YouTube Advertising Serves Unauthorized Drive-By Mining Attacks
posted Saturday Jan 27, 2018 by Scott Ertz
Browser-based cryptocurrency mining has become a bit of a drain, both on the internet and on people's computers. Some sites have implemented the process as a supplement for ad revenue lost to ad blockers. Others have taken it a step further, introducing mining software into the ads that show on those websites themselves.
While this process would be expected from ads served by smaller ad exchanges, you would probably expect an ad network like Google AdSense or Google DoubleClick to have policies and procedures in place to prevent any malicious software from being served by their own ads. Unfortunately, you are giving Google more credit than is deserved, as that is exactly what happened this week.
Ads being shown on Google's own YouTube were found to be taking advantage of viewers' CPU cycles to mine cryptocurrency without the viewers' knowledge or permission. Using an ad to mine coins on a site like YouTube is clever, if not devious. Users tend to stay on the site for a longer period of time than on most other sites, and even stay on a single page for an extended period, while doing little else on the computer. This means that the mining will run consistently for a longer period of time, and will be harder to detect because users are not using their computers heavily.
As Google became aware of the issue, a spokesperson sent an email saying,
"Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we've been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms."
The problem with the statement is that the two hours referenced by the representative was, in reality, over a week. That is according to a report from Trend Micro, which has been studying the practice of web-based mining carefully. Trend Micro, as well as Avast and other antivirus platforms, have begun warning users when a site is running mining code in the browser, and allow users to block that code temporarily or permanently.
While these drive-by mining attacks are becoming more common, and approaching an epidemic, there is no evidence that there are any lasting effects after the browser window is closed or the website is left.