Web skimmers stealing payment cards via Google Tag Manager found to have infiltrated over 300 sites.

A web skimmer was found to have exploited the legitimate functionality of Google Tag Manager to covertly add malicious JavaScript code and deploy it to over 300 e-commerce stores.

Magecart Groups Abuse Google Tag Manager
Gemini analysts identified 316 e-commerce sites infected with trojanized Google Tag Manager (GTM) containers as part of an ongoing Magecart campaign.

The shift to e-commerce during the COVID-19 pandemic has increased the interest of CNP (card-not-present) fraud actors in e-skimming. As that activity has increased, so has scrutiny from automated scanners and security researchers, which creates pressure on the actors to hide their activity. Using legitimate services is a great opportunity to hide malicious scripts and gain a foothold on affected e-commerce sites.

The “GTM container e-skimmer” variant uses a simple “get all” approach when collecting data from web forms, and attempts to hide the data exfiltration by using a familiar domain name. Once infected with one of the GTM variants, the attacker can modify the attack infrastructure without accessing the victim’s server.

This is an important way to go undetected if changes need to be made, such as a skimmer glitch or modification of a secondary loader or exfiltration URL.

The code, called a “web skimmer” or “Magecart script,” was used to collect payment card information from online shoppers; the data was later sold on underground forums, according to Gemini Advisory, a division of Recorded Future specializing in financial fraud.

According to Gemini Advisory, the attacks targeted a total of 316 online stores and an estimated 88,000 users, with user data being sold online.

What is Google Tag Manager?

A common feature of these attacks is that they exploit Google Tag Manager, a Google tool that allows website owners to dynamically update tracking and analysis code on their sites.


Specifically, they were exploiting the GTM container, a feature for packaging and shipping entire blocks of JavaScript code.

The hackers created their own GTM container, broke into the e-commerce store, and secretly loaded the code without the owner’s knowledge.

Because web security tools, and even website owners inspecting their own code, had difficulty distinguishing the malicious GTM container from their own GTM tags, the attack succeeded and ran undetected for several months.

These malicious GTM containers were loaded with code that collected all the information that the buyer added to the payment form and sent that data to a remote collection server, from where it was monetized in underground forums.
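One defensive check that follows from the detection difficulty described above, as an added example that is not part of the original article or of Gemini Advisory's report: inventory every GTM container a page loads and flag container IDs missing from the store's own allowlist, as well as gtm.js loads from hosts other than Google's. The HTML snippet, container IDs and hostnames below are constructed sample data.

```python
import re

# Hosts from which a genuine GTM container is served.
GOOGLE_GTM_HOSTS = {"www.googletagmanager.com", "googletagmanager.com"}

# Matches gtm.js / ns.html container loads and captures the host and container ID.
LOAD_RE = re.compile(r"https?://([^/\s\"']+)/(?:gtm\.js|ns\.html)\?id=(GTM-[A-Z0-9]+)")
# Matches the container ID passed to the standard inline GTM bootstrap snippet.
INLINE_RE = re.compile(r"'dataLayer'\s*,\s*'(GTM-[A-Z0-9]+)'")

# Constructed sample page: the store's own container (GTM-ABC1234), an injected
# second container (GTM-ZZZ9999), and a load from a look-alike host.
SAMPLE_HTML = """
<script>(function(w,d,s,l,i){/* bootstrap */})(window,document,'script','dataLayer','GTM-ABC1234');</script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ABC1234"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ZZZ9999"></script>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-ZZZ9999"></iframe></noscript>
<script src="https://www.googletagmanager-cdn.example/gtm.js?id=GTM-ABC1234"></script>
"""


def find_gtm_loads(html):
    """Return (host, container_id) pairs for every GTM container load in the page."""
    loads = [(host.lower(), cid) for host, cid in LOAD_RE.findall(html)]
    loads += [("inline-snippet", cid) for cid in INLINE_RE.findall(html)]
    return loads


def audit_gtm(html, allowed_ids):
    """Flag container IDs outside the allowlist and gtm.js loads from non-Google hosts."""
    loads = find_gtm_loads(html)
    unknown = sorted({cid for _, cid in loads if cid not in allowed_ids})
    odd_hosts = sorted({host for host, _ in loads
                        if host != "inline-snippet" and host not in GOOGLE_GTM_HOSTS})
    return {"unknown_containers": unknown, "non_google_hosts": odd_hosts}


if __name__ == "__main__":
    # A store owner would replace this set with the container IDs they actually manage.
    print(audit_gtm(SAMPLE_HTML, {"GTM-ABC1234"}))
```

Run against a saved copy of each checkout page on a schedule; any new container ID or unexpected host is worth a manual review of the container's contents.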

Two threat groups identified so far

Gemini Advisory believes that based on how the malicious GTM container was exploited, this attack was run by two different groups.

The difference between the two groups is that Group 1 embedded the entire web skimmer inside the GTM container, while Group 2 placed a loader running on the hacked site inside the container and loaded the web skimmer after an intermediate step.

The two variants share the tactic of hiding code inside a GTM container: one stores the web skimmer itself inside the container, while the other stores a script inside the container that loads the web skimmer from a dual-use domain.

Analysis of the two variants suggests that a different Magecart group is behind each variant.

Group 1 was the most active, accounting for two-thirds of all hacks, and began its activities in March 2021, while Group 2 began its attacks in May.

Both are hacking online stores running on various platforms such as Magento, WordPress, Shopify, BigCommerce, etc.

Studies show that most of the compromised sites were small online store businesses, and only one had enough traffic to be listed in the Alexa Top 50,000.

Security firm Sansec has also recently released details of various web skimming operations, noting a trend in which groups move beyond web-based breaches to develop their own malware that infiltrates hacked sites at the server level and allows continued access in the future.
