Now Even YouTube Serves Ads With CPU-draining Cryptocurrency Miners (arstechnica.com) 187

YouTube was recently caught displaying ads that covertly leech off visitors' CPUs and electricity to generate digital currency on behalf of anonymous attackers, it was widely reported. From a report: Word of the abusive ads started no later than Tuesday, as people took to social media sites to complain their antivirus programs were detecting cryptocurrency mining code when they visited YouTube. The warnings came even when people changed the browser they were using, and the warnings seemed to be limited to times when users were on YouTube. On Friday, researchers with antivirus provider Trend Micro said the ads helped drive a more than three-fold spike in Web miner detections. They said the attackers behind the ads were abusing Google's DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain. The ads contain JavaScript that mines the digital coin known as Monero.

  • by Anonymous Coward

    Because it's getting out of hand and they will fix everything.

  • Ad Blockers (Score:5, Insightful)

    by sconeu ( 64226 ) on Friday January 26, 2018 @03:06PM (#56010041) Homepage Journal

    This is why I run an adblocker and a script blocker.

    And why I refuse to visit sites that insist I turn it off.

    Speaking of which, anyone know any WebExtensions that do anti-anti-adblock? The old one was XUL.

    • Re: (Score:3, Interesting)

      by jrmymllr ( 4703481 )
      It's getting harder to leave my adblocker universally enabled. I can't boycott every site that requires I disable it.
      • by Anonymous Coward

        I sure as hell can.

        Usually through a liberal application of NoScript, RequestPolicy, and, if absolutely necessary, raw HTTP requests to their API layer (because fuck you AND the horse you rode in on, you dumbshit "UX" assholes).

    • Re:Ad Blockers (Score:4, Informative)

      by brewthatistrue ( 658967 ) on Friday January 26, 2018 @04:14PM (#56010799)

      An arstechnica commenter mentioned NoCoin which is a standalone extension.
      https://arstechnica.com/inform... [arstechnica.com]

      https://github.com/keraf/NoCoi... [github.com]

      You can also take the URL they curate and then import it into your adblocker of choice.

      https://raw.githubusercontent.... [githubusercontent.com]

    • by ncc74656 ( 45571 ) *

      A fair bit of my YouTube watching is through Kodi's YouTube plugin. It doesn't bother to show ads. I tried switching one of my TVs from a Raspberry Pi with LibreELEC (a Kodi distribution) to a Roku stick, but no matter what kind of adblocking I tried implementing on my network, the Roku would still run ads. The Roku is pretty much just for Amazon Prime Video now

      On the desktop, I had run across HookTube [hooktube.com] a while back. I already have uBlock installed, but with a URL-rewriting plugin (just ran across Reques [google.com]

  • Can the workloads really be broken down into such small chunks that running during a 15-30 second ad gets any useful work done? It seems coordinating breaking up and putting back together such small work parts would be more computational power than it's worth.

    • by bohmt ( 900463 )
      The work is small. Just with a really low probability of success. This is why "mining" is usually done on GPUs, more tries more winnings.
    • by Anonymous Coward

      It's the age of browser tabs. People open a tab with youtube and it stays open, often for hours.

    • by Anonymous Coward

      Does it really matter? They're still collecting:

      1 - A theoretical dollar for the video view
      2 - The ad revenue, and they get to top it off with 3:
      3 - Tiny fractions of a monero-cent

      Adding #3 is free for them. Why not include it?

    • by war4peace ( 1628283 ) on Friday January 26, 2018 @03:30PM (#56010331)

      Consider an algorithm such as Yescrypt (http://password-hashing.net/wiki/doku.php/yescrypt) which is a valid CPU cryptomining algorithm. My CPU (Broadwell i7 6800K) finds a share every 5 seconds with 11 threads running. I extrapolate a quad core CPU would find a share every 15-20 seconds. Those shares add up if the receiving wallet and mining pool are the same. This means wallet "iourthoesruithjvansoivrzupaweo" could have a swarm of 10K workers mining for 30 seconds each on the same pool, and find 10K shares every 30 seconds.

      Let's see what this adds up to in terms of cash.

