Connect with us

Hi, what are you looking for?



Hundreds of eCommerce Domains Infected With Google Tag Manager-Based Skimmers

Security researchers with Recorded Future have identified a total of 569 ecommerce domains infected with skimmers, 314 of which have been infected with web skimmers leveraging Google Tag Manager (GTM) containers.

Security researchers with Recorded Future have identified a total of 569 ecommerce domains infected with skimmers, 314 of which have been infected with web skimmers leveraging Google Tag Manager (GTM) containers.

A legitimate Google service typically used for marketing and usage tracking, GTM relies on containers for embedding JavaScript and other types of resources into websites, and cybercriminals are abusing GTM containers to have HTML or JavaScript code injected into the websites that use Google’s service.

“In most contemporary cases, the threat actors themselves create the GTM containers and then inject the GTM loader script configuration needed to load them into the e-commerce domains (as opposed to injecting malicious code into existing GTM containers that were created by the e-commerce website administrators),” Recorded Future notes.

All of the 569 ecommerce platforms infected with skimmers were associated in one way or the other with GTM abuse. While 314 have been infected with a GTM-based skimmer, data from the remaining 255 has been exfiltrated to domains associated with GTM container abuse.

As of August 2022, there were 87 ecommerce websites still infected with a GTM-based skimmer, with the total number of compromised payment cards likely in the hundreds of thousands range.

Over the past two years, Recorded Future has identified three major variants of malicious scripts hidden within GTM containers used either as skimmers or as downloaders for skimmers. Two of these came into use around March and June 2021, while the most recent one came into use no later than July 2022.

These scripts are injected into ecommerce domains to collect visitors’ payment card data and personally identifiable information (PII) and then exfiltrate it to servers under the attackers’ control.

By leveraging infected GTM containers, the threat actors can update malicious scripts without having to access the victim domain’s system, which helps prevent detection, Recorded Future explains.

Advertisement. Scroll to continue reading.

Furthermore, administrators may place trusted source domains such as Google services on an ‘allow’ list, meaning that security applications may end up not scanning the contents of GTM containers. A skimmer persists on an infected domain for an average of 3.5 months.

Recorded Future says it has identified more than 165,000 payment card records being offered for sale on dark web carding shops that have been exfiltrated from platforms infected by confirmed GTM-based attacks.

According to the cybersecurity firm, the three identified GTM-based skimmer variants have been used against a broad range of e-commerce domains, including high-profile targets with over 1 million monthly visitors, as well as platforms with less than 10,000 monthly visitors.

The domains of companies headquartered in the United States were targeted the most, with Canada, the United Kingdom, Argentina, and India rounding up the top five.

Related: Web Skimmer Injected Into Hundreds of Magento-Powered Stores

Related: Target Open Sources Web Skimmer Detection Tool

Related: Skimmer Injected Into 100 Real Estate Websites via Cloud Video Platform

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.