Google Tag Manager Used to Inject Web Skimmers on E-Commerce Sites
Analysts at Recorded Future have discovered that hackers are using Google Tag Manager (GTM) containers to inject electronic skimmers, which then steal credit card data and personal information from customers on e-commerce websites.
GTM is used on thousands of sites to collect various metrics, track customers, and for other marketing purposes. GTM uses containers to embed JavaScript and other resources on websites, and criminals have learned to hide malicious scripts inside GTM containers, allowing them to steal shoppers’ personal information.
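Because the only thing a container contributes to page source is a loader tagged with its container id, one cheap defensive check is to extract every GTM container id referenced on a page and flag any id that is not on the site's own allowlist. The script below is an added example (not from the Recorded Future report); the HTML sample, the container ids and the allowlist are constructed for illustration.

```python
import re

# Constructed sample page: the standard GTM loader snippet plus its <noscript>
# fallback for one expected container, and a second, unexpected container loaded
# via a plain <script> tag (the kind of addition an allowlist check should catch).
SAMPLE_HTML = """
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-ABC1234');</script>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-ABC1234"></iframe></noscript>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ZZ9999X"></script>
"""

# The two places a container id shows up in page source:
#  1. as the ?id= parameter of gtm.js / ns.html loader URLs
#  2. as the last string argument of the standard loader snippet
GTM_ID_PATTERNS = [
    re.compile(r"googletagmanager\.com/(?:gtm\.js|ns\.html)\?id=(GTM-[A-Z0-9]+)"),
    re.compile(r"['\"](GTM-[A-Z0-9]+)['\"]\s*\)"),
]


def extract_gtm_ids(html: str) -> set:
    """Return every GTM container id referenced anywhere in the HTML."""
    found = set()
    for pattern in GTM_ID_PATTERNS:
        found.update(pattern.findall(html))
    return found


def unexpected_containers(html: str, allowlist: set) -> set:
    """Container ids present on the page but absent from the site's allowlist."""
    return extract_gtm_ids(html) - set(allowlist)


if __name__ == "__main__":
    # Allowlist of containers this (hypothetical) shop actually provisioned.
    known = {"GTM-ABC1234"}
    for container in sorted(unexpected_containers(SAMPLE_HTML, known)):
        print(f"unexpected GTM container on page: {container}")
```

An unknown id is only one signal: a skimmer placed inside a container the site legitimately uses will pass this check, so the tags and custom HTML inside allowlisted containers still need to be reviewed in the GTM console.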
In total, researchers found 569 e-commerce domains infected with web skimmers. According to the report, 314 of these were confirmed to be infected with GTM skimmers, while another 255 were sending stolen data to malicious domains associated with GTM abuse.
As of August 25, 2022, nearly 90 of these domains were still infected, and researchers say that, on average, it takes administrators more than three months to remediate the breach.
“Currently, data from more than 165,000 payment cards belonging to victims of attacks linked to GTM containers are being sold on card shops in the dark web,” the researchers wrote. “The total number of payment cards compromised via GTM web skimmers is likely even higher.”
Experts note that, based on discussions in the dark web, GTM abuse began as early as 2018 and was already in use by several hacker groups at that time.
“We first reported on GTM abuse in a 2021 report, and GTM continues to be actively exploited to this day. In some cases, the same malicious GTM buckets reported last year are still being used. We believe that GTM exploitation will persist unless Google fixes the issue and implements active scanning to detect skimmer payloads inside GTM buckets,” the experts stated.
Recorded Future began tracking the exploitation of three variants of GTM skimmers back in March 2021 and notes that new infected domains have appeared every month since then.
Details on the Skimmer Variants
The first and third skimmer variants share certain similarities, suggesting they were created by the same hackers, who regularly update their tools to avoid detection.
“All three variants use separate skimmer scripts and domains to extract data. All three variants are currently being used in active infections and were deployed to infect new domains in August 2022, meaning all three pose a risk to e-commerce sites and their customers,” the researchers said.
The researchers also note that the attackers are not targeting only “high-value” domains with over a million monthly visitors: some of the attacked sites had as few as 10,000 visitors.
Most of the affected sites are based in the United States, accounting for over 66% of infections. Others were found in Canada, the United Kingdom, Argentina, India, Italy, Australia, Brazil, Greece, Indonesia, and other countries.