Magecart Groups Abuse Google Tag Manager

Editor’s Note: The following post is an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.

Gemini analysts have observed 316 e-commerce sites infected by Magecart attacks that deploy trojanized Google Tag Manager (GTM) containers since February 4, 2021. These attacks fall under two variants: one that embeds the malicious e-skimmer script in the container and another that uses the container to download the actual e-skimmer script from a separate dual-use domain. Most of the victims for both variants were US-based sites and used the Magento e-commerce platform. Analysis of the two variants suggest that distinct Magecart groups are responsible for each variant.

This technique capitalizes on the ability to place JavaScript within the GTM container. The abuse of this legitimate Google service is concerning because it provides threat actors free infrastructure upon which they can host their scripts, enhancing their capability to avoid detection. The Magecart actors behind these increasingly popular attacks have posted at least 88,000 payment card records from these attacks to the dark web markets. Smaller e-commerce shops are the most common target since they often lack the resources or interest to design robust security systems.

The shift to e-commerce due to the COVID-19 pandemic has increased interest in CNP e-skimming activity. As the level of activity increases, so too does the level of effort to mask activity from automated scanners and security researchers. The use of a legitimate service offers an excellent opportunity to hide malicious scripts and thus maintain a foothold on victimized e-commerce sites.

Editor’s Note: This post was an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.