Mining malware has become a big problem: YouTube is also being used by hackers to mine Monero

summary

The use of the Coinhive web miner has surged over the past few days, linked to Google DoubleClick ads posted on YouTube and other sites.

As the prices of virtual currencies such as Bitcoin and Ethereum are rising rapidly, the number of cyber attacks surrounding virtual currencies is also increasing. Whether it is individual users, miners or exchanges, as long as they are involved in the virtual currency business, they have become targets of hacker attacks. This is already a big problem that cannot be ignored. According to BleepingComputer statistics, there are more than ten malicious viruses that spread Monero mining machines. In 2018, the situation will be even worse.

Recently, security companies have discovered several malware applications specifically designed to steal cryptocurrencies. Many websites have been compromised and scripts for mining virtual coins have been installed, and the computer resources of website visitors have been abused.

Researchers at Trend Micro have discovered a spike in the use of the Coinhive web miner over the past few days that is linked to Google DoubleClick ads posted on YouTube and other sites.

Image/ From Ars Technica

Coinhive is a set of mining service codes. When users visit a webpage containing the code, it starts to consume the user's own resources to mine Monero for the owner of the code. The author of this code once claimed that websites can use this code to make money to survive and do not need to add advertisements. However, this code was later abused by hackers and became a tool for hackers to make profits.

Trend Micro released an analysis report stating that on January 24, 2018, they observed a nearly 285% increase in the number of Coinhive miners due to malicious advertising activities. They also found that not only Coinhive was used on websites with high user traffic, but also independent web mining tools were used and connected to private mining pools. Previously, on January 18, they began to see an increase in traffic from five malicious domains, and after carefully examining the network traffic, they found that the traffic came from DoubleClick ads.

Image/ From Trendmicro

Security researchers discovered two separate mining scripts, both hosted on Amazon's cloud, which were called from web pages displaying DoubleClick ads. The ads used JavaScript code to generate random numbers between 1 and 101, and the coinhive.min.js script took up 80% of the CPU to mine. For the remaining 10%, the ads loaded a private online miner, the mqoj_1.js script.

Independent security researcher Troy Mursch told CoinDesk that the act of injecting malicious code into Youtube ads may be targeted because users usually stay on the site for a long time, which is the main target of malicious mining code because the longer users are online, the more money they can make.

Google took immediate action against ads that were abusing user resources.

Some experts suggest that blocking JavaScript-based applications from running on browsers can prevent the execution of malicious mining code. In addition, regularly patching and updating web browsers can reduce risks. Geek Park previously reported that Opera's desktop browser has provided the function of running in-browser mining programs since December last year. Many mainstream browsers can also block the running of JavaScript programs by setting and adding parameters, but this may affect the key functions of the website, which requires users to weigh on their own.

Header image source: Visual China

Editor in charge: Double-barreled shotgun