Google DoubleClick Ad Network Hit With Crypto Mining Malware, YouTube Visitors Affected

It appears that Google's DoubleClick ad network has become the latest target of relentless miners looking to make an extra buck with the Monero cryptocurrency. The revelation comes after TrendMicro observed that the number of active Coinhive miner detections tripled around January 24th. After some detective work, TrendMicro found that the increase in traffic was coming from a total of five "malicious domains".

Given the immense popularity of the DoubleClick network, it should come as no surprise that enterprising hackers would attempt to exploit it to reach a staggering number of users. In this case, it's said that the countries that were verified as targets of this malicious campaign included France, Japan, Italy, Spain and Taiwan.

"An analysis of the malvertisement-riddled pages revealed two different web miner scripts embedded and a script that displays the advertisement from DoubleClick," writes TrendMicro. "The affected webpage will show the legitimate advertisement while the two web miners covertly perform their task. We speculate that the attackers’ use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices."

Users first became aware of the Coinhive infestation while watching YouTube videos. YouTube is likely a popular target because users often find themselves meandering on the site for extended periods of time watching various videos. The longer users stay on a site, the longer the malicious JavaScript can run to mine Monero.

It seems as though no platform is safe these days when it comes to cryptocurrency mining. We first started hearing about Monero miners being smuggled into websites dedicated to piracy, and then it began spreading to more legitimate sites. More recently, we've seen Monero miners show up in malware for the Android platform.


Via:  TrendMicro