Gemini analysts have identified 316 e-commerce sites worldwide infected with trojanized Google Tag Manager (GTM) containers as part of an ongoing Magecart campaign. This tactic has become increasingly popular this year.
The abuse of this legitimate Google service is concerning because it provides threat actors free infrastructure upon which they can host their malicious scripts, while also granting enhanced capability to avoid detection.
The Magecart actors behind these attacks have posted at least 88,000 payment card records from these attacks to the dark web marketplaces. This aligns with the increasing interest in Card Not Present (CNP) e-skimming activity during the COVID-19 pandemic.
As the level of activity increases, so too does the level of effort to mask the activity from automated scanners and security researchers. The use of a legitimate service offers an excellent opportunity to hide malicious scripts and thus maintain a foothold on victimized e-commerce sites.
The abuse of this legitimate Google service is concerning because it provides threat actors free infrastructure upon which they can host their scripts, while also granting enhanced capability to avoid detection. The Magecart actors behind these attacks have posted at least 88,000 payment card records from these attacks to the dark web markets.
Magecart attacks abusing Google services have become increasingly popular since 2020. This tactic offers discretion to hackers since Google is legitimate and widely used, so many security policies automatically trust its data. In June 2020, a Google spokesperson claimed to be searching for unauthorized uses of Google Analytics products to suspend, although the scale of the abuse often outpaces preventative security policies. Smaller e-commerce shops are the most common target since they often lack the resources or interest to design robust security systems.
GTM Container Abuse
The GTM platform provides web authors a means to update measurement codes and other code fragments on their websites or mobile applications. The GTM website (tagmanager.google.com) provides a web-based interface to create and manage GTM containers. GTM containers provide a perfect malware delivery system ripe for abuse by Magecart actors because:
The typically legitimate use of GTM containers means that web application firewalls (WAFs) often do not block web traffic from GTM containers
Malicious payloads hidden within GTM containers can avoid detection by security software
The second variant, observed in February 2021, uses a single GTM container across all victims, and this container houses a script that loads the actual e-skimmer script from a separate dual-use domain (a domain used to both host e-skimmer scripts and receive exfiltrated payment card data). Gemini found seven malicious dual-use domains that have been used with this container.
Gemini has identified more than 88,000 stolen payment card records linked to these two GTM variants. They were posted to a single top-tier dark web CNP marketplace. Due to the large number of victims, additional records from both campaigns will likely continue to appear on this marketplace.
Variant 1: e-Skimmer Embedded in GTM Container
Overview and Impact
Gemini discovered 201 e-commerce sites infected with Magecart e-skimmers hosted within GTM containers since March 2021. The script within most of these GTM containers collects identifiers and data from HTML input, select,and textarea elements; encodes this information with base64; and sends it to an exfiltration URL. The exfiltration URLs were hosted on domains masquerading as Google sites through the use of typosquatting and top-level domain (TLD) substitution (e.g., using .net versus .com). The vast majority of websites infected with this variant of GTM e-skimmer were hosted in the United States. The top five victims of this attack variant (by Alexa Rank) are listed in the table below.
Image 1: Chart showing distribution of victims by web host country.
A majority of the victims were based on the Magento platform, with version 2 being the most common. Magento has historically been a very popular target for Magecart attacks; Gemini has previously reported that 85% of the “Keeper” Magecart group’s victims used Magento. As the Magento model favors installation and management of the e-commerce site on the merchant’s own infrastructure, security and updating also falls on the merchant’s information technology (IT) team. Many of these small merchants do not have dedicated IT personnel, which often results in unpatched systems that are vulnerable to compromise. These systems are also less likely to see security scans that would likely identify vulnerabilities and infections.
Image 2: Chart showing distribution of victims by e-commerce platform.
Indicators of Compromise
The e-commerce sites infected with the first variant that Gemini initially analyzed had Magecart e-skimmers hosted in GTM containers with scripts that collected identifiers and data from HTML input, select,and textarea elements. This information was base64-encoded and then sent to exfiltration URLs hosted on domains masquerading as Google sites through typosquatting and TLD substitution. The images below include the indicators of compromise in these attacks.
Image 3: Screenshot of a loader script injected into a victim e-commerce site (Woodshop Products’ site selling Mohawk Wood goods) being used to construct and load the URL for a container hosted on GTMr.
In the screenshot above, Magecart actors injected a script tag containing the loader for the GTM container e-skimmer. The script constructs the full GTM URL and uses it to retrieve the container.
Image 4: Screenshot of the e-skimmer script embedded in the GTM container.
Image 5: Screenshot of network traffic showing the e-skimmer script sending stolen form data to the exfiltration URL.
Image 5 shows the HTTP traffic generated by the e-skimmer when a cardholder invokes the checkout routine on an infected e-commerce site. The highlighted box on the left of the image shows the structure of the HTTP POST sent to the exfiltration URL (googleadwordstrack[.]com). The two boxes on the right of the image show the encoded and decoded versions of the stolen data.
Analysts identified six exfiltration domains used by the e-skimmers that were implanted into GTM containers. The first seen dates reflect the earliest known date of infection for websites set to communicate to the respective exfiltration domain. All six exfiltration domains are currently being used for active infections.
