Now Even YouTube Serves Ads With CPU-draining Cryptocurrency Miners (arstechnica.com)
YouTube was recently caught displaying ads that covertly leach off visitors' CPUs and electricity to generate digital currency on behalf of anonymous attackers, it was widely reported. From a report: Word of the abusive ads started no later than Tuesday, as people took to social media sites to complain their antivirus programs were detecting cryptocurrency mining code when they visited YouTube. The warnings came even when people changed the browser they were using, and the warnings seemed to be limited to times when users were on YouTube. On Friday, researchers with antivirus provider Trend Micro said the ads helped drive a more than three-fold spike in Web miner detections. They said the attackers behind the ads were abusing Google's DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain. The ads contain JavaScript that mines the digital coin known as Monero.
Because it's getting out of hand and they will fix everything.
This is why I run an adblocker and a script blocker.
And why I refuse to visit sites that insist I turn it off.
Speaking of which, anyone know any WebExtensions that do anti-anti-adblock? The old one was XUL.
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
One that comes to the top of my mind is Mineblock.
It specifically blocks cryptominers of all kinds, even ones that the usual script blockers and other antimalware stuff miss.
It's not the only one, and I'm sure that eventually the others will catch up to these types of extensions, but it's still relatively early days for this kind of infestation.
Keep up to date on whatever you use, and those leeches won't find you an easy meal.
"Unoccupied CPUs" were a waste back when a CPU used the same amount of power idling as working.
Today, giving my "unoccupied CPU" a task for your benefit is theft of my battery life (time until I need to recharge), battery lifetime (total number of cycles), electricity (both direct device usage and indirect cooling needs), and device lifetime (hotter devices fail sooner).
Now, if you'd like to offer me payment for these things you wish to consume, we can talk.
What makes you think they all unload when you leave that site?
There are lots of them that just keep running and eating up your resources even when you want to use them.
That's the problem with people secretly sticking their hands in your pocket, you have no idea how much they're going to take or how long they'll be doing it.
The very fact that they hid this from you is ALWAYS a bad sign.
Consider an algorithm such as Yescrypt (http://password-hashing.net/wiki/doku.php/yescrypt) which is a valid CPU cryptomining algorithm. My CPU (Broadwell i7 6800K) finds a share every 5 seconds with 11 threads running. I extrapolate a quad core CPU would find a share every 15-20 seconds. Those shares add up if the receiving wallet and mining pool are the same. This means wallet "iourthoesruithjvansoivrzupaweo" could have a swarm of 10K workers mining for 30 seconds each on the same pool, and find 10K shares every 30 seconds.
Let's see what this adds up to in terms of cash.
My CPU (taken as reference) makes about 1.5 dollars a day. A Quad-core CPU (average desktop PC CPU) would make about 0.5 dollars a day through cryptomining. Multiply that by 10K miners (dynamic swarm), it adds up to 5K dollars a day. It's a hefty sum, assuming the website really has 10K active visitors at all times.
1K active sessions would yield 500 bucks a day, 100 active sessions would net 50 bucks a day. Even 10 active sessions would be 5 dollars a day, every day. Not bad, I'd say.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
Right now we don't have that option. Because everyone who does this, does it without telling the user. Until it becomes a CHOICE, they can fuck off.
I don't know why this is the first time I'm realizing this, but "ads" that cryptomine seem like a great idea. Given the amount of web browsing that is just that, with an otherwise unoccupied CPU, I'd much rather the sites I visit be earning some money directly from my use than displaying crappy ads all over and splitting that income with the middlemen.
I would be fine with this in place of ads if a) it's fully disclosed, b) it's opt-in, and c) it's set to consume no more than, say, 25% of my CPU.
I browse on +1 so AC's need not respond, I won't see it.
At least Chrome limits background tabs to 1% of CPU and will, in future, pause javascript entirely in those pages.
Now, if you'd like to offer me payment for these things you wish to consume, we can talk.
Were you able to see their content? You got paid. You're not going to get reimbursed for the power consumed by your TV or DVR while you're fast-forwarding through commercials either.
I don't like the miners either, but I understand that ads are the price of content. The alternative is paid content, which you're free to switch to.
He's getting rather old, but he's a good mouse.
Forbes
Why are ads even allowed to run JavaScript? It's one thing for DoubleClick itself to be implemented in JavaScript, but why on earth do DoubleClick/YouTube allow the ads to include JavaScript? Shouldn't they just be an image or GIF or video?
Anti-adblock detects failure to load ads and removes the article's text from the DOM until the user disables protection. Running a blocker for a specific behavior gives you a bit of plausible deniability and room to complain to the site's support department about misdetecting an ad blocker.
I put up with adverts in newspapers and magazines because I understand they subsidise their production costs, but they don't track me and do shit behind my back.
Same for TV
Same for radio
Yet more and more websites display 'please disable your adblocker'.
NO. It's precisely because of shit like this that I run one and I have no intention of disabling it.
You want to display adverts on your site to bring in revenue, fine, I get that. But do it the old way, with simple graphics that don't run unvetted shit on your viewers' machines.
You want to block me from viewing your content 'cos I'm running an adblocker? That's cool too, there's plenty of other sites out there.
If you're not willing to support my site, feel free to boycott it. However, stop stealing from me. You're not required to go to my site, but you're not welcome to violate my copyright with a derivative work in order to steal revenue from me.
First of all, they're not violating copyright by simply downloading content.
Secondly, if you're using one of these scammy ad networks (and, to my knowledge, there isn't a single one that *isn't* scammy), then you're just going to have to accept the fact that no one gives a shit about what you want.
Third party JavaScript nonsense had gotten so far beyond the pale that it behooves everyone with a computer to enable ad blocking technology, for their own personal safety. This YouTube crypto thing is just one of countless examples of malicious code forced upon people. If you derive income from this bullshit, then you're complicit in this and deserve every bit of scorn anyone heaps on you.
If you don't like it, then set up a Patreon account so people can be assured that you're getting paid directly without they themselves getting screwed in the process with malware.
Putting JavaScript in ads causes too many problems, from drive-by malware to this (and many other things too). And it leads to annoying ads, like those pop-ups that never leave your field of view.
Yes, yes, I know it's because advertisers want to draw attention to their product. However, I suspect that many people would object less to ads if they weren't so annoying: compare to advertisements in (print) newspapers, who seem to have got along just fine without ads in -- what? -- several centuries so far?
If we banned JavaScript in ads, malware authors would have a much more difficult task pushing their crap.
(Have to admit: only half-serious here, but still ...)
Defeat ads via DNS before involving your browser: https://pi-hole.net/ I've been using it for a few months now. Knowing my TVs are no longer sending logs to Samsung is very gratifying. I discovered a forgotten Jenkins install that was hitting GitHub every 5 minutes... oops :(
I've only had to white-list two URLs for my kid so far.
https is such a falsehood. Sure the connection between you and one site may be secure, and you may actually trust it. But what about all those third party trackers and ad servers that load into the same page? Yes I am oversimplifying and https is about the connection and not the server's security - but as soon as a third party content is loaded shouldn't the underlying https connection become tainted in a way that it has something like one of those big red Xs on it for https+non-https mixed content? Maybe a middle finger emoji to the end user.
I wish for a day whereby disabling loading of third party content is enabled by default - and websites still work.
If you don't use an ad blocker by now, or even better something like the uMatrix extension - please add one to your favorite browser. (uMatrix is from the same guy as uBlock Origin, and sure it has a learning curve but we are supposed to be nerds reading this, and be amazed at all the third party junk on your favorite websites).
I understand why an ad network like Yahoo or Doubleclick might use javascripts. But why would the individual advertiser need a custom javascript? Just provide a PNG or JPG or MP4 and be done with it. The idea that the ad networks permit arbitrary code in the ad is utterly ridiculous.
1 why should there be content from domains not in the address bar? (you don't expect there to be Pepsi inside a can of Coca-Cola!)
2 site designers need to keep content on their own site! (if you don't own the content, link to it, don't steal it)
3 100+ connections to load a single site is unacceptable! (and not cool to other users on public wifi)
4 SSL/TLS is worthless with crossdomain content! (and please support IPsec/DANE certificates to stop the certificate mafia)
5 all audio/videos should be click to play! (possible crossdomain, but need to be clicked just like any other links)
6 crossdomain cookies are just another name for tracking cookies! (you don't need cookies to track users on your own site!)
7 external JavaScript libraries are just as bad as Windows DLL hell and Linux dependency nightmare. (just compile them into your page)
8 for webapps you need to install/give permission for them to use site x. (not have a stupid allow header on site x!)
9 AdSense/Analytics is the real big brother watching you. (and he is not alone..)
but it's not happening as long as the browser makers are in the pockets of the ad/spam suppliers.
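
Added example, not part of any comment in this thread: a small JavaScript audit of the "content from domains not in the address bar" that the comments above complain about, grouping a page's loaded resources by host and flagging third-party hosts that deliver scripts. The host names and the sample entries are constructed, and the two-label site comparison is a simplifying assumption.

```javascript
// Group a page's loaded resources by host and flag hosts that belong to a
// different site than the page (roughly the per-domain view uMatrix gives).
// Assumption of this sketch: "site" = last two DNS labels. That is wrong for
// suffixes such as co.uk; real blockers use the Public Suffix List.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// entries: objects shaped like performance.getEntriesByType('resource'),
// where name is the URL and initiatorType 'script' marks a <script> load.
function auditResources(pageUrl, entries) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const hosts = new Map();
  for (const entry of entries) {
    let url;
    try {
      url = new URL(entry.name);
    } catch (e) {
      continue; // not an absolute URL
    }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') continue;
    const rec = hosts.get(url.hostname) || {
      host: url.hostname,
      thirdParty: siteOf(url.hostname) !== pageSite,
      requests: 0,
      scripts: 0,
    };
    rec.requests += 1;
    if (entry.initiatorType === 'script') rec.scripts += 1;
    hosts.set(url.hostname, rec);
  }
  const all = [...hosts.values()];
  const byRisk = (a, b) => b.scripts - a.scripts || b.requests - a.requests;
  return {
    firstParty: all.filter((r) => !r.thirdParty),
    thirdParty: all.filter((r) => r.thirdParty).sort(byRisk),
  };
}

// Constructed sample data (not captured from any real site).
const sampleEntries = [
  { name: 'https://video.example/player.js', initiatorType: 'script' },
  { name: 'https://static.video.example/logo.png', initiatorType: 'img' },
  { name: 'https://ads.adnet.test/creative/123.js', initiatorType: 'script' },
  { name: 'https://ads.adnet.test/creative/123.png', initiatorType: 'img' },
  { name: 'https://metrics.tracker.test/pixel.gif', initiatorType: 'img' },
  { name: 'data:image/png;base64,AAAA', initiatorType: 'img' },
];
const report = auditResources('https://www.video.example/watch', sampleEntries);
console.log(report.thirdParty);
```

In a browser console the same function can be fed `location.href` and `performance.getEntriesByType('resource')`; third-party hosts with a non-zero script count are the ones able to run code in the page.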