As Ars Technica reports, YouTube has been spotted pushing ads onto users.

That, in itself, isn’t newsworthy of course. But these ads are surreptitiously stealing resources from visiting computers to mine for cryptocurrencies:

On Friday, researchers with antivirus provider Trend Micro said the ads helped drive a more than three-fold spike in Web miner detections. They said the attackers behind the ads were abusing Google’s DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain.

The ads contain JavaScript that mines the digital coin known as Monero. In nine out of 10 cases, the ads will use publicly available JavaScript provided by Coinhive, a cryptocurrency-mining service that’s controversial because it allows subscribers to profit by surreptitiously using other people’s computers. The remaining 10 percent of the time, the YouTube ads use private mining JavaScript that saves the attackers the 30 percent cut Coinhive takes. Both scripts are programmed to consume 80 percent of a visitor’s CPU, leaving just barely enough resources for it to function.

You should run an ad blocker when you surf the web.

Not just because ads are invariably ugly and ruin the user experience. Not just because you don’t want ads tracking your online behaviour. Not just because ads slow down your online experience and gobble up your bandwidth. Not just because ads can infect your computer with malware, or secretly sap your computer’s resources by mining for cryptocurrencies in the background.

But because even Google, one of the world’s largest advertising companies (with its own considerable security prowess), seems to be incapable of guaranteeing a stream of safe ads. What hope for the other advertising networks if Google can’t get it right?

In a statement, Google said it took action against the offending ads when it became aware of them:

“Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”

To which I say: too little, too late. Why does Google DoubleClick allow ads to contain JavaScript in the first place?

It’s a shame, of course, for those websites which depend on advertising as a revenue stream. But we have to face facts. Ads can’t be trusted. Run an ad blocker.
