There has been a malicious ad campaign going around the internet, and it appears to have found its way onto YouTube. This malware delivers a script that uses the victim’s CPU to mine for cryptocurrency; increasing power usage while also providing income for the attacker.
Most of these malicious ads are based on the coinhive script; which was made publicly available and is intended to provide an alternative source of income for websites struggling to make ends meet. The currency of choice in this case is Monero, which has quickly become a focus for cybercriminals looking to cover their tracks.
In legitimate use, the coinhive script sends a 30 percent cut of the mining activity back to coinhive as a service fee. However, the YouTube attack seems to have used a modified version that prevents this fee from being implemented. Allowing the attackers to claim all of the mined coin. It was also designed to use up to 80 percent of the victim’s CPU power.
An independent security researcher says that YouTube was targeted because people are used to spending a lot of time on the site. Providing the malware with plenty of time to mine for cryptocurrency while people indulged in their preferred content.
YouTube, for its part, has said that the ads were found and removed within two hours. Although, it is difficult to tell how long they actually lasted on the site.
Not every visitor to YouTube was affected by the attack. It looks to have targeted a specific number of countries, including Japan, France, and Spain. Possibly being aimed at developed countries where people have more computing power to be stolen.