Security researchers with Recorded Future have identified a total of 569 ecommerce domains infected with skimmers, 314 of which have been infected with web skimmers leveraging Google Tag Manager (GTM) containers.
A legitimate Google service typically used for marketing and usage tracking, GTM relies on containers for embedding JavaScript and other types of resources into websites, and cybercriminals are abusing GTM containers to have HTML or JavaScript code injected into the websites that use Google’s service.
“In most contemporary cases, the threat actors themselves create the GTM containers and then inject the GTM loader script configuration needed to load them into the e-commerce domains (as opposed to injecting malicious code into existing GTM containers that were created by the e-commerce website administrators),” Recorded Future notes.
All of the 569 ecommerce platforms infected with skimmers were associated in one way or the other with GTM abuse. While 314 have been infected with a GTM-based skimmer, data from the remaining 255 has been exfiltrated to domains associated with GTM container abuse.
As of August 2022, there were 87 ecommerce websites still infected with a GTM-based skimmer, with the total number of compromised payment cards likely in the hundreds of thousands range.
Over the past two years, Recorded Future has identified three major variants of malicious scripts hidden within GTM containers used either as skimmers or as downloaders for skimmers. Two of these came into use around March and June 2021, while the most recent one came into use no later than July 2022.
These scripts are injected into ecommerce domains to collect visitors’ payment card data and personally identifiable information (PII) and then exfiltrate it to servers under the attackers’ control.
By leveraging infected GTM containers, the threat actors can update malicious scripts without having to access the victim domain’s system, which helps prevent detection, Recorded Future explains.
Furthermore, administrators may place trusted source domains such as Google services on an ‘allow’ list, meaning that security applications may end up not scanning the contents of GTM containers. A skimmer persists on an infected domain for an average of 3.5 months.
Recorded Future says it has identified more than 165,000 payment card records being offered for sale on dark web carding shops that have been exfiltrated from platforms infected by confirmed GTM-based attacks.
According to the cybersecurity firm, the three identified GTM-based skimmer variants have been used against a broad range of e-commerce domains, including high-profile targets with over 1 million monthly visitors, as well as platforms with less than 10,000 monthly visitors.
The domains of companies headquartered in the United States were targeted the most, with Canada, the United Kingdom, Argentina, and India rounding up the top five.
Related: Web Skimmer Injected Into Hundreds of Magento-Powered Stores
Related: Target Open Sources Web Skimmer Detection Tool
Related: Skimmer Injected Into 100 Real Estate Websites via Cloud Video Platform
