Crypto-jackers enlist Google Tag Manager to smuggle alt-coin miners
Ad giant has malware detection in its script-hosting service... but Coinhive isn't flagged
Crypto-jackers using Coin Hive code to secretly mine Monero via computing power supplied by the unsuspecting have found Google Tag Manager to be a convenient means of distribution.
The code was invisibly spawned, he said, "from the embedded Google Tag Manager script
Google's service, handily enough, provides more control and flexibility than static code delivery.
gtm.js?id=GTM-KCDXG2D don't say anything about the function of the code invoked. Essentially, miscreants are hacking websites and quietly adding Google-hosted tags that contain the malicious coin-mining code, thus obfuscating the source of the scripts.
Mursch said the Globovisión mining code was removed within an hour of discovery, and it's not clear how it got there. He found the Monero-crafting JS, he said, while reviewing another crypto-jacking incident with a Brazilian singer's website.
Google did not immediately respond to a request for comment.
A month ago, when The Register reported that Google short URLs were being co-opted for Monero, there were about 113,000 instances of cryptonight mining. Presently, there are about 180,000.
The Chocolate Factory's Tag Manager Terms of Service prohibits misuse, and the ad distribution biz has systems in place to look for malware in tags and prevent them from firing when found.
"In most cases, affected users are unaware that there are tags serving malware from their containers," the web giant explained on its website. "Usually through no fault of your own, a network provider becomes malware infected when they install 3rd party libraries or templates onto their websites, and subsequently transmit that malware to your site via the custom HTML tag that you published onto your website via Tag Manager."
That being the case, it appears that Google either cannot detect Coinhive code through Tag Manager or it doesn't consider it to be malicious. Most ad blockers, as well as antivirus tools, kill Coin Hive's code on sight these days.
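Because the tag URL reveals nothing about what a container does, a site owner can audit pages directly. The following is an added example, not code from the article or from Google: it lists the Tag Manager container IDs a page references, flags any that are not on the owner's allowlist, and checks a fetched container body for the miner names mentioned above. `ALLOWED_CONTAINERS`, the sample page and the sample container body are constructed placeholders.

```javascript
// Added example: audit a page for Tag Manager containers the site owner did not create.
// ALLOWED_CONTAINERS holds a constructed placeholder ID, not a value from the article.
const ALLOWED_CONTAINERS = new Set(['GTM-EXAMPLE1']);

// Names taken from the article text; a production check would keep a fuller list.
const MINER_MARKERS = ['coinhive', 'cryptonight'];

// Collect container IDs from the script src (gtm.js?id=), the noscript iframe
// (ns.html?id=) and the inline bootstrap snippet, where the ID is a quoted string.
function extractContainerIds(html) {
  const ids = new Set();
  const patterns = [
    /googletagmanager\.com\/(?:gtm\.js|ns\.html)\?id=(GTM-[A-Z0-9]+)/gi,
    /['"](GTM-[A-Z0-9]+)['"]/g,
  ];
  for (const re of patterns) {
    for (const m of html.matchAll(re)) ids.add(m[1].toUpperCase());
  }
  return [...ids].sort();
}

// Containers referenced by the page that the owner has not approved.
function unexpectedContainers(html, allowed = ALLOWED_CONTAINERS) {
  return extractContainerIds(html).filter((id) => !allowed.has(id));
}

// Miner names found in the text of a container body fetched for review.
function minerMarkers(containerSource) {
  const text = containerSource.toLowerCase();
  return MINER_MARKERS.filter((marker) => text.includes(marker));
}

// Constructed sample page: one approved container and one nobody on the team added.
const SAMPLE_PAGE = `
<head>
<script>(function(w,d,s,l,i){/* GTM bootstrap */})(window,document,'script','dataLayer','GTM-EXAMPLE1');</script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-UNKNOWN9"></script>
</head>
<body><noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-EXAMPLE1"></iframe></noscript></body>`;

// Constructed, simplified container body carrying a custom HTML tag.
const SAMPLE_CONTAINER_BODY =
  'var data={"vtp_html":"<script src=//miner.invalid/coinhive.min.js></script>"};';

console.log('unexpected containers:', unexpectedContainers(SAMPLE_PAGE));
console.log('miner markers:', minerMarkers(SAMPLE_CONTAINER_BODY));
```

An unexpected container ID is the stronger signal, since it shows the page was modified even when the container's contents change or evade string matching.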
Coinhive's development team did not respond to a request for comment.
Noting that crypto-jacking tops Malwarebytes' list of security ills likely to be visited upon businesses and consumers in 2018, Mursch said: "We should expect this trend to continue." ®