back to article Crypto-jackers slip Coinhive mining code into YouTube site ads

The hijacking of CPU cycles through crypto-mining JavaScript code has surged over the past few days, according to security biz Trend Micro. The reason appears to be a distribution campaign that piggybacks on Google's DoubleClick ads that appear on YouTube among other sites. "We detected an almost 285 per cent increase in the …

  1. Anonymous Coward
    Anonymous Coward

    Why does El Reg keep using Scripts from 'googleapis'

    As a champion challenging tech Giants on everything from Slurp abuses to lack of Play-Store Malware checks, its puzzling... Reg-https took ages too!

    1. Anonymous Coward
      Anonymous Coward

      Re: Why does El Reg keep using Scripts from 'googleapis'

      The are doing that only for their font. A large percentage of visitors will have that font (served by that url) stored in their local cache, thus speeding up the initial site load. Nothing wrong with that.

      However, El Reg also links to a googletagservices script, which is specifically mentioned in the article as being a vector for this crypto-mining thing.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why does El Reg keep using Scripts from 'googleapis'

        Also doubleclick.net, though only on certain pages and not googleads.doubleclick.net, so it's hard to say if it would be affected.

        https://imgur.com/a/fhfBB

      2. Anonymous Coward
        Anonymous Coward

        Re: Why does El Reg keep using Scripts from 'googleapis'

        "A large percentage of visitors will have that font (served by that url) stored in their local cache, thus speeding up the initial site load. Nothing wrong with that."

        Or they could just use one of the standard web fonts.

    2. Anonymous Coward
      Anonymous Coward

      We need NoScript for Firefox 57, and WebAssembly's bytecode is more insecure than Flash

      > Trend Micro suggests disabling JavaScript in browsers

      I would like to Whitelist Sites, and disallow Javascript by default.

      Sadly NoScript isn't supported by Firefox 57 :(

      And the UI of uMatrix is beyond confusing, what a mess. Well uBlock Origin has a bad UI too, but at least I rarely need to interact with it, it works fine most of the time. But uMatrix needs serious work on the UI side. NoScript is so much better and worked superb (previously).

      And what about WebAssembly!? Can we get the browser creators to disable WebAssembly? It's a hot mess of untrusted bytecode, on-par with Java applet and worse than Flash applet in terms of a security loophole. Since Meltdown, Spectre WebAssembly should be marked as dead-end and disabled by default. And WebAssembly basically makes it possible to simply compile their CryptoMiner to the web. What makes it worse that Chrome 63 doesn't allow you to disable WebAssembly anymore, a big step backwards Google!

      1. David Hicklin

        Re: We need NoScript for Firefox 57, and WebAssembly's bytecode is more insecure than Flash

        "Sadly NoScript isn't supported by Firefox 57 :("

        I'm on FF 58 and NoScript is working now, just not as polished as before, even remembered my settings going from 56 -> 58

      2. eldakka Silver badge

        Re: We need NoScript for Firefox 57, and WebAssembly's bytecode is more insecure than Flash

        > UI of uMatrix is beyond confusing

        Confusing?

        It's a dropdown list that lists the sites (and the specific activity - cookies, XSS, frames, etc) that are trying to load. You just toggle to green (allowed) if you want to enable the scripts and other resources from that site (and hit the padlock if you want to save that permanently).

        That's pretty much all there is to it unless you start delving into advanced usage like, e.g. allowing a site only allows specific subsets, e.g. no frames even if site allowed unless you also toggle the frame for that site to green (allowed).

        I used NoScript for years, then moved onto Policeman then, on Vivaldi (which is a chromium-based browser), I went to uMatrix, after which I moved to that instead of NoScript on FF prior to 57.

  2. Anonymous Coward
    Anonymous Coward

    And once again: adblockers

    And if those people had used adblockers then I doubt anything would have happened.

    I've mentioned this recently, I'll do it again: adblockers should be placed at the same level as anti virus software. You may trust a website (or its owner), but you cannot know up front where the ads are coming from, as well as any associated extra garbage such as these mining scripts.

    1. Garymrrsn

      Re: And once again: adblockers

      Lack of security has the potential to burst the advertising industries internet bubble. If security concerns drive people to avoid web sites that depend on ads for their revenue those sites will start looking for a safer revenue stream.

