Google tool for e-commerce sites abused by hackers who steal card data, personal information

According to a new report from Recorded Future, hackers are abusing Google’s Tag Manager (GTM) containers to install malicious e-skimmers that steal payment card data and personally identifiable information from shoppers on e-commerce sites.

Thousands of e-commerce sites use Google Tag Manager containers for data on website usage metrics, customer tracking, and for marketing purposes.

But experts at Recorded Future have found three prominent variants of malicious scripts that cybercriminals hide in GTM containers in order to exfiltrate buyers’ personal information.

“As of this writing, over 165,000 payment card records attributed to victims of abusive GTM container attacks have been posted to dark online card stores,” the researchers said. “The total number of payment cards compromised via GTM-based e-skimmers is likely higher.” The Record is an independent editorial unit of Recorded Future.

Researchers found 569 e-commerce domains infected with e-skimmers. According to the report, 314 were confirmed to have been infected with a GTM-based e-skimmer variant while 255 had infections that exfiltrated stolen data to malicious domains associated with GTM abuse.

Nearly 90 of these e-commerce domains were still infected as of August 25, and on average the researchers found that it took more than three months for the infections to be fixed.

Image: Recorded Future

Stas Alforov, director of fraud research at Recorded Future, said that based on dark web conversations, GTM abuse dates back to 2018 and has been used by a variety of cybercriminals.

“We first highlighted the use of GTM in a report in 2021, and it has continued to be actively used to this day, in some cases still using the same malicious GTM buckets made public last year,” Alforov said. “As such, we believe that GTM usage will remain unchanged unless Google addresses this by implementing active scanning of skimmer payloads inside GTM-hosted buckets.”

Google did not respond to requests for comment, but in 2016 the company launched automated malware detection for GTM containers to combat abuse. Hackers quickly circumvented that detection and went on to use GTM containers to install cryptojackers, according to The Register.

Cybersecurity firm Sucuri has also previously found “rogue” advertisements placed on websites through alleged abuse of GTM containers.

By abusing a legitimate tool like GTM, hackers can evade security software that often does not scan GTM containers, since website administrators usually whitelist trusted source domains, especially Google’s.

Recorded Future said it began tracking the three GTM-based e-skimmer variants in March 2021 and has observed newly infected e-commerce domains every month since then.

The first and third variants found by the researchers share similarities that suggest the same cybercriminals may be using both, indicating that the hackers are updating their tools to avoid detection.

“All 3 variants use separate e-skimmer scripts and exfiltration domains. All 3 variants are currently in use for active infections and were deployed to infect new e-commerce domains in August 2022, indicating that the 3 variants pose an active risk to e-commerce websites and their customers – and by extension, to financial institutions and card networks,” the researchers said.

When the researchers examined the attacks, they found that the hackers did not exclusively target “high-value” e-commerce domains with over one million monthly visitors. Some of the sites that were abused only saw around 10,000 visitors per month.

Most of the infected websites are based in the United States, which accounts for over 66% of infections. The others were based in Canada, the UK, Argentina, India, Italy, Australia, Brazil, Greece, Indonesia and elsewhere.

Alforov said it was common for malicious actors to abuse a wide variety of legitimate web services and platforms, citing previous attacks on Google’s analytics service.

“We were surprised to see the abuse of GTM containers given the previous abuse of Google Analytics,” Alforov explained. “Also, the use of similar domains in some of the variants was odd because most large companies use lookalike detection and remediation activities for security and brand protection reasons.”

Recorded Future suggested that e-commerce sites perform a full scan of the files used in their web pages to detect any unauthorized modification.

Image: Recorded Future

According to the researchers, hackers are likely to continue to take advantage of these publicly available, and often free, services in an effort to keep infections going.

This type of abuse also allows hackers to avoid detection and remain anonymous, the report adds.

“As security tools can be configured to conserve resources by whitelisting files hosted on ‘trusted’ source domains, this same optimization may fail for e-commerce websites, leaving websites open to exploitation and persistent infection by malicious files,” the researchers said.

“Abuse of GTM containers also allows threat actors to update Magecart campaign infrastructure and software without needing to access the victimized server.”
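A defender-side check covering the two points above, added here as an example that is not from the Recorded Future report or from The Record: it flags any GTM container ID a page loads that the site owner never provisioned (whitelisting googletagmanager.com as a domain would let such a container through, since the host is the same) and compares deployed files against a baseline of SHA-256 digests, which is the kind of full-file scan the researchers recommend. The sample page, the container IDs and the approved list are all constructed for this example.

```python
from __future__ import annotations
import hashlib
import re

# Constructed sample checkout page: it loads the site's own GTM container and,
# in the footer, a second container that the site owner never set up.
SAMPLE_HTML = """<html><head>
<script>(function(w,d,s,l,i){/* GTM loader snippet */})(window,document,'script','dataLayer','GTM-AAAA111');</script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-AAAA111"></script>
</head><body>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ZZZZ999"></script>
</body></html>"""

# Container IDs the site owner actually provisioned (assumed for this example).
APPROVED_CONTAINERS = {"GTM-AAAA111"}

# GTM container IDs take the form GTM-XXXXXXX (upper-case letters and digits).
GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")


def find_gtm_containers(html: str) -> set[str]:
    """Every GTM container ID referenced in the page source, whether through the
    inline loader snippet or a direct gtm.js?id= script tag."""
    return set(GTM_ID_RE.findall(html))


def unapproved_containers(html: str, approved: set[str]) -> set[str]:
    """Container IDs present on the page that the site owner did not provision.
    The check keys on the container ID, not on the (trusted) hosting domain."""
    return find_gtm_containers(html) - approved


def file_digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def modified_files(current: dict[str, bytes], baseline: dict[str, str]) -> list[str]:
    """Paths whose SHA-256 digest differs from the baseline manifest, plus any
    file that is absent from the baseline (a newly dropped file is also a change)."""
    return [path for path, content in sorted(current.items())
            if baseline.get(path) != file_digest(content)]


if __name__ == "__main__":
    print("unapproved GTM containers:", unapproved_containers(SAMPLE_HTML, APPROVED_CONTAINERS))
    baseline = {"checkout.html": file_digest(b"<html>original checkout page</html>")}
    print("modified files:", modified_files({"checkout.html": SAMPLE_HTML.encode()}, baseline))
```

Run against a live site, the baseline manifest would be generated from a known-good deployment and the approved set taken from the site's own GTM account, so that a container ID appearing from anywhere else is reported regardless of which domain served it.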

Jonathan has worked around the world as a journalist since 2014. Before returning to New York, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.