Infected Victim Domains
Infection First Seen Date
Infection Last Seen Date
Analysis revealed that 201 e-commerce domains sent stolen data to the above exfiltration domains.
Variant 2: GTM Container Uses Dual-Use Domain
Gemini discovered a second GTM container exploitation technique in May 2021, wherein the Magecart actors used a single GTM container (GTM-5SF293J) to infect 85 e-commerce domains. This external domain operates as a dual-use domain, which means that it is responsible for both hosting the e-skimmer script (e-skimmer domain) and receiving exfiltrated data (exfiltration domain). The United States was also the top host country for victims of the GTM container variant using this dual-use domain technique. The top five victims of this attack variant (by Alexa Rank) are listed in the table below.
Image 6: Chart showing distribution of victims by web host country for those countries with two or more victims. France, Indonesia, South Africa, Canada, Pakistan, Thailand, Belgium, Cyprus, Vietnam, the Philippines, Angola, Malaysia, and Romania each had one victim.
A majority of the victims were based on the Magento platform, with version 2 being the most common.
Image 7: Chart showing distribution of victims by e-commerce platform.
Indicators of Compromise
In this dual-use domain variant, the single GTM container houses an obfuscated script that ultimately loads an e-skimmer script from an external domain. Since the external domain is a dual-use domain, it both hosts the e-skimmer script and receives exfiltrated data. Notably, over the past eight months, the actors have repeatedly replaced the specific dual-use domain housed in the container with a new domain, enabling the actors to update the e-skimmer scripts affecting all victims without directly accessing the infected sites or modifying a large set of separate GTM containers.
Analysts originally found 85 domains where this infection technique was used, and have since discovered an additional 30 victim domains. There have been a total of 115 known victims of this variant to date.
Image 8: Screenshot of a loader script injected into a victim e-commerce site (501 Parts.com) being used to construct and load the URL for a container hosted on GTM.
Similar to Variant 1 in which the e-skimmer script is embedded in the GTM container, the Magecart actors inject a script tag containing the loader for the GTM container e-skimmer into the infected pages. The script constructs the full GTM URL and uses it to retrieve the container. However, in contrast to Variant 1, the GTM containers used for Variant 2 do not contain the actual e-skimmer script but instead contain scripts that load the e-skimmer from a dual-use domain.
Image 9: Screenshot of GTM container with the URL that hosts the e-skimmer script highlighted.
Image 10: Screenshot of GTM container that obfuscates the URL used to host the e-skimmer script.
Analysts captured a sample of the payment form data being sent to the dual-use URL over the WebSocket connection. As the script encodes the data via base64 prior transmission, the listing below has been decoded for viewability.
As noted above, the Magecart actors behind this attack have changed the dual-use domain housed in the GTM container six times during the analysis window. The actors used the dual-use domains listed below, with the URL on ganalitis[.]com being the currently active variant.
Domain Creation Datetime
Separate Variants, Separate Magecart Groups?
Although the two GTM container variants involve similar tactics—storing e-skimmers within GTM containers or housing scripts in GTM containers that load e-skimmers from dual-use domains—analysis of the two variants suggest that two different Magecart groups are responsible for each variant.
Gemini has attributed all of the infections associated with Variant 1 (storing e-skimmers within GTM containers) to a single Magecart group because all of the infections:
Use the exact same e-skimmer script and unobfuscated loader scripts
Place the injected scripts in a similar location on victimized e-commerce sites
Send stolen data to one of six exfiltration domains with domain names that all use the term “google” combined with legitimate-appearing text (“tagstorage”, “trackevent”, etc.)
Gemini has attributed all of the infections associated with Variant 2 (housing scripts in GTM containers that load e-skimmers from dual-use domains) to a separate Magecart group because all of the infections:
Use the same GTM container (actors have swapped out the dual-use domain associated with the GTM container six times, but the GTM container has remained constant)
Transfer data via WebSocket connections
Use the exact same e-skimmer script (but different than Variant 1 script)
It appears highly likely that the two contemporaneous variants are used by two different Magecart groups because they use different e-skimmer scripts, exfiltration domains, and only Variant 2 employs WebSocket connections.
The shift to e-commerce due to the COVID-19 pandemic has increased interest in CNP e-skimming activity. As the level of activity increases, so too does the level of effort to mask the activity from automated scanners and security researchers. The use of a legitimate service offers an excellent opportunity to hide malicious scripts and thus maintain a foothold on victimized e-commerce sites.
The GTM container e-skimmer variant utilized a simple “grab everything” approach to collecting data from web forms and attempted to mask its data exfiltration by using familiar domain names. Once infected with either of the GTM variants, malicious actors are afforded the ability to modify their attack infrastructure without being required to access the victim server. This offers a significant means for remaining undetected when changes are required due to issues such as defects in the skimmer and remediation of secondary loaders or exfiltration URLs.
Despite the fact that two separate groups appear responsible for each variant, the vast majority of payment card records that are stolen with either GTM container variant have later been offered for sale on the above-mentioned top-tier CNP marketplace.
Gemini Advisory Mission Statement
Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.