21 September 2022

Malicious actors continue to abuse Google Tag Manager tool to install e-skimmers

Threat actors are taking advantage of Google Tag Manager (GTM) containers to carry out Magecart e-skimming attacks, planting malicious e-skimmers on e-commerce sites to steal visitors’ payment card data and personally identifiable information, a new report from Recorded Future’s Insikt Group reveals.

GTM is a free tag management platform that allows site owners to add tracking, web analytics, and measurement code to any website or application without editing the site’s source directly.

The researchers said they discovered three significant variants (Variant 1, Variant 2, and Variant 3) of malicious scripts hidden within GTM containers that function either as e-skimmers or as downloaders for installing e-skimmers. Cybercriminals are currently using all three variants to infect e-commerce sites and steal customers’ payment card data.
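Because a GTM container is loaded from a single ID embedded in the page, one cheap defensive check is to inventory every container ID a page references and compare it with the set the site owner actually provisioned. The following is an added example, not code from the report or from Google; the container IDs in the sample markup are constructed for illustration.

```python
import re
from typing import List, Set

# Places where a GTM container ID shows up in page markup:
#  1. the standard inline loader snippet, which ends with ...'dataLayer','GTM-XXXXXX');
#  2. a direct script include:  https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXX
#  3. the <noscript> fallback:  https://www.googletagmanager.com/ns.html?id=GTM-XXXXXX
GTM_ID_PATTERNS = [
    re.compile(r"""['"](GTM-[A-Z0-9]+)['"]\s*\)\s*;"""),
    re.compile(r"googletagmanager\.com/(?:gtm\.js|ns\.html)\?id=(GTM-[A-Z0-9]+)"),
]

def extract_gtm_ids(html: str) -> List[str]:
    """Return every GTM container ID referenced in the markup, de-duplicated, in order found."""
    seen: Set[str] = set()
    ids: List[str] = []
    for pattern in GTM_ID_PATTERNS:
        for match in pattern.finditer(html):
            cid = match.group(1)
            if cid not in seen:
                seen.add(cid)
                ids.append(cid)
    return ids

def unexpected_containers(html: str, allowlist: Set[str]) -> List[str]:
    """Container IDs present on the page that are not in the owner's provisioned set."""
    return [cid for cid in extract_gtm_ids(html) if cid not in allowlist]

# Constructed sample page: the shop's own container (GTM-SHOP001) in the head and
# noscript fallback, plus a second, unexpected container added near the footer.
SAMPLE_HTML = """
<head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-SHOP001');</script>
</head>
<body>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-SHOP001"></iframe></noscript>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ZZ9X7Q"></script>
</body>
"""

if __name__ == "__main__":
    print(unexpected_containers(SAMPLE_HTML, {"GTM-SHOP001"}))  # ['GTM-ZZ9X7Q']
```

This only catches containers referenced in the delivered markup; a skimmer added as a tag inside a legitimate container never appears here, so the tag list inside each provisioned container still has to be reviewed in the GTM console and its publish history audited.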

Insikt Group identified a total of 569 infected domains: 314 of them were infected by a GTM-based e-skimmer variant, while the remaining 255 had infections that exfiltrated stolen data to malicious domains associated with GTM abuse.

“The 314 e-commerce domains were confirmed to have been infected by 1 of the 3 GTM-based e-skimmer variants. 87 of these e-commerce domains remain infected as of August 25, 2022. The average period of infection for those infections that have since been remediated was 3.5 months,” the report reads.

Variant 1 and Variant 2 have been in use since March and June 2021, respectively, while Variant 3 appeared on the threat landscape no later than July 2022. All three variants use separate e-skimming scripts and each e-skimmer variant uses its own set of malicious domains to receive stolen data.

“All 3 variants are currently in use for active infections and have been deployed to infect new e-commerce domain(s) in August 2022, indicating that all 3 variants pose an active risk to e-commerce websites and their customers — and by extension, to financial institutions and card networks,” according to the report.

The researchers found that the threat actors targeted not only “high-value” e-commerce domains with more than 1 million monthly visitors, but also more “modest” sites with about 10,000 monthly visitors.

Most of the infected websites are based in the US (66%), followed by Canada, the UK, Argentina, India, Italy, Australia, Brazil, Greece, Indonesia and others.

The researchers said that more than 165,000 payment card records attributed to victims of GTM container e-skimming have ended up on illegal carding sites on the dark web, but they believe that the number of compromised payment cards is likely higher.
