and game mods, and any other place that can run JavaScript code.

After Coinhive's initial success, various similar services have also launched online. These services operate by taking a small cut of the cryptocurrency website owners mine using their visitors' PCs.

This practice of secretly loading a JavaScript miner inside browsers and other JS-capable apps is being called cryptojacking or drive-by mining.

Currently, only ad blockers, no-JavaScript browser extensions, and antivirus products have proven effective at blocking cryptojacking scripts.
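To make the defensive side of this concrete, here is an added example of the kind of check an ad blocker or site operator could run over the scripts a page (or an ad creative) tries to load. It is illustration code written for this page, not code from the article, from Trend Micro, or from any blocker product. The hostnames in the blocklist and the sample scripts are constructed placeholders, not real miner or ad domains, and the keyword list and the "WebAssembly kernel plus Web Workers" heuristic are assumptions about how in-browser Monero miners typically behave, going slightly beyond the article's description of a JavaScript miner:

```javascript
// Added example: heuristic scanner for cryptojacking scripts in a page or ad.
// All sample data is constructed for illustration; hostnames are placeholders.

// Hosts a filter list (as used by ad blockers) would refuse to load scripts from.
// Placeholder names, not the real Coinhive or DoubleClick domains.
const MINER_HOST_BLOCKLIST = new Set(["miner-cdn.example", "pool-relay.example"]);

// Source-level strings commonly seen in browser-based Monero miners (assumed list).
const MINER_KEYWORDS = ["cryptonight", "stratum", "hashrate", "startMining"];

// Extract the lowercase hostname of a script URL, or null if it is not a valid URL.
function hostOf(src) {
  try {
    return new URL(src).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Classify one script entry of the form { id, src, body } and collect the reasons
// it looks like a miner. A script with no reasons is considered clean.
function classifyScript(script) {
  const reasons = [];
  const host = script.src ? hostOf(script.src) : null;
  if (host && MINER_HOST_BLOCKLIST.has(host)) {
    reasons.push(`blocklisted host ${host}`);
  }
  const body = script.body || "";
  const hits = MINER_KEYWORDS.filter((k) => body.includes(k));
  if (hits.length > 0) {
    reasons.push(`miner keywords: ${hits.join(", ")}`);
  }
  // Miners usually compile a WebAssembly hashing kernel and fan it out to Web
  // Workers so the visitor's CPU stays busy in the background.
  if (/WebAssembly\.(instantiate|compile)/.test(body) && /new\s+Worker\(/.test(body)) {
    reasons.push("WebAssembly kernel dispatched to Web Workers");
  }
  return { id: script.id, suspicious: reasons.length > 0, reasons };
}

// Scan every script on a page and return only the ones that were flagged.
function scanPage(scripts) {
  return scripts.map(classifyScript).filter((r) => r.suspicious);
}

// Constructed sample: two legitimate scripts, one loader from a blocklisted host,
// and one inline miner that uses WebAssembly, Web Workers and a stratum pool URL.
const SAMPLE_SCRIPTS = [
  { id: "player", src: "https://cdn.site.example/player.js", body: "" },
  { id: "ad-pixel", src: "", body: "var img=new Image();img.src='https://ads.example/pixel.gif';" },
  { id: "ad-loader", src: "https://miner-cdn.example/lib/m.min.js", body: "" },
  {
    id: "inline-miner",
    src: "",
    body:
      "WebAssembly.instantiate(buf).then(m=>{for(let i=0;i<4;i++)new Worker(blobUrl)});" +
      "var pool='stratum+tcp://pool-relay.example:3333';",
  },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of scanPage(SAMPLE_SCRIPTS)) {
    console.log(`${r.id}: ${r.reasons.join("; ")}`);
  }
}
```

Run with Node to see the two flagged entries. The host blocklist reproduces what filter-list based ad blockers do; the content heuristics are what an antivirus or a site's own integrity check would add, since a miner can be renamed and re-hosted far more easily than it can drop its hashing kernel and worker threads.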
