Gemini company logo
Blog

Magecart Groups Abuse Google Tag Manager

Magecart Groups Abuse Google Tag Manager

12/06/2021

Key Findings

  • Gemini analysts have identified 316 e-commerce sites worldwide infected with trojanized Google Tag Manager (GTM) containers as part of an ongoing Magecart campaign. This tactic has become increasingly popular this year.
  • The abuse of this legitimate Google service is concerning because it provides threat actors free infrastructure upon which they can host their malicious scripts, while also granting enhanced capability to avoid detection.
  • The Magecart actors behind these attacks have posted at least 88,000 payment card records from these attacks to the dark web marketplaces. This aligns with the increasing interest in Card Not Present (CNP) e-skimming activity during the COVID-19 pandemic.
  • As the level of activity increases, so too does the level of effort to mask the activity from automated scanners and security researchers. The use of a legitimate service offers an excellent opportunity to hide malicious scripts and thus maintain a foothold on victimized e-commerce sites.

Background

Gemini analysts continue to identify Magecart campaigns that target numerous e-commerce sites worldwide. Since February 4, 2021, analysts have observed 316 e-commerce sites infected with trojanized Google Tag Manager (GTM) containers. This technique capitalizes on the ability to place JavaScript within the GTM container. Gemini has observed two variants that abuse GTM containers: one that embeds the malicious e-skimmer script in the container and another that uses the container to download the actual e-skimmer script from a separate dual-use domain.

The abuse of this legitimate Google service is concerning because it provides threat actors free infrastructure upon which they can host their scripts, while also granting enhanced capability to avoid detection. The Magecart actors behind these attacks have posted at least 88,000 payment card records from these attacks to the dark web markets.

Magecart attacks abusing Google services have become increasingly popular since 2020. This tactic offers discretion to hackers since Google is legitimate and widely used, so many security policies automatically trust its data. In June 2020, a Google spokesperson claimed to be searching for unauthorized uses of Google Analytics products to suspend, although the scale of the abuse often outpaces preventative security policies. Smaller e-commerce shops are the most common target since they often lack the resources or interest to design robust security systems.

In-Depth Analysis

GTM Container Abuse

The GTM platform provides web authors a means to update measurement codes and other code fragments on their websites or mobile applications. The GTM website (tagmanager.google.com) provides a web-based interface to create and manage GTM containers. GTM containers provide a perfect malware delivery system ripe for abuse by Magecart actors because:

  • JavaScript can be embedded inside GTM containers and is executed when a browser loads the link to a container
  • The typically legitimate use of GTM containers means that web application firewalls (WAFs) often do not block web traffic from GTM containers
  • Malicious payloads hidden within GTM containers can avoid detection by security software

Gemini has recently observed two variations of Magecart e-skimming attacks conducted through the abuse of GTM containers. The first variant, discovered in March 2021, embeds e-skimmer JavaScript directly into the GTM container. Gemini has identified 201 victims of this attack to date.

The second variant, observed in February 2021, uses a single GTM container across all victims, and this container houses a script that loads the actual e-skimmer script from a separate dual-use domain (a domain used to both host e-skimmer scripts and receive exfiltrated payment card data). Gemini found seven malicious dual-use domains that have been used with this container.

Gemini has identified more than 88,000 stolen payment card records linked to these two GTM variants. They were posted to a single top-tier dark web CNP marketplace. Due to the large number of victims, additional records from both campaigns will likely continue to appear on this marketplace.

Variant 1: e-Skimmer Embedded in GTM Container 

Overview and Impact

Gemini discovered 201 e-commerce sites infected with Magecart e-skimmers hosted within GTM containers since March 2021. The script within most of these GTM containers collects identifiers and data from HTML input, select, and textarea elements; encodes this information with base64; and sends it to an exfiltration URL. The exfiltration URLs were hosted on domains masquerading as Google sites through the use of typosquatting and top-level domain (TLD) substitution (e.g., using .net versus .com). The vast majority of websites infected with this variant of GTM e-skimmer were hosted in the United States. The top five victims of this attack variant (by Alexa Rank) are listed in the table below.

e-Commerce Site Country Alexa Rank
mooseknucklescanada.com Canada 74,439
nunababy.com Germany 87,210
flashingblinkylights.com United States 87,525
pfiwestern.com United States 89,803
baytonia.com Saudi Arabia 94,285

Image 1: Chart showing distribution of victims by web host country.

A majority of the victims were based on the Magento platform, with version 2 being the most common. Magento has historically been a very popular target for Magecart attacks; Gemini has previously reported that 85% of the “Keeper” Magecart group’s victims used Magento. As the Magento model favors installation and management of the e-commerce site on the merchant’s own infrastructure, security and updating also falls on the merchant’s information technology (IT) team. Many of these small merchants do not have dedicated IT personnel, which often results in unpatched systems that are vulnerable to compromise. These systems are also less likely to see security scans that would likely identify vulnerabilities and infections.

Image 2: Chart showing distribution of victims by e-commerce platform.

Indicators of Compromise

The e-commerce sites infected with the first variant that Gemini initially analyzed had Magecart e-skimmers hosted in GTM containers with scripts that collected identifiers and data from HTML input, select, and textarea elements. This information was base64-encoded and then sent to exfiltration URLs hosted on domains masquerading as Google sites through typosquatting and TLD substitution. The images below include the indicators of compromise in these attacks.

Image 3: Screenshot of a loader script injected into a victim e-commerce site (Woodshop Products’ site selling Mohawk Wood goods) being used to construct and load the URL for a container hosted on GTMr.

In the screenshot above, Magecart actors injected a script tag containing the loader for the GTM container e-skimmer. The script constructs the full GTM URL and uses it to retrieve the container.

Image 4: Screenshot of the e-skimmer script embedded in the GTM container.

The e-skimmer source code is hidden within the GTM container. The image above highlights key elements of the e-skimmer JavaScript, namely (top to bottom): the setting of the form action to the exfiltration URL; the routine that finds and collects information from input, select, and textarea elements; and the checkout URL trigger #payment_form_payflowpro used to initiate the e-skimmer routine.

Image 5: Screenshot of network traffic showing the e-skimmer script sending stolen form data to the exfiltration URL.

Image 5 shows the HTTP traffic generated by the e-skimmer when a cardholder invokes the checkout routine on an infected e-commerce site. The highlighted box on the left of the image shows the structure of the HTTP POST sent to the exfiltration URL (googleadwordstrack[.]com). The two boxes on the right of the image show the encoded and decoded versions of the stolen data.

Analysts identified six exfiltration domains used by the e-skimmers that were implanted into GTM containers. The first seen dates reflect the earliest known date of infection for websites set to communicate to the respective exfiltration domain