Why is there a strange GTM tag in the code of my Joomla site?

Google Tag Manager is a popular tool for inserting code snippets on your website. It’s flexible, powerful but also can be exploited: on the site of a potential client we recently spotted a ‘rogue’ GTM code which was being used to run malicious malware.

  • What is a Google Tag Manager (GTM) tag?

    Before we get started, let’s understand what a GTM tag is exactly…

    Google Tag Manager – or GTM – is a tool used to dynamically inject JavaScript code snippets into the code of a website. It’s most commonly used to insert site tracking (analytics) and advertising tags.

    Thanks to GTM this sort of tag no longer needs to be inserted manually in your site source code, instead, you can manage everything from the Google Tag Manager website.

    The only thing you need to do on your own site is to paste a short GTM code snippet including your own unique GTM ID:

    <script async="" src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX" ></script>

    Read about Adding Google Tag Manager to a Joomla site.

    Known rogue GTM tags: (updated regularly)

    Great potential … but also for exploitation

    JavaScript tags are very popular and used on the majority of websites – in increasing numbers. Google Tag Manager provides a convenient way of managing these tags in one place, and has also grown massively in popularity.

    But the ability to easily insert code also potentially opens the door for hackers: by adding just 2-3 lines of seemingly innocuous code to a website you can easily execute all sorts of – far less innocuous – code behind the scenes.

    The investigation: a mysterious GTM tag

    A potential client contacted us recently with several tasks, one of which was to explain the presence of an unfamiliar GTM tag in the code of their Joomla website.

    By Googling the specific GTM account ID we quickly found out the same GTM account was in use on a variety of completely unconnected sites.

    An image of evidence panel hovered by a magnifying glass.

    We also found references to several forum posts with helpful titles such as “I have the code GTM-xxxxxxx Tag on my site, why is it there?”

    Something shady was afoot.

    We then looked at the Joomla site in more detail and quickly realised that the code was being inserted via a hacked file in the website template.

    Typically this sort of hack results from a heavily outdated extension or Joomla version, but this was the first time we’d seen an injected GTM tag leveraged as a method of loading malicious code.

    So what was going on here exactly?

    The modified PHP code inserts a GTM Tag in the head of the website. This amounts to only a single line of code inside the <head> of the site. Something the website owner most likely won’t even notice.

    Once this code is triggered, GTM itself inserts the mischievous Javascript code that wreaks havoc on your site! … okay, I’m being dramatic. In fact the exploit attempts to remain entirely hidden while making use of your server and/or website to generate profits for the bad man that put it there.

    An image showing a man involved in computer hacking.

    What does the malicious GTM code do?

    The most popular exploit we found was ad generation, with infected sites displaying unwanted advertising to generate revenue for the hacker.

    We also identified several intelligent ways in which the attacker attempted to hide the ad presence from the website owner:

    • Some ads were only visible on mobile phones. Presumably, the attacker assumed that the site owner is unlikely to visit their own site using a smartphone and hence discover the advertising
    • More intelligent yet, the script blacklists IP addresses it recognises as connected to the website and deactivates the advertising for these users
    An image of a laptop screen displaying advertisements.

    We also saw instances of the exploit adding redirect links to sites that filled with ads. Another – albeit less sophisticated – method of generating revenue for the attacker.

    I’ve been hacked: how can I fix my site?

    Simply deleting the hacked files is unlikely to help, since the GTM Tag in the code of your site is programmed to regular check whether the malicious code is there … and if not, immediately regenerate it.

    In most cases the source of the vulnerability lies in outdated software – either Joomla or an extension installed within Joomla – or else a malicious extension which was installed without prior research.

    If you have a recent backup of your website, the simplest solution is often to simply restore the last working backup of your website. Remember to double-check that the restored version of the site is hack-free!

    Read about Restoring a Joomla website from a backup.

    We offer service & support with all aspects of your site.
    If you need help restoring your site and keeping it updated, Contact us and we will get back to you shortly.

    Further Insights