Recent cyber attacks have unveiled a new tactic by the notorious Magecart group, targeting online shoppers through Google Tag Manager (GTM). This development underscores a shift in digital theft strategies, where hackers inject harmful code into GTM containers to steal credit card information.
Understanding Google Tag Manager’s Role
Google Tag Manager is widely used by websites to manage marketing and analytics scripts, benefiting from the trust in its domain, googletagmanager.com. This trust is being exploited by cybercriminals who introduce fake GTM containers to deploy skimming scripts, thus capturing payment details without detection.
Security firm Sucuri has been following this campaign, identifying it as the work of a long-standing threat actor known as ATMZOW. This group, linked to Magecart since 2015, previously compromised numerous Magento-based stores, indicating a persistent and evolving threat.
The Scale and Impact of the Attacks
In 2023 alone, Sucuri’s SiteCheck scanner identified malicious GTM containers on 327 websites, with one container, GTM-WJV6J6, flagged 178 times before removal by Google. However, attackers quickly replace removed containers, continuing to infect new sites.
Because the skimmer is delivered through GTM, a trusted service, its scripts look like ordinary marketing tags and are hard to distinguish from legitimate ones. Shoppers, unaware of the breach, enter their card information on seemingly secure sites, only to have their details intercepted by the attackers.
Technical Insights into the Skimmer Operation
The ATMZOW skimmer employs a series of obfuscated scripts within GTM containers to target payment pages specifically. This selective activation helps it avoid detection by automated security systems.
To evade tracking, the skimmer rotates between two domains from a pool of 40 newly registered names, using local storage to maintain consistency across visits. These domains, registered through Hostinger, blend in with analytics-style names, complicating efforts to map the full infrastructure.
The skimmer’s resilience is further enhanced by a custom decoding mechanism, which resists modification and automated analysis. Even after Google removed a compromised container, ATMZOW swiftly introduced replacements, demonstrating their adaptability.
Conclusion and Future Outlook
The ongoing evolution of the Magecart group’s tactics highlights the need for vigilance among website operators and consumers alike. The complexity of these attacks necessitates advanced security measures to detect and mitigate threats effectively.
As attackers continue to refine their methods, it is crucial for e-commerce platforms and their users to stay informed about emerging threats and adapt their defenses accordingly. Regular security audits and monitoring of GTM scripts can help protect against these sophisticated skimming operations.
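One concrete form such a GTM audit can take is shown below. This is an added example, not code from the article or from Sucuri: it scans a page's HTML for every GTM container ID it loads, compares them against an allowlist of containers the site actually owns, and lists third-party script hosts that are neither the site itself nor googletagmanager.com. The sample page, the allowlist entry GTM-ABC1234 and the lookalike host are constructed for this example; GTM-WJV6J6 is the rogue container named in the article.

```python
import re
from typing import List, Set
from urllib.parse import urlparse

# Constructed sample page: the site's own GTM snippet, a second script tag
# pulling the rogue container reported in the article, and a third-party
# script from an analytics-style lookalike host.
SAMPLE_HTML = """
<script>(function(w,d,s,l,i){/* standard GTM snippet */})(window,document,'script','dataLayer','GTM-ABC1234');</script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-WJV6J6"></script>
<script src="https://analytics-example.invalid/stat.js"></script>
"""

# Hypothetical allowlist: container IDs the site's marketing team actually owns.
APPROVED_CONTAINERS: Set[str] = {"GTM-ABC1234"}
# Hypothetical first-party host; scripts served from here are not flagged.
OWN_HOST = "shop.example.invalid"

GTM_ID_RE = re.compile(r"GTM-[A-Z0-9]{4,10}")
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def find_gtm_containers(html: str) -> Set[str]:
    """Every GTM container ID referenced, via inline snippet or gtm.js?id= tag."""
    return set(GTM_ID_RE.findall(html))


def unapproved_containers(html: str, approved: Set[str]) -> List[str]:
    """Container IDs loaded by the page that the site does not own."""
    return sorted(find_gtm_containers(html) - approved)


def _is_gtm_host(host: str) -> bool:
    return host == "googletagmanager.com" or host.endswith(".googletagmanager.com")


def unexpected_script_hosts(html: str, own_host: str) -> List[str]:
    """Hosts of external <script src> tags other than the site and GTM itself."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and host != own_host and not _is_gtm_host(host):
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    print("unapproved containers:", unapproved_containers(SAMPLE_HTML, APPROVED_CONTAINERS))
    print("unexpected script hosts:", unexpected_script_hosts(SAMPLE_HTML, OWN_HOST))
```

Run against a fetched copy of each checkout page on a schedule and alert on any non-empty result; a newly appearing container ID is the signal this campaign leaves behind.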
