Hundreds of eCommerce Domains Infected With Google Tag Manager-Based Skimmers

Security researchers with Recorded Future have identified a total of 569 ecommerce domains infected with skimmers, 314 of which have been infected with web skimmers leveraging Google Tag Manager (GTM) containers.

A legitimate Google service typically used for marketing and usage tracking, GTM relies on containers for embedding JavaScript and other types of resources into websites, and cybercriminals are abusing GTM containers to have HTML or JavaScript code injected into the websites that use Google’s service.

“In most contemporary cases, the threat actors themselves create the GTM containers and then inject the GTM loader script configuration needed to load them into the e-commerce domains (as opposed to injecting malicious code into existing GTM containers that were created by the e-commerce website administrators),” Recorded Future notes.

All of the 569 ecommerce platforms infected with skimmers were associated in one way or another with GTM abuse. While 314 have been infected with a GTM-based skimmer, data from the remaining 255 has been exfiltrated to domains associated with GTM container abuse.

As of August 2022, there were 87 ecommerce websites still infected with a GTM-based skimmer, with the total number of compromised payment cards likely in the hundreds of thousands range.

Over the past two years, Recorded Future has identified three major variants of malicious scripts hidden within GTM containers used either as skimmers or as downloaders for skimmers. Two of these came into use around March and June 2021, while the most recent one came into use no later than July 2022.

These scripts are injected into ecommerce domains to collect visitors’ payment card data and personally identifiable information (PII) and then exfiltrate it to servers under the attackers’ control.

By leveraging infected GTM containers, the threat actors can update malicious scripts without having to access the victim domain’s system, which helps prevent detection, Recorded Future explains.

Furthermore, administrators may place trusted source domains such as Google services on an ‘allow’ list, meaning that security applications may end up not scanning the contents of GTM containers. A skimmer persists on an infected domain for an average of 3.5 months.
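Because the attackers typically load containers they created themselves, and the Google domain is often allow-listed, one practical check is to compare the container IDs a page references against the IDs the site owner actually created. The following Python sketch is an added example, not code from Recorded Future or the article; the inventory, container IDs and page markup are constructed sample values, and the context patterns assume the standard GTM install snippet.

```python
import re

# Any GTM container ID literal, wherever it appears in the page source.
GTM_ID = re.compile(r"\bGTM-[A-Z0-9]{4,12}\b")

# Contexts from the standard GTM install snippet, used to label each finding.
CONTEXTS = [
    ("loader-url", re.compile(r"googletagmanager\.com/gtm\.js\?id=$")),
    ("noscript-iframe", re.compile(r"googletagmanager\.com/ns\.html\?id=$")),
    ("inline-loader", re.compile(r"['\"]script['\"]\s*,\s*['\"]\w+['\"]\s*,\s*['\"]$")),
]

def find_containers(html):
    """Return {container_id: sorted context labels} for one page's source."""
    found = {}
    for m in GTM_ID.finditer(html):
        prefix = html[max(0, m.start() - 80):m.start()]
        label = next((name for name, rx in CONTEXTS if rx.search(prefix)), "other")
        found.setdefault(m.group(0), set()).add(label)
    return {cid: sorted(labels) for cid, labels in found.items()}

def unknown_containers(html, inventory):
    """Containers referenced by the page that the site owner did not create."""
    return {cid: ctx for cid, ctx in find_containers(html).items()
            if cid not in inventory}

# Constructed sample data: one container the site's own team created, a clean
# page that loads only that container, and the same page with an extra loader.
INVENTORY = {"GTM-OWNED01"}
CLEAN_PAGE = """<head><script>(function(w,d,s,l,i){/* loader body */})
(window,document,'script','dataLayer','GTM-OWNED01');</script></head>
<body><noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-OWNED01">
</iframe></noscript></body>"""
INJECTED_PAGE = CLEAN_PAGE + """
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE9"></script>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, unknown_containers(page, INVENTORY))
```

A container ID assembled at runtime will not appear as a literal in the page source, so this check complements, rather than replaces, inspecting the requests the rendered page makes.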

Recorded Future says it has identified more than 165,000 payment card records being offered for sale on dark web carding shops that have been exfiltrated from platforms infected by confirmed GTM-based attacks.

According to the cybersecurity firm, the three identified GTM-based skimmer variants have been used against a broad range of e-commerce domains, including high-profile targets with over 1 million monthly visitors, as well as platforms with fewer than 10,000 monthly visitors.

The domains of companies headquartered in the United States were targeted the most, with Canada, the United Kingdom, Argentina, and India rounding out the top five.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
