Stop dilly-dallying. Block all ads on YouTube

Cryptominers hijack Google's DoubleClick ad system.

YouTube malicious ad

As Ars Technica reports, YouTube has been spotted pushing ads onto users.

That, in itself, isn’t newsworthy of course. But these ads are surreptitiously stealing resources from visiting computers to mine for cryptocurrencies:

On Friday, researchers with antivirus provider Trend Micro said the ads helped drive a more than three-fold spike in Web miner detections. They said the attackers behind the ads were abusing Google’s DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain.

The ads contain JavaScript that mines the digital coin known as Monero. In nine out of 10 cases, the ads will use publicly available JavaScript provided by Coinhive, a cryptocurrency-mining service that’s controversial because it allows subscribers to profit by surreptitiously using other people’s computers. The remaining 10 percent of the time, the YouTube ads use private mining JavaScript that saves the attackers the 30 percent cut Coinhive takes. Both scripts are programmed to consume 80 percent of a visitor’s CPU, leaving just barely enough resources for it to function.

You should run an ad blocker when you surf the web.

Not just because ads are invariably ugly and ruin the user experience. Not just because you don’t want ads tracking your online behaviour. Not just because ads slow down your online experience and gobble up your bandwidth. Not just because ads can infect your computer with malware, or be secretly sapping your computer resources by mining for cryptocurrencies in the background.

But because even Google, one of the world’s largest advertising companies (with its own considerable security prowess), seems to be incapable of guaranteeing a stream of safe ads. What hope for the other advertising networks if Google can’t get it right?

In a statement, Google said it took action against the offending ads when it became aware of them:

“Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”

To which I say, too little too late. Why does Google DoubleClick allow ads to contain JavaScript in the first place?

It’s a shame, of course, for those websites which depend on advertising as a revenue stream. But we have to face facts. Ads can’t be trusted. Run an ad blocker.


10 Responses

  1. Dave

    January 30, 2018 at 2:13 pm #

    Do you have a recommended ad blocker? Can I trust the ad blocker? Why?

    • tito salah in reply to Dave.

      January 30, 2018 at 4:43 pm #

      Use
      Nano Adblocker + Nano Defender + Pop up blocker for Chrome
      and say goodbye to ads

    • Troy Mursch in reply to Dave.

      January 30, 2018 at 8:08 pm #

      I recommend using a dedicated extension to block cryptojacking, such as minerBlock.

      Chrome
      https://chrome.google.com/webstore/detail/minerblock/emikbbbebcdfohonlaifafnoanocnebl?hl=en

      Firefox
      https://addons.mozilla.org/en-US/firefox/addon/minerblock-origin/

      You can trust it because I’ve covered this topic extensively for the last four months and personally shared my feedback with the developer of minerBlock. However, it’s wise to be wary as some browser extensions you’d think are helpful are actually malicious, as we’ve seen in a few recent examples.

  2. Ben

    January 30, 2018 at 10:18 pm #

    Word for word, it is exactly what I’m thinking, what I recommend around me, and what I’ve been doing for years now. I just don’t like ads since it became a serious invasive issue, and moreover, when it became a security issue.

    To share my “experience”: most of the time ads ruined my “experience”, and I can’t say how much I hate this word, since it is overused by GAFA. No, they won’t “enhance my experience”; they can’t do that because for years they managed to ruin it. That’s why I use an ad blocker, uBlock Origin to name it, and oh boy, what a difference! Thanks to Gorhill, this tool does what it is supposed to do: block ads and scripts. And by the way, it even prevents my browser from loading tons of useless stuff, making pages load faster, and as uBO is very customizable, it is all I needed.

    Of course, even if I tend to disable it for some websites I know and trust, now I’m a bit concerned. As Graham wrote in the article, if it happened to Google, what about websites I “trust”? Should I? Probably not anymore, I guess. Unfortunately, as I don’t have any way to know, I feel forced to enable my ad blocker by default no matter which website I visit. If content is not available because of that, no problem, I’ll find another way.

    “Run an ad blocker” is the best advice so far.

  3. Jack T.

    January 31, 2018 at 12:08 am #

    JavaScript should only be allowed to run from the domain in the address bar. Period. No third party JavaScript allowed. The browser makers can make it so and advertisers will have to go back to images only without privacy and security invading tracking.

    Perhaps web sites will have to figure out how to host the ads on their own site and accept full responsibility for problems. Since it would affect their reputation, they would be careful. The advertisers will have to learn to accept the hit counts from the sites.

    • APPL5h1T in reply to Jack T..

      February 1, 2018 at 5:30 pm #

      Whilst I agree with what you are saying in principle it is not that simple in practice, unfortunately.

      Just have a look at how many third party resources are being loaded by your average website, most of which are running JavaScript of course.

      The vast majority of websites rely on Google APIs, fonts, etc., which are all problematic with regards to privacy. On top of that, imagine what happens if one of the popular CDNs gets hacked and starts dishing out malware (Amazonaws, Akamai, Cloudfront, etc…)
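
Added example, not part of the original post or its comments: a small Node.js audit that classifies a page's script tags the way a first-party-only rule (the closest existing mechanism is the CSP directive `script-src 'self'`) would treat them, and flags third-party scripts that carry no Subresource Integrity pin, the compromised-CDN case raised in the reply. The sample page, its hostnames and the integrity value are constructed, and the regex-based tag scan is a simplifying assumption rather than a full HTML parser.

```javascript
// Added example: audit script tags against a first-party-only policy.
// The sample page and all hostnames below are constructed for illustration.
const SAMPLE_PAGE_URL = "https://news.example/article";
const SAMPLE_HTML = `
<script src="/js/site.js"></script>
<script src="https://news.example/js/comments.js"></script>
<script src="https://cdn.example/lib/framework.min.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDER" crossorigin="anonymous"></script>
<script src="//ads.example/creative/loader.js"></script>
<script>var inlineTracker = 1;</script>
`;

// Classify every <script> the way `script-src 'self'` would treat it:
// same-origin files are allowed, inline and third-party scripts are blocked.
function auditScripts(pageUrl, html) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) {
      findings.push({ source: "(inline)", verdict: "blocked-inline", hasIntegrity: false });
      continue;
    }
    const resolved = new URL(src[1], pageUrl); // handles relative and // URLs
    const firstParty = resolved.origin === pageOrigin;
    findings.push({
      source: resolved.href,
      verdict: firstParty ? "allowed-first-party" : "blocked-third-party",
      // Subresource Integrity pins a third-party file to a known hash,
      // which covers the compromised-CDN case raised in the reply.
      hasIntegrity: /\bintegrity\s*=\s*["'][^"']+["']/i.test(attrs),
    });
  }
  return findings;
}

// Third-party scripts with no integrity pin: the riskiest loads on the page.
function unpinnedThirdParty(findings) {
  return findings
    .filter(f => f.verdict === "blocked-third-party" && !f.hasIntegrity)
    .map(f => f.source);
}

const report = auditScripts(SAMPLE_PAGE_URL, SAMPLE_HTML);
console.log(report, unpinnedThirdParty(report));
```
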

  4. drsolly

    January 31, 2018 at 12:13 am #

    I run an ad blocker

  5. John Lewis

    February 1, 2018 at 4:14 pm #

    The fact is that Google could stop this, they have the technology but they (and Facebook) have no incentive to do so - see - https://wp.me/p7MvnT-cO

  6. Xane M.

    February 1, 2018 at 4:27 pm #

    I’ve used an ad blocker on YouTube for a long time and try to never watch videos on mobile as there I’m unsure if an ad blocker would work. I may feel bad that the content creators aren’t getting their money but I’ve heard of how iffy the ads are and the latest place where mining happens being in these ads…no, I only will mine Monero for myself.

  7. Alfonso

    February 12, 2018 at 8:34 pm #

    Great work, as always Graham. Regards.
