Mining Malware Abuses Google Ads and YouTube


Internet monopolies are easy to manipulate it seems. Especially if they are ad revenue driven and don’t really care who or what is advertised. Both Google and Facebook have been a hotbed for scams, phishing websites and malware recently, especially those involving crypto mining.

Cyber security researchers Trend Micro have discovered a surge in Coinhive web miner detections due to a malvertising campaign abusing Google’s advertising platform. According to the report they team discovered that advertisements found on high-traffic sites not only used Coinhive, a popular open source crypto mining script, but also a separate web miner that connects to a private pool.

Ads abused

Google’s DoubleClick advertising platform had been compromised. Malicious ads were served in Japan, France, Taiwan, Italy, and Spain according to the research. As of January 24 the cyber security specialists recorded a 285% surge in Coinhive miners originating from DoubleClick advertisements. The malvertising websites contained two different mining scripts which work in the background, leeching off users’ computer hardware to mine for crypto currency. The target coin is usually Monero as it is anonymous and cannot be tracked back in the blockchain.

According to a Trend Micro blog post;

“The advertisement has a JavaScript code that generates a random number between variables 1 and 101. When it generates a variable above 10, it will call out coinhive.min.js to mine 80% of the CPU power, which is what happens nine out of ten times. For the other 10%, a private web miner will be launched. The two web miners were configured with throttle 0.2, which means the miners will use 80% of the CPU’s resources for mining.”

Other reports indicate that YouTube has also been affected as it runs the same Google ad code. Secutiry researchers commented;

“YouTube was likely targeted because users are typically on the site for an extended period of time. This is a prime target for cryptojacking malware, because the longer the users are mining for cryptocurrency the more money is made.”


One way to prevent such incursions is to block Javascript from running in the web browser however this may render some legitimate websites unusable. Keeping browsers patched with their latest updates also helps to prevent rogue code however hackers are continually evolving their methods of attack.

As cryptocurrencies become more prevalent the level of sophistication for mining malware will increase. Exchange hacks and coin theft is also becoming more prevalent. Ad driven companies such as Google and Facebook rarely vet their paying advertisers and will only do so after something such as this has happened.


SanFair Newsletter

The latest on what’s moving world – delivered straight to your inbox