    2. Wensleydale Cheese

      Re: And once again: adblockers

      "And if those people had used adblockers then I doubt anything would have happened."

      NoScript reported blocking a couple of attempts at cross scripting when I was poking around YouTune last night.

      1. Anonymous Coward
        Anonymous Coward

        Re: And once again: adblockers

        I'm getting those too. NoScript is just reporting a vulnerability for a possible x-script attack. I doubt that all of them are actual attacks...

        ...probably...

    3. Prst. V.Jeltz Silver badge

      Re: And once again: adblockers

      "And if those people had used adblockers then I doubt anything would have happened."

      Yeah, no ad revenue would have happened . The internet would stopped turning.

      on the other hand, Like ShelLuser said , ad sites should be treated as hostile.

      How about you whitelist every site you go to , as go (scriptwise) , leaving the adsites restricted?

      I guess there is a place for adblockers , once were the cowboys of the digital wild west letting people trample roughshod over the economic principles of the net , threatening the very freedom of free stuff etc . I see them becoming the policemen - keeping ads under control by resticting them to a jpg , or bit of html maybe.

      I think adblock already comes with "Let the nicely behaved ads through" by default now.

  3. adnim

    Google says it took action against the ads once it became aware of them

    Same here. I blocked doubleclick.net at my router before Google bought them.

  4. Paratrooping Parrot
    Mushroom

    JavaScript for Ads?

    Why do adverts need JavaScript? Why can't they just be static images like in the early days of the Internet? People are using Ad blockers because the adverts take up huge amounts of bandwidth and slow the computer down. Flash based ads are the worst. Those who use Pay as you go mobiles have to pay for every megabyte of data. So of course we are annoyed to be paying for the adverts that we don't want. Imagine those in other countries who are being bombarded with those adverts as well and have a hard limit on the bandwidth they can use.

    So for those who insist on us to stop using Ad block technology, we are doing it to protect our computers. If you stick to static visible images with a link that does not follow you as you scroll down, then we will consider disabling ad block technology. Until then, we won't stop.

    1. Warm Braw Silver badge

      Re: JavaScript for Ads?

      But if you stick to static visible images, how are you going to make your paid-for advertisement stand out over the paid-for content? And in the case of YouTube rather a lot of it seems to consist of "influencers" persuading their gormless peers to buy products they themselves were given free. I don't think you can expect any form of voluntary commercial moral restraint to survive in that environment.

      It's a pity that HTML doesn't have a single-origin model where all content on a page has to come from the same source - it wouldn't eliminate abuse, but it would at least make the content-providers responsible for the advertising that appears on their sites and the costs of serving them.

      1. d3vy Silver badge

        Re: JavaScript for Ads?

        "It's a pity that HTML doesn't have a single-origin model where all content on a page has to come from the same source - it wouldn't eliminate abuse, but it would at least make the content-providers responsible for the advertising that appears on their sites and the costs of serving them"

        Ahh, but then you have the issue that you end up downloading the same jQuery/Angular/Whatever todays framework is javascript file for every site you visit rather than downloading it once from a CDN..

        1. Warm Braw Silver badge

          Re: JavaScript for Ads?

          you end up downloading the same jQuery/Angular/Whatever todays framework is javascript file for every site you visit rather than downloading it once from a CDN

          Good. I can then hold the publisher of the site responsible for any nasties in their code and not have to rely on the probity and security of some entirely unconnected third party.

          But that would slow things down, you cry? Well, perhaps that might persuade the site authors only to include the code they actually need and can test and verify.

          And of course if all responses had to go to the single origin too, then the publisher would be responsible for all the data they hand over to dubious analytics and tracking organisations, which might make them think twice. Sounds like a win all round.

        2. HieronymusBloggs

          Re: JavaScript for Ads?

          "then you have the issue that you end up downloading the same jQuery/Angular/Whatever todays framework is javascript file for every site you visit"

          You almost make it sound like that stuff is necessary.

      2. John Brown (no body) Silver badge

        Re: JavaScript for Ads?

