The mining script was noticed thanks to the Avast antivirus, which automatically blocked one of the banners. Developer Diego Betto decided to figure out the reason and discovered that there was a Monero miner in the ad code.
Experts at antivirus vendor Trend Micro said that unknown miners abused the Google DoubleClick advertising platform to distribute their banners in several large countries, including Japan, France, Italy and Spain.
In 9 out of 10 cases, the ad contained a script from Coinhive, configured to use 80% of the power of users’ computers. It is not known how much the attackers managed to earn, but they used several ads that were connected by a common identifier.
Troy Mursch, an independent researcher, explained that YouTube has become a target for such abuse because users stay on the site for a long time. Attackers therefore have the opportunity to earn more money than in other cases, where the user lands on a dedicated page with a mining script and immediately closes it.
In a conversation with Ars Technica, a Google representative said that the company is aware of the problem and is already actively working to combat it.
"Cryptocurrency mining through advertising is a new form of abuse that violates our policies and which we are actively observing. We use a multi-level detection system that runs on all of our platforms, which reports violations. In this case, the advertisement [with the miner] was blocked in less than two hours, and the attackers were denied access to the company's products."
Monero miners embedded in websites first came to light in September 2017. One of the first to add one was The Pirate Bay torrent tracker, as an alternative to advertising revenue, after which the script appeared on the Showtime cable channel website. By January 2018, this type of monetization had reached Russia: the Coinhive code was found on the website of the electronic registry of the Sakhalin Ministry of Health.
According to the estimates of third-party developers, the Coinhive miner earns a lot only if it is embedded on sites with very high traffic. This probably explains the attackers' desire to find loopholes in projects such as YouTube.