21 September 2022

Malicious actors continue to abuse Google Tag Manager tool to install e-skimmers


Threat actors are taking advantage of Google’s Tag Manager (GTM) containers to carry out Magecart e-skimming attacks that plant malicious e-skimmers on e-commerce sites to steal payment card data and personally identifiable information of visitors, a new report from Recorded Future’s Insikt Group reveals.

GTM is a free tag management platform that lets site owners add tracking, web analytics, and measurement code to any website or application without editing the site’s source directly.

The researchers said they discovered three significant variants (Variant 1, Variant 2, and Variant 3) of malicious scripts hidden within GTM containers that function either as e-skimmers or as downloaders for installing e-skimmers. Cybercriminals are currently using all three variants to infect e-commerce sites and steal customers’ payment card data.

Insikt Group identified a total of 569 infected domains, 314 of which were infected by a GTM-based e-skimmer variant, while the remaining 255 had infections that exfiltrated stolen data to malicious domains associated with GTM abuse.

“The 314 e-commerce domains were confirmed to have been infected by 1 of the 3 GTM-based e-skimmer variants. 87 of these e-commerce domains remain infected as of August 25, 2022. The average period of infection for those infections that have since been remediated was 3.5 months,” the report reads.

Variant 1 and Variant 2 have been in use since March and June 2021, respectively, while Variant 3 appeared on the threat landscape no later than July 2022. All three variants use separate e-skimming scripts and each e-skimmer variant uses its own set of malicious domains to receive stolen data.
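Because these infections ride on GTM containers and on script sources a shop never approved, a site owner can catch them by comparing what a page actually loads against an allowlist. The following audit script is an added example written for this article; it is not code from the Recorded Future report, and the container IDs, hosts and sample page it uses are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# GTM container IDs as they appear in gtm.js?id=..., ns.html?id=... or the inline snippet.
GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,10}\b")
# External <script src=...> references; relative paths (first-party) are skipped below.
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.IGNORECASE)
HOST_RE = re.compile(r"^(?:https?:)?//([^/]+)", re.IGNORECASE)


@dataclass
class AuditResult:
    unknown_containers: set = field(default_factory=set)
    unknown_script_hosts: set = field(default_factory=set)


def audit_page(html, allowed_containers, allowed_hosts):
    """Return GTM container IDs and external script hosts that are not on the allowlists."""
    result = AuditResult()
    for cid in set(GTM_ID_RE.findall(html)):
        if cid not in allowed_containers:
            result.unknown_containers.add(cid)
    for src in SCRIPT_SRC_RE.findall(html):
        m = HOST_RE.match(src)
        if m and m.group(1).lower() not in allowed_hosts:
            result.unknown_script_hosts.add(m.group(1).lower())
    return result


# Constructed sample page: the shop's own container (GTM-EXPECTD) plus an injected
# second container (GTM-INJECTD) and a loader pulled from an unapproved host.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-EXPECTD"></script>
<script>(function(w,d,s,l,i){/* GTM snippet body elided */})(window,document,'script','dataLayer','GTM-INJECTD');</script>
<script src="//unapproved-cdn.invalid/loader.js"></script>
<script src="/static/app.js"></script>
</head><body><noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-EXPECTD"></iframe></noscript></body></html>"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML, {"GTM-EXPECTD"}, {"www.googletagmanager.com"})
    print("unexpected containers:", sorted(report.unknown_containers))
    print("unexpected script hosts:", sorted(report.unknown_script_hosts))
```

Run it against periodic fetches of checkout pages; a new container ID or host appearing in the output is the signal to pull the container's configuration for review.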

“All 3 variants are currently in use for active infections and have been deployed to infect new e-commerce domain(s) in August 2022, indicating that all 3 variants pose an active risk to e-commerce websites and their customers — and by extension, to financial institutions and card networks,” according to the report.

It was found that the threat actors targeted not only “high-value” e-commerce domains with more than 1 million monthly visitors, but also more “modest” sites with about 10,000 monthly visitors.

Most of the infected websites are based in the US (66%), followed by Canada, the UK, Argentina, India, Italy, Australia, Brazil, Greece, Indonesia and others.

The researchers said that more than 165,000 payment card records attributed to victims of GTM container e-skimming have ended up on illegal carding sites on the dark web, but they believe that the number of compromised payment cards is likely higher.