        "It's a pity that HTML doesn't have a single-origin model where all content on a page has to come from the same source"

        The worst offenders are the so-called media site, newspapers, TV channels and the like. Scripts, advertisers, trackers, CDNs, sometimes as many as 30-40 different ones on a single page, all having to be connected to and some small bit of data downloaded, making page loads so slow it's ridiculous. And I'm on a 100Mb/s cable package. I remember when I first got broadband. 512Kb/s and it was stonkingly fast at opening web pages.

  5. mark l 2 Silver badge

    I am sure Coinhive could do more to stop people misusing its service. They could put a 30 day hold on payouts so that if any abuse reports come in the account payout is put on hold. They could also block the use of the old version of the script that doesn't let the end user switch off the script.

    1. Claptrap314 Silver badge

      The miners are probably using coinhive code with the coinhive url replaced with something else. Trivial change.

  6. heyrick Silver badge

    abuse that violates our policies

    The problem here is that the advertisers, yet again, are using a platform that we are expected to "trust" to run random unvetted third party scripting in the course of supplying the advert. This is one of the many reasons why script blocking and advert blocking is the only safe option for modern browsing...

  7. Maelstorm

    Would you like a cryptominer with that video?

    Nothing surprises me anymore. However, the question that we should all be asking is why are ads allowed to use JavaScript in the first place?

    1. Prst. V.Jeltz Silver badge

      Re: Would you like a cryptominer with that video?

      why are ads allowed to use JavaScript in the first place?

      I guess because an ad is just a mini webpage stuck into the page you are reading , and therefore is entitled to all the tricks and scripts and frameworks that a webpage is.

      If you could think of a way to restrict ads to jpegs only , then the advertisers would just disguise their ads as pages ...

  8. Garymrrsn

    If I may extrapolate...

    How long will it be before advertising invades your autonomous car?

    They can route you past a shopping venue and announce "There's a sale! Lets stop and check it out!"

    1. Anonymous Coward
      Anonymous Coward

      Re: If I may extrapolate...

      Or hospitals. You're in for major surgery and halfway through the initial incision a popup flashes on the heart-rate monitor:

      "Wusthof Kitchen Knives Set Now On Sale At JCPenny!"

    2. Michael Thibault

      Re: If I may extrapolate...

      Some would appreciate in-context audio notisications; they don't distract you from your world beyond the glass.

  9. Dwarf Silver badge

    And they wonder why we hate adverts...

    1. Charles 9 Silver badge

      Yet we don't hate them enough to eschew ad-suppoorted media in favor of ones where you pay actual coin.

      1. heyrick Silver badge

        in favor of ones where you pay actual coin

        Really? Nobody buys DVDs and such anymore?

        Maybe the problem here is that dropping in some adverts is "easy" but creating content that a sufficient number of people will actually pay for is quite a bit harder?

        1. phuzz Silver badge

          Re: in favor of ones where you pay actual coin

          "Nobody buys DVDs and such anymore?"

          Disc sales dipped below streaming last year, so broadly, no.

          1. Charles 9 Silver badge

            Re: in favor of ones where you pay actual coin

            Plus there are alternatives available now (some legal, like libraries).

  10. tkioz

    Typical

    And here is the reason I never whitelist or disable my adblocker and why I install it on every computer I work on. Advertisers have spent the last twenty years proving they can not be trusted and this is just one more nail in the coffin.

    The only adverts that I'll tolerate are pure text or pure image with zero script behind them, until ad companies start using that, I'll keep blocking.

    1. Anonymous Coward
      Anonymous Coward

      Re: Typical

      Advertisers have spent the last century and more proving they cannot be trusted, not just the last 20.

  11. petef

    The Opera browser added a blocker for mining a few weeks ago. That is in addition to the built-in ad blocking.

  12. Digitall

    Online checker

    https://cryptojackingtest.com/

    to check your current browser..may not work with all browsers.

  13. Elledan
    Flame

    Static HTML is the best

    For years now I have gotten used to browsing with ads and JavaScript disabled, only (temporarily) whitelisting a URL when I absolutely need to use a feature on that site. Lots of websites do however simply not work without JS enabled, often displaying just a blank page or something equally useless.

