A total of 569 e-commerce domains have been found to be skimmer-infected by security experts at Recorded Future, and 314 of those have been compromised by web skimmers that use Google Tag Manager (GTM) containers. The legitimate Google service GTM, which is generally used for marketing and usage tracking, depends on containers to embed JavaScript and other types of resources into websites. However, cybercriminals are taking advantage of GTM containers to inject HTML or JavaScript code into the sites that employ Google’s service.
“In most contemporary cases, the threat actors themselves create the GTM containers and then inject the GTM loader script configuration needed to load them into the e-commerce domains (as opposed to injecting malicious code into existing GTM containers that were created by the e-commerce website administrators),” Recorded Future notes.
All 569 of the skimmer-infected e-commerce sites were connected to GTM abuse in some way: 314 carried a GTM-based skimmer directly, while the other 255 exfiltrated stolen data to domains tied to the GTM container abuse. A GTM-based skimmer was still present on 87 e-commerce websites as of August 2022, and the total number of compromised credit cards was most likely in the hundreds of thousands.
Two years ago, Recorded Future discovered three main malicious script versions concealed within GTM containers and either employed as skimmers or as downloaders for skimmers. The newest of them was implemented no later than July 2022, while the first two were used around March and June 2021. These scripts are introduced into e-commerce websites to gather users’ personally identifiable information (PII) and credit card information and exfiltrate it to servers under the attackers’ control.
According to Recorded Future, infected GTM containers let threat actors update their malicious scripts without accessing the victim domain’s systems, which helps them avoid detection. In addition, administrators may put Google services and other trusted source domains on an “allow” list, which can stop security tools from inspecting the contents of GTM containers at all. On average, an infected domain hosts a skimmer for 3.5 months.
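One detection check that follows from this observation, written here as an added example rather than Recorded Future’s own tooling: because the attackers create their own containers, a page that loads a GTM container ID the site owner never registered is a signal, even though the loader is fetched from Google’s legitimate host. The HTML sample and container IDs below are constructed for illustration.

```python
import re

# The standard GTM loader appears in two forms: an inline bootstrap that ends
# with ...,'dataLayer','GTM-XXXXXX') and a direct reference to
# googletagmanager.com/gtm.js?id=GTM-XXXXXX (the <noscript> fallback uses
# ns.html?id=...). Both carry the container ID, which is what this check keys on.
GTM_ID_PATTERNS = [
    re.compile(r"googletagmanager\.com/(?:gtm\.js|ns\.html)\?[^\"'>\s]*?\bid=(GTM-[A-Z0-9]+)", re.I),
    re.compile(r"['\"]dataLayer['\"]\s*,\s*['\"](GTM-[A-Z0-9]+)['\"]\s*\)", re.I),
]


def extract_gtm_ids(html: str) -> set[str]:
    """Return every GTM container ID referenced by a loader snippet in the page."""
    ids: set[str] = set()
    for pattern in GTM_ID_PATTERNS:
        ids.update(m.group(1).upper() for m in pattern.finditer(html))
    return ids


def find_unexpected_containers(html: str, approved: set[str]) -> set[str]:
    """Container IDs the page loads that are not in the site's registered set.

    An attacker-created container has an ID the site owner never registered,
    so an allow-list keyed on the Google domain alone would miss it, but an
    allow-list keyed on container IDs does not.
    """
    return extract_gtm_ids(html) - {a.upper() for a in approved}


# Constructed sample page: the site's own loader (GTM-AAAA111) plus a second
# loader that pulls a container the site never registered (GTM-ZZZZ999).
SAMPLE_HTML = """<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-AAAA111');</script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ZZZZ999"></script>
</head><body>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-AAAA111"></iframe></noscript>
</body></html>"""

# Constructed: the only container the (hypothetical) site owner registered.
APPROVED_CONTAINERS = {"GTM-AAAA111"}

if __name__ == "__main__":
    print("containers loaded:", sorted(extract_gtm_ids(SAMPLE_HTML)))
    print("unregistered containers:", sorted(find_unexpected_containers(SAMPLE_HTML, APPROVED_CONTAINERS)))
```

Run against a crawl of a storefront’s checkout pages, any ID that lands in the unregistered set is worth pulling up in the GTM console to see who owns it and what tags it carries.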
Recorded Future found that platforms compromised in verified GTM-based attacks had exfiltrated more than 165,000 payment card details, which were later sold in dark web carding shops. The three GTM-based skimmer variants have been used against a wide range of e-commerce domains, from prominent targets with over 1 million monthly visits to platforms with fewer than 10,000 monthly visitors, the cybersecurity company said. The United States topped the list of affected companies’ home countries, with Canada, the United Kingdom, Argentina, and India filling out the top five.