January 27, 2018

This is why I ad-block...

...and why I'm not relying on Google's built-in ad-blocker, which (naturally) won't block ads served by their own sites.

Ars Technica reported on this first, but Gizmodo has a really good article about the problem:
As Ars Technica first reported on Friday, users on social media started complaining earlier this week that YouTube ads were triggering their anti-virus software. Specifically, the software was recognizing a script from a service called CoinHive. The script was originally released as a sort of altruistic idea that would allow sites to make a little extra income by putting a visitor’s CPU processing power to use by mining a cryptocurrency called Monero. This could be used ethically as long as a site notifies its visitors of what’s happening and doesn’t get so greedy with the CPU usage that it crashes a visitor’s computer. In the case of YouTube’s ads running the script, they were reportedly using up to 80 percent of the CPU and neither YouTube nor the user were told what was happening.
[...]
Gizmodo reached out to YouTube for comment on Trend Micro’s claims, and a spokesperson acknowledged the problem:
Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.
The part of the statement about the ads being blocked in less than two hours doesn’t align with Trend Micro’s assessment that the ad campaign has been a problem for at least a week. When we asked YouTube about this discrepancy, a spokesperson declined to comment any further.
But a source with direct knowledge of YouTube’s handling of the situation told Gizmodo that the two-hour measurement was just being applied to each individual ad run by the hackers, not the ads en masse. YouTube approves a clean ad submitted by a clean account set up by the hijacker. When the ad goes live, the attackers use various cloaking methods to subvert YouTube’s system and swap the ad with one that includes the malicious script. A couple hours later, the ad is detected, taken down, and the user who submitted it gets their account deleted. Wash. Rinse. Repeat.
I was actually going to give Chrome another try, in part to see how its newly upgraded ad-blocking feature stacked up against uBlock and AdBlocker, but I think I'll be holding off for a while longer. Forget the desirability of the thing; when even sites like YouTube, run by companies as large as Google, are delivering ads loaded with malware, it simply isn't safe to let ads of any kind run in your browser window.

Of course, the more that I become accustomed to ad-free internet, the harder it becomes to ever turn the ads back on. I don't know what sort of an experience Chrome's built-in ad-blocker delivers, but the fact that users like me are less and less interested in even trying it anymore, thanks to egregious abuses like cryptojacking, probably spells real trouble for the advertising industry.

And then, of course, there's the problem that advertising doesn't even work anymore:


Sorry, advertisers. It's too bad that you all didn't decide to behave sensibly and ethically, before we developed the ability to simply shut you out completely. Now you have to come up with an ad that can go viral as a stand-alone piece of content, which ad-blocking users will choose to watch, and which still doesn't sell the product it's supposed to be flogging. That Vitamin Water ad may well have introduced the world to Feel It Still, but it's probably done more for "Portugal. The Man" than it did for Vitamin Water sales, and how much did it cost to hire Aaron Paul for that thing? GG.

What does this mean for the internet that we're used to, filled as it is with "free" content from sites that can only keep operating if they're supported with ad revenue? Honestly, I have no idea. I suspect, though, that we're only a few years away from finding out.