    With Meltdown and Spectre we saw JavaScript-based PoCs which can (potentially) steal private data, including passwords and the like. JS is also a common infection vector for malware, which most recently saw this crypto-coin mining thing become popular.

    The last time that I felt that I could browse safely around without having to install a lot of filters to remove all the (dangerous) crud from today's WWW was probably somewhere in the late 90s.

    Did the advertising thing just go totally overboard? Is it time to treat JavaScript-based sites with the same disdain as we did with Flash?

    1. Charles 9 Silver badge

      Re: Static HTML is the best

      Given there's still ways to track you solely based on stuff the Internet needs to function, perhaps it's time to give up the Internet and go back to the Sears catalog...

    2. Anonymous Coward
      Anonymous Coward

      Re: Static HTML is the best

      Yes, I too have active content turned off by default and have noticed the increasingly agressive posture on "you want to see our content then you must take anything our advertises want to throw at you".

      Until everyone boycotts those sites that demand you accept what you clearly did not want then I only see things getting worse.

      Those sites that consistently serve content I do want to see would be better setting up subscription based ad opt out via some other country ( the demands for The Private Eyes subscriber list are evidence that websites need to think ahead of they want to capture the anonymous viewer).

    3. Anonymous Coward
      Anonymous Coward

      Re: Static HTML is the best

      Yes, I too have active content turned off by default and have noticed the increasingly agressive posture on "you want to see our content then you must take anything our advertises want to throw at you".

      Until everyone boycotts those sites that demand you accept what you clearly did not want then I only see things getting worse.

      Those sites that consistently serve content I do want to see would be better setting up subscription based ad opt out via some other country ( the demands for The Private Eye's subscriber list are evidence that websites need to think ahead of they want to capture the anonymous viewer)

  14. lglethal Silver badge
    WTF?

    What?

    "The problem Google faces is that those abusing its systems rely on cloaking techniques to conceal the nature of the code and fake accounts that can be abandoned without consequence. As with email spammers, it's a game of Whac-A-Mole."

    OK Im not particularly familiar with how the Google advertising system works, but i know that people who want to post an advert have to pay for it. That means they need to give Google payment details, be it a bank account or credit card. If it's a bank account, Google has the persons details. I mean Banks do not give out bank accounts without full details being obtained. So if there is something dodgy going on, give the details to law enforcement and ban that person from future advertisements. OK potentially credit card details can be stolen, but then Google would be missing out on the funding anyway once the owner of the card gets a chargeback, so they should surely have some other means of identity verification if you want to pay by card alone. So again Google should have a way to get personal details here.

    Anytime money changes hands through official channels, if one party wants to, it should be able to confirm who the other party is. Or it's not trying hard enough and doesnt actually want to do anything that might jepordise some revenue.

    I'm a little surprised that Google isnt taking this more seriously. Its entire empire is built on internet advertising, and if people stop trusting advertising on top websites like youtube, then its whole revenue stream is endangered.

  15. Claptrap314 Silver badge

    Google's entire operating model has been to maximize the accumulation of data and then to maximally monetize that data while minimizing their liability relative to the accumulation and monetization. This pattern runs a long-term risk of damaging the "free" internet, but it gets them lots & lots of $ in the mean time. In the event that ad blockers & company start to go mainstream, Goggle can easily put together a model that establishes an accountability chain. In the meantime, "No one ever went broke underestimating the taste or the intelligence of the American public."

    1. Charles 9 Silver badge

      I think if ad blockers become the norm, ad agencies will simply relocate to Western-hostile countries and offer blocker-proof proxy services whereby blocking the ads blocks the contrnt, full stop, by making the site look single-origin. Wonder if it'll be time to abandon the Internet at that point.

      1. Anonymous South African Coward Silver badge

        I would not worry about that - there are ways and means, maybe start using a text-based browser that'll somehow get the content sans ads.

        Currently ads go to /dev/eyeballs/null but with bad things like this, ads can gladly go to /dev/null

  16. Anonymous South African Coward Silver badge

    That's done it.

    Will install a content-filter firewall doohicky on Mint, as a plain Mikrotik just doesn't cut it anymore.

    Will have to make a plan with certain sites though. Meh. Bah and humbug.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020