Magecart Groups Abuse Google Tag Manager - Gemini Advisory Report

Magecart Groups Abuse Google Tag Manager

December 6, 2021 • Gemini Advisory

Editor’s Note: The following post is an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report. 

Gemini analysts have observed 316 e-commerce sites infected by Magecart attacks that deploy trojanized Google Tag Manager (GTM) containers since February 4, 2021. These attacks fall under two variants: one that embeds the malicious e-skimmer script in the container and another that uses the container to download the actual e-skimmer script from a separate dual-use domain. Most of the victims for both variants were US-based sites and used the Magento e-commerce platform. Analysis of the two variants suggest that distinct Magecart groups are responsible for each variant.

This technique capitalizes on the ability to place JavaScript within the GTM container. The abuse of this legitimate Google service is concerning because it provides threat actors free infrastructure upon which they can host their scripts, enhancing their capability to avoid detection. The Magecart actors behind these increasingly popular attacks have posted at least 88,000 payment card records from these attacks to the dark web markets. Smaller e-commerce shops are the most common target since they often lack the resources or interest to design robust security systems.

The shift to e-commerce due to the COVID-19 pandemic has increased interest in CNP e-skimming activity. As the level of activity increases, so too does the level of effort to mask activity from automated scanners and security researchers. The use of a legitimate service offers an excellent opportunity to hide malicious scripts and thus maintain a foothold on victimized e-commerce sites.

Editor’s Note: This post was an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.

New call-to-action

Related Posts

The People’s Liberation Army in the South China Sea: An Organizational Guide

The People’s Liberation Army in the South China Sea: An Organizational Guide

January 19, 2022 • Insikt Group®

Editor’s Note: The following post is an excerpt of a full report To read the entire analysis,...

2021 Adversary Infrastructure Report

2021 Adversary Infrastructure Report

January 18, 2022 • Insikt Group®

Editor’s Note: The following post is an excerpt of a full report To read the entire analysis,...

FIN7 Uses Flash Drives to Spread Remote Access Trojan

FIN7 Uses Flash Drives to Spread Remote Access Trojan

January 13, 2022 • Gemini Advisory

Editor’s Note: The following post is an excerpt of a full report by Gemini Advisory To read the...