Security researchers have found that hackers are now exploiting YouTube ads to secretly hijack a viewer's computer processing power in order to mine cryptocurrency. The finding comes after many social media users complained that antivirus programs seem to be detecting cryptocurrency mining code whenever they visited YouTube.

According to cybersecurity firm Trend Micro, these ads helped drive a more than three-fold spike in Coinhive web miner detections. Researchers said the threat actors were abusing Google's DoubleClick ad platform to target viewers in France, Italy, Japan, Taiwan and Spain.

After analysing these ads, Trend Micro found that they contained JavaScript codes provided by the cryptocurrency mining service Coinhive to hijack 80% of CPU power and mine Monero coins.

Nine out of 10 times, these ads used the publicly available Coinhive JavaScript code. However, the YouTube ads also used a private mining JavaScript the remaining 10% of the time to save the hackers Coinhive's 30% commission feed.

"The affected webpage will show the legitimate advertisement while the two web miners covertly perform their task," researchers wrote in a blog post. "We speculate that the attackers' use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices."

In a statement to Ars Technica on Friday, 26 January, Google confirmed the cryptojacking threat and said the ads in this case were "blocked in less than two hours" and the "malicious actors" removed from the platform.

"Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we've been monitoring actively," a Google representative said. "We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms."

However, the timeline for their removal does not seem to add up. According to Trend Micro, the cryptojacking campaign seems to have been active since 18 January, when they observed an increase in traffic to five malicious domains. By 24 January, researchers detected a nearly 285% spike in the number of Coinhive miners.

IBTimes UK has reached out to Google for further comment and is awaiting a response.

Browser-based mining and cryptojacking attacks have risen in recent months amid the global hype surrounding digital currencies and their rising values. Experts have warned that a virtual currency "arms race" is brewing as threat actors add new cyberweapons to their arsenal to exploit the burgeoning market and take advantage of eager users.

In recent months, several popular websites were also found embedded with cryptomining code to hijack the processing power of users' computers and covertly mine cryptocurrency without users' knowledge or consent, including The Pirate Bay, Starbucks, Showtime and UFC.

In December last year, the popular Chrome extension Archive Poster was found to be running Coinhive as well.

Bitcoin
Hackers have been targeting YouTube ads to mine cryptocurrency Pixabay/Creative Commons