What is a Google Tag Manager (GTM) tag?
Before we get started, let’s understand what a GTM tag is exactly…
Thanks to GTM, this sort of tag no longer needs to be inserted manually into your site's source code; instead, you manage everything from the Google Tag Manager website.
The only thing you need to do on your own site is to paste a short GTM code snippet including your own unique GTM ID:
<script async="" src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX" ></script>
Read about Adding Google Tag Manager to a Joomla site.
Known rogue GTM tags: (updated regularly)
Great potential … but also for exploitation
But the ability to insert code so easily also opens the door for attackers: by adding just 2-3 lines of seemingly innocuous code to a website, they can load and execute all sorts of far less innocuous code behind the scenes.
The investigation: a mysterious GTM tag
A potential client contacted us recently with several tasks, one of which was to explain the presence of an unfamiliar GTM tag in the code of their Joomla website.
By Googling the specific GTM account ID we quickly found out the same GTM account was in use on a variety of completely unconnected sites.
We also found references to several forum posts with helpful titles such as “I have the code GTM-xxxxxxx Tag on my site, why is it there?”
Something shady was afoot.
We then looked at the Joomla site in more detail and quickly realised that the code was being inserted via a hacked file in the website template.
Typically this sort of hack results from a heavily outdated extension or Joomla version, but this was the first time we’d seen an injected GTM tag leveraged as a method of loading malicious code.
So what was going on here exactly?
The modified PHP code inserts a GTM tag into the <head> of the website: a single line of code that the website owner most likely won't even notice.
What does the malicious GTM code do?
The most common abuse we found was ad injection, with infected sites displaying unwanted advertising to generate revenue for the attacker.
We also identified several intelligent ways in which the attacker attempted to hide the ad presence from the website owner:
- Some ads were only visible on mobile phones. Presumably the attacker assumed that a site owner is unlikely to visit their own site from a smartphone and hence discover the advertising.
- More cunningly still, the script blacklists IP addresses it recognises as associated with the website and deactivates the advertising for those visitors.
We also saw instances of the injected code adding redirect links to sites filled with ads, another, less sophisticated, method of generating revenue for the attacker.
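The two checks a site owner can run against the behaviour described above (an unrecognised container ID in the template files, and an injection that only shows for some visitors), as an added example that is not code from the original post. The directory layout, the allowlist of container IDs and the two HTML captures are constructed; in practice the captures would come from fetching your own page with a desktop and a mobile User-Agent, ideally from a network address the site does not associate with you.

```python
"""Added example (not from the original post): audit a Joomla install for
GTM container IDs the owner does not recognise, and compare two captures of
the rendered page for script sources that differ between visitors.

Everything below (site root, allowlist, sample files, captures) is constructed.
"""
import re
import tempfile
from pathlib import Path

# GTM container IDs look like GTM-XXXXXXX (upper-case letters and digits).
GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,10}\b")
# External script sources in a rendered page.
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc=[\"']([^\"']+)[\"']", re.IGNORECASE)
# File types in which an injected tag, or the PHP that emits it, would live.
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}


def find_gtm_ids(text: str) -> set[str]:
    """Return every GTM container ID referenced in a piece of text."""
    return set(GTM_ID_RE.findall(text))


def scan_tree(root: str, allowed_ids: set[str]) -> list[tuple[str, int, str]]:
    """Walk the site tree and report (file, line number, id) for every GTM ID
    that is not in the owner's allowlist."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for lineno, line in enumerate(lines, start=1):
            for gtm_id in sorted(find_gtm_ids(line)):
                if gtm_id not in allowed_ids:
                    findings.append((str(path.relative_to(root)), lineno, gtm_id))
    return findings


def compare_captures(reference_html: str, other_html: str) -> dict[str, set[str]]:
    """Compare two captures of the same page (desktop vs mobile user agent, or
    office IP vs outside IP) and return what appears in only one of them.
    An injection cloaked for the owner shows up as the difference."""
    ref_src = set(SCRIPT_SRC_RE.findall(reference_html))
    other_src = set(SCRIPT_SRC_RE.findall(other_html))
    return {
        "only_in_reference": ref_src - other_src,
        "only_in_other": other_src - ref_src,
        "gtm_only_in_other": find_gtm_ids(other_html) - find_gtm_ids(reference_html),
    }


def build_sample_site(root: str) -> None:
    """Write a constructed miniature Joomla template: one legitimate GTM
    snippet in index.php and one injected line in error.php (sample data)."""
    tpl = Path(root) / "templates" / "mytemplate"
    tpl.mkdir(parents=True)
    (tpl / "index.php").write_text(
        "<?php defined('_JEXEC') or die; ?>\n"
        "<head>\n"
        '<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-AAAA111"></script>\n'
        "</head>\n",
        encoding="utf-8",
    )
    # The injected line: PHP that echoes a second, unrecognised container.
    (tpl / "error.php").write_text(
        "<?php defined('_JEXEC') or die;\n"
        "echo '<script async src=\"https://www.googletagmanager.com/gtm.js?id=GTM-ZZZZ999\"></script>';\n",
        encoding="utf-8",
    )


# Constructed captures of the same page as seen by a desktop and a mobile visitor.
DESKTOP_CAPTURE = """<html><head>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-AAAA111"></script>
</head><body>site content</body></html>"""

MOBILE_CAPTURE = """<html><head>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-AAAA111"></script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-ZZZZ999"></script>
</head><body>site content</body></html>"""


def run_demo() -> dict:
    """Build the sample site in a temporary directory, scan it against an
    allowlist containing only the owner's container, and diff the captures."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        findings = scan_tree(root, allowed_ids={"GTM-AAAA111"})
    return {"findings": findings, "diff": compare_captures(DESKTOP_CAPTURE, MOBILE_CAPTURE)}


if __name__ == "__main__":
    result = run_demo()
    for file, lineno, gtm_id in result["findings"]:
        print(f"unrecognised container {gtm_id} in {file}:{lineno}")
    print("scripts served only to the mobile capture:", sorted(result["diff"]["only_in_other"]))
```

Point `scan_tree` at the web root of a live site, or at a restored backup before putting it live, with the container IDs you actually own as the allowlist; any hit outside that list is a file worth reading in full, since the GTM ID is only the visible end of the injection.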
I’ve been hacked: how can I fix my site?
Simply deleting the hacked files is unlikely to help, since the GTM tag in the code of your site is programmed to check regularly whether the malicious code is still there and, if not, to regenerate it immediately.
In most cases the source of the vulnerability lies in outdated software – either Joomla or an extension installed within Joomla – or else a malicious extension which was installed without prior research.
If you have a recent backup of your website, the simplest solution is often to restore the last working backup. Remember to double-check that the restored version of the site is hack-free!
Read about Restoring a Joomla website from a backup.
We offer service & support with all aspects of your site.
If you need help restoring your site and keeping it updated, Contact us and we will get back to you shortly.