
Critical Infrastructure News

Hackers running malvertising campaign on YouTube to mine cryptocurrency

Security researchers have revealed how hackers are bombarding YouTube videos with fake antivirus ads and running cryptojacking code without alerting users.

Malvertisers are running fake antivirus adverts on YouTube videos by abusing Google's DoubleClick ad platform and tricking users into downloading malware.

Security researchers at both Trend Micro and Adguard have unearthed a sophisticated malvertising operation that ran cryptomining software on visitors' systems without alerting them. Because such cryptomining consumes CPU power on the user's system, site operators are expected to inform users when it runs. Those behind the malvertising campaign did no such thing.

According to security firm Adguard, the campaign was exposed after YouTube users complained that their antivirus software was alerting on mining attempts while they were watching videos on YouTube. Following deeper analysis, researchers concluded that malicious actors had abused Google's DoubleClick ad platform to run fake antivirus ads on YouTube videos, luring people into downloading malware.

'We discovered that advertisements found on high-traffic sites not only used Coinhive, but also a separate web miner that connects to a private pool. Attackers abused Google’s DoubleClick, which develops and provides Internet ad serving services, for traffic distribution. Data from the Trend Micro™ Smart Protection Network™ shows affected countries include Japan, France, Taiwan, Italy, and Spain,' noted researchers Chaoying Liu and Joseph C. Chen at Trend Micro.

The malvertising campaign was launched on such a large scale that the researchers observed a 285% increase in the number of Coinhive miners on January 24.

'The affected webpage will show the legitimate advertisement while the two web miners covertly perform their task. We speculate that the attackers’ use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices,' they added.

Speaking with Gizmodo, YouTube acknowledged the operation and termed it 'a relatively new form of abuse'. However, it also claimed that the malicious adverts were blocked in less than two hours, thanks to a multi-layered detection system set up by the company.

'Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms,' said YouTube.
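The campaign described above hid a Coinhive miner and a second web miner behind an otherwise legitimate-looking advertisement. The following script is an added example written for this article, not code from Trend Micro, Adguard or YouTube: it scans the markup and script of an ad creative for the public Coinhive loader and API, plus a few generic heuristics seen in browser miners (a WebSocket to a pool, CryptoNight or WebAssembly hashing in a Web Worker), and returns a review verdict. The two creatives, the indicator weights and the threshold are constructed for the example and are not vendor detection rules.

```python
"""Detect in-browser cryptominer loaders inside ad creatives.

Added example for this article, not code from Trend Micro, Adguard or
YouTube. The signatures cover the Coinhive library (its loader URL and API)
and generic miner heuristics; the weights, threshold and sample creatives
below are assumptions constructed for illustration.
"""
import re

# (name, pattern, weight): weights are assumed values for this example
MINER_SIGNATURES = [
    ("coinhive_loader", re.compile(r"coinhive\.com/lib/coinhive(\.min)?\.js", re.I), 5),
    ("coinhive_api", re.compile(r"CoinHive\.(Anonymous|User)\s*\(", re.I), 5),
    ("cryptonight", re.compile(r"cryptonight", re.I), 3),
    ("websocket_pool", re.compile(r"new\s+WebSocket\s*\(\s*['\"]wss?://", re.I), 2),
    ("wasm_worker", re.compile(r"WebAssembly\.instantiate|new\s+Worker\s*\(", re.I), 1),
]

SUSPICIOUS_THRESHOLD = 3  # assumed: one strong indicator is enough to hold a creative


def scan_creative(markup: str) -> dict:
    """Return the indicators that fired, a weighted score and a verdict."""
    hits = [(name, weight) for name, rx, weight in MINER_SIGNATURES if rx.search(markup)]
    score = sum(weight for _, weight in hits)
    return {
        "score": score,
        "indicators": [name for name, _ in hits],
        "suspicious": score >= SUSPICIOUS_THRESHOLD,
    }


def classify_batch(creatives: dict) -> dict:
    """Scan several creatives at once; the result maps label -> verdict for review."""
    return {label: scan_creative(body) for label, body in creatives.items()}


# Constructed creatives (not real campaign artifacts)
BENIGN_CREATIVE = """
<div class="ad"><a href="https://advertiser.example/landing">
<img src="https://cdn.advertiser.example/banner.png" alt="Sale"></a></div>
"""

# A banner that looks legitimate but also loads a miner, as the article describes
MINING_CREATIVE = """
<div class="ad"><img src="https://cdn.advertiser.example/banner.png" alt="Antivirus"></div>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER', {throttle: 0.8});
  miner.start();
</script>
"""

if __name__ == "__main__":
    for label, result in classify_batch(
        {"benign": BENIGN_CREATIVE, "mining": MINING_CREATIVE}
    ).items():
        print(label, result)
```

An ad platform would run this at creative-review time and again on the served payload, since a creative can be swapped after approval; a site operator can apply the same check to third-party scripts before they reach the page, and a Content Security Policy that only allows known script origins stops an unlisted miner loader regardless of signature.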


Delaware hacker indicted in multimillion-dollar fraud scheme

His notoriety began seven years ago when he was arrested at a video game convention in Boston and accused of pirating $6 million in game code that was derived from a system used to train CIA agents for combat. May agreed to a Boston judge’s offer for pretrial probation in exchange for a dismissal of his case.

Last year evidence emerged that he was back on federal authorities' radar when police seized a $60,000 BMW Coupe and about $40,000 from his Brandywine Hundred residence. The FBI at the time declined to say why the assets had been seized.

The recent indictment against May states that the car was purchased through ill-gotten gains from the alleged fraud scheme.

That scheme began in April 2016 when May and other unnamed "co-schemers" obtained legitimate serial numbers to expensive Cisco computer hardware that they did not own, prosecutors say. The indictment does not state how they obtained those serial numbers. 

The group set up false online aliases to make it appear they worked for a legitimate company. They then submitted warranty claims for the equipment associated with the ill-gotten serial numbers, the indictment states. 

Their goal was to pose as legitimate owners of the computer components and present problems to Cisco engineers that they knew would require the company to replace the hardware through a warranty program. 

Through such misrepresentations, May and his conspirators were able to convince Cisco to ship approximately 169 pieces of computer hardware to replace technology they never owned. In all, May received some 155 pieces of computer hardware — valued at $2.3 million.  

He and his conspirators had submitted requests to replace some 266 pieces of equipment from Cisco, tot. It is unclear how the group's scheme was discovered. The indictment states that they agreed to return the equipment they had reported as broken, but never did.