Hackers have infused malware in Google's DoubleClick advertising service to serve ads to consumers that contain cryptocurrency mining software.
The malware -- reported by the Trend Micro TrendLabs Security Intelligence Blog after an increase in traffic to five malicious domains on January 18 -- came from advertisements running on the DoubleClick network.
The security company detected an increase of nearly 285% in the number of Coinhive miners on January 24.
Mining cryptocurrency through ads is a relatively new form of abuse that violates Google's policies, and one that the company has been monitoring closely, according to a Google spokesperson. "We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge," per a Google spokesperson. "In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms."
Data shows that affected countries include Japan, France, Taiwan, Italy, and Spain. Reports appeared on Twitter after users began tweeting that their antivirus software notified them that cryptocurrency mining has been detected as they watched YouTube videos.
Analysis at Trend Micro found two different web-miner scripts embedded and a script that displays the advertisement from DoubleClick.
The affected webpage shows the legitimate advertisement, while the two web miners covertly perform their task. "The advertisement has a JavaScript code that generates a random number between variables 1 and 101," according to the post. "When it generates a variable above 10, it will call out to mine 80% of the CPU power, which is what happens nine out of ten times."
In the other 10%, a private web miner launches. The two web miners will use 80% of the CPU’s resources for mining.