Google Tag Manager containers got exploited by web skimmers

January 18, 2022

Web skimmers have abused the functionality of the Google Tag Manager service to covertly attach and distribute malicious JavaScript code to about 300 e-commerce stores.

The malicious code, known as a “Magecart script”, was used by the web skimmers to harvest the payment card details of online shoppers; the stolen data was later offered for auction on deep web carding forums.

Overall, this malicious threat campaign reached about 316 online stores and approximately 80,000 users who had their data sold.


The distinguishing feature of this web skimmer campaign was its abuse of Google Tag Manager. GTM is a Google tool that lets website owners update analytics and tracking codes on their domains.


The attacks abused GTM containers, a feature that lets a user package and ship whole bodies of JavaScript code. The campaign works as follows: a threat actor creates their own GTM container, breaks into an e-commerce store, and secretly plants the code that loads that container without the owner’s awareness.

This kind of attack was successful for a couple of months and stayed under the radar for many months, because neither web security tools nor website owners’ own inspections were enough to tell the malicious Google Tag Manager container apart from the store’s legitimate GTM containers.

However, an advisory revealed that these malicious containers inject code that gathers all the information customers enter into payment forms. Once the web skimmers have finished collecting the payment form data, the payload sends it to a remote collection server, from which the threat actors then sell it on underground forums.
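As an added illustration (not code from the article or from the researchers it cites), a defender-side check that follows directly from the description above: enumerate every GTM container ID a checkout page actually loads and compare it against the store owner’s own list of authorised containers, so an extra, attacker-owned container stands out even though it is served from Google’s legitimate domain. The container IDs and the page snippet below are constructed placeholders.

```python
import re

# Loose pattern for a GTM container ID as it appears in page source, whether
# in the inline loader snippet ('GTM-XXXXXXX'), a direct gtm.js?id=GTM-XXXXXXX
# script tag, or the <noscript> ns.html?id=GTM-XXXXXXX fallback iframe.
GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,10}\b")


def find_gtm_containers(html: str) -> set[str]:
    """Return every GTM container ID referenced anywhere in the page source."""
    return set(GTM_ID_RE.findall(html))


def unknown_containers(html: str, allowlist: set[str]) -> set[str]:
    """Container IDs the page loads that the store owner did not authorise.

    A legitimate store normally loads exactly the containers it created; any
    other ID is a candidate for an injected, attacker-controlled container.
    """
    return find_gtm_containers(html) - set(allowlist)


# Constructed sample checkout page: the store's own container is loaded in the
# usual way in <head> and <noscript>, and a second container has been appended
# to the template. Both IDs are made-up placeholders, not real containers.
SAMPLE_HTML = """
<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s);j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-SHOP123');</script>
</head><body>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-SHOP123"></iframe></noscript>
<form id="checkout"><input name="card_number"><input name="cvv"></form>
<!-- line appended to the theme footer without the owner's knowledge (constructed) -->
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EVIL456"></script>
</body></html>
"""

# The store owner's record of the containers they actually created.
STORE_ALLOWLIST = {"GTM-SHOP123"}

if __name__ == "__main__":
    for cid in sorted(unknown_containers(SAMPLE_HTML, STORE_ALLOWLIST)):
        print(f"unexpected GTM container loaded by page: {cid}")
```

In practice the same function is run over the live, rendered page source of every checkout template rather than a saved copy, since the injected loader can be added to any template the intruder can edit.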

As of writing, two threat actors have been identified. Researchers believe, from how the attacks were carried out, that two separate groups were behind the web skimming attacks. There are also two significant differences between the threat actors: the first group embedded an entire web skimmer inside their GTM container, while the other placed only a loader inside the container, which then operated on the compromised site.

The researchers said that even though the two actors are distinct, they share the same method of hacking the GTM containers.