      My CPU (taken as reference) makes about 1.5 dollars a day. A Quad-core CPU (average desktop PC CPU) would make about 0.5 dollars a day through cryptomining. Multiply that by 10K miners (dynamic swarm), it adds up to 5K dollars a day. It's a hefty sum, assuming the website really has 10K active visitors at all times.

      1K active sessions would yield 500 bucks a day, 100 active sessions would net 50 bucks a day. Even 10 active sessions would be 5 dollars a day, every day. Not bad, I'd say.

    • by pezpunk ( 205653 )

      you can definitely break the workload into small chunks that only take a few seconds.

      multiply all those small hashrates by tens of thousands of pageviews, and you start pulling in quite a respectable ROI. The hard part is finding a Monero pool that doesn't ban you for making tens of thousands of tiny connections.

    • by Greyfox ( 87712 )
      Does the Javascript have to stop running when the ad completes? If it could stay up for the entire time you watch a video, that could make a mint.
  • Quick! Everyone stop using Youtube so we can swing the apocalypse back into the hands of the creators.
  • by Anonymous Coward

    One that comes to the top of my mind is Mineblock.
    It specifically blocks cryptominers of all kinds, even ones that the usual script blockers and other antimalware stuff miss.
    It's not the only one, and I'm sure that eventually the others will catch up to these types of extensions, but it's still relatively early days for this kind of infestation.

    Keep up to date on whatever you use, and those leeches won't find you an easy meal.

    • Uh, it is called "adblock" or "ublock origin". Why wouldn't you block the ads themselves?
      • by JaredOfEuropa ( 526365 ) on Friday January 26, 2018 @04:08PM (#56010731) Journal
        Some people might want to allow regular ads to help pay for sites they visit, but specifically block mining ads to prevent them from draining the laptop battery.

        I allowed ads for a long time for that reason, but now most of them are blocked because I got sick of the bouncing crap, auto-playing videos and ads with mouse-over actions. As far as I'm concerned, advertisers crapped the bed they sleep in.
        • by Anonymous Coward

          That's perfectly retarded. Ads are malware vectors. Anyone mining coin on your rig without your explicit permission is a potential thief already, but you think their other ads are all going to be above-board? Retarded.

      • Anti-adblock detects failure to load ads and removes the article's text from the DOM until the user disables protection. Running a blocker for a specific behavior gives you a bit of plausible deniability and room to complain to the site's support department about misdetecting an ad blocker.

        • Flashblock: "I don't want to open my PC to attacks through Adobe's proprietary code. I'd look at your ads if they weren't Flash."
        • Ghostery, Disconnect, Firefox tracking protection: "I don't appreciate third parties stalking me around the web. I'd look at your ads if they were first-party."
        • NoScript: "I'd look at your ads if they were static, like those on Daring Fireball and Read the Docs."
  • This is why I absolutely refuse to surf without adblockers in place.
    The whole online ads thing has been a shit-show since the word "go".
    And they piss and moan about it, while taking ever greater liberties with computing resources THEY DO NOT OWN.
    You can't even trust GOOGLE for chrissakes! And they're a browser vendor? How VERY convenient!

    You wanna block me from viewing your content because I don't let you infect, destabilize, and take over my system?
    Fine, I don't need to see your shit content that bad.

  • I'm repeatedly surprised (and appalled) when I visit a favorite site on a machine other than my own (the horror!!)

  • I know dedicated mining operations are way more efficient, but botnets can get pretty large.

    Are there any estimates on just what proportion of crypto-currencies are mined through illegitimate means?

  • by Anonymous Coward

    Why are ads even allowed to run javascript? It's one thing for double-click itself to be implemented in javascript, but why on earth do doubleclick/youtube allow the ads to include javascript? Shouldn't they just be an image or gif or video?

    • by Anonymous Coward

      Seriously, if someone knows why ads can have javascript in them, I am legitimately curious what the reason is, not just a rhetorical question.

  • by Anonymous Coward

    I put up with adverts in newspapers and magazines because I understand they subsidise their production costs, but they don't track me and do shit behind my back.
    Same for TV
    Same for radio

    Yet more and more websites display 'please disable your adblocker'.

