Security researchers have revealed how hackers are now bombarding YouTube videos with fake antivirus ads and running crypto jacking codes without alerting users.
Malvertisers are running fake antivirus adverts on YouTube videos by abusing Google's Double Click ad platform and tricking users into downloading malware.
Security researchers at both Trend Micro and Adguard have unearthed a sophisticated malvertising operation that helped people run cryptomining software on systems without alerting users. Ideally, such cryptomining consumes CPU power in user systems, and thus creators are required to inform users about such operations. However, those behind the malvertising campaign did no such thing.
According to security firm Adguard, the campaign was exposed after YouTube users complained about their antivirus alerting about mining attempts while they were watching videos on YouTube. Following deep analysis, researchers concluded that malicious actors abused Google's Double Click ad platform to run fake antivirus ads on YouTube videos, thereby provoking people to download malware.
'We discovered that advertisements found on high-traffic sites not only used Coinhive, but also a separate web miner that connects to a private pool. Attackers abused Google’s DoubleClick, which develops and provides Internet ad serving services, for traffic distribution. Data from the Trend Micro™ Smart Protection Network™ shows affected countries include Japan, France, Taiwan, Italy, and Spain,' noted researchers Chaoying Liu and Joseph C. Chen at Trend Micro.
The malvertising campaign was launched on such a large scale that the researchers observed a 285% increase in the number of Coinhive miners on January 24.
'The affected webpage will show the legitimate advertisement while the two web miners covertly perform their task. We speculate that the attackers’ use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices,' they added.
Speaking with Gizmodo, YouTube acknowledged the operation and termed it 'a relatively new form of abuse'. However, it also claimed that the malicious adverts were blocked in less than two hours, thanks to a multi-layered detection system set up by the company.
'Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms,' said YouTube.
However, further research by Gizmodo revealed that malicious ads were removed within two hours separately and not en masse, thereby suggesting that YouTube users will continue to be bombarded by such ads until all of them are quarantined.