    NO. It's precisely because of shit like this that I run one and I have no intention of disabling it.
    You want to display adverts on your site to bring in revenue, fine I get that. But do it the old way, with simple graphics that don't run unvetted shit on you

  • by rjmx ( 233228 ) on Friday January 26, 2018 @05:14PM (#56011327)

    Putting JavaScript in ads causes too many problems, from drive-by malware to this (and many other things too). And it leads to annoying ads, like those pop-ups that never leave your field of view.

    Yes, yes, I know it's because advertisers want to draw attention to their product. However, I suspect that many people would object less to ads if they weren't so annoying: compare to advertisements in (print) newspapers, who seem to have got along just fine without ads in -- what? -- several centuries so far?

    If we banned JavaScript in ads, malware authors would have a lot more difficult task pushing their crap.

    (Have to admit: only half-serious here, but still ...)

  • Defeat ads via DNS before involving your browser: https://pi-hole.net/ [pi-hole.net] I've been using it for a few months now. Knowing my TVs are no longer sending logs to Samsung is very gratifying. I discovered a forgotten Jenkins install that was hitting Github every 5 minutes.. oops :( I've only had to white-list two URLs for my kid so far.
  • https is such a falsehood. Sure the connection between you and one site may be secure, and you may actually trust it. But what about all those third party trackers and ad servers that load into the same page? Yes I am oversimplifying and https is about the connection and not the server's security - but as soon as a third party content is loaded shouldn't the underlying https connection become tainted in a way that it has something like one of those big red Xs on it for https+non-https mixed content? Maybe a middle finger emoji to the end user.

    I wish for a day whereby disabling loading of third party content is enabled by default - and websites still work.

    If you don't use an ad blocker by now, or even better something like umatrix extension - please add one to your favorite browser. (umatrix is from same guy as ublock origin, and sure it has a learning curve but we are supposed to be nerds reading this, and be amazed at all the third party junk on your favorite websites).

    • by jecowa ( 1152159 )
      I'd like JavaScript to start heading the way of Flash and eventually be disabled by default in web browsers. We'd probably need something to replace it first, though -- something that doesn't have quite the power that JavaScript has. My old laptop runs a lot cooler after installing NoScript and only enabling scripts for domains as-needed.
  • by MobyDisk ( 75490 ) on Friday January 26, 2018 @06:51PM (#56012075) Homepage

    I understand why an ad network like Yahoo or Doubleclick might use javascripts. But why would the individual advertiser need a custom javascript? Just provide a PNG or JPG or MP4 and be done with it. The idea that the ad networks permit arbitrary code in the ad is utterly ridiculous.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      (Posting as AC for reasons...)

      The short answer is analytics. We need the JS in order to keep track of things such as how long you looked at the ad, whether you moused over it (or even moused close to it), etc. Measuring user interaction with an ad is critical to determining if an ad is effective. Or for that matter determining if a site is scamming us.

      We also use JS to do deeper browser fingerprinting, to try to better identify a viewer for demographics purposes (did this go to a 28yo black female, a 50yo whit

      • by MobyDisk ( 75490 )

        That was informative but didn't really answer the crux of my question, and perhaps it is my way of asking it that is the problem. If I elaborate can you answer in more depth? Something is fundamentally wrong here:

        Who in the chain is writing and delivering the JavaScript? Suppose I go to goodsite.com, and I see an ad delivered by Google's ad delivery division, for Joe's Lemonade? If goodsite.com wrote the script, that seems okay. If Google wrote the Javascript, that's fine too because I assume goodsite.

  • by Anonymous Coward

    1 why should there be content from domains not in the address bar? (you don't expect there to be pepsi inside a can of coca cola!)
    2 site designers need to keep content on their own site! (if you don't own the content, link to it, don't steal it)
    3 100+ connections to load a single site is unacceptable! (and not cool to other users on public wifi)
    4 ssl/tls is worthless with crossdomain content! (and please support ipsec/dane certificates to stop the certificate mafia)
    5 all audio/videos should be click to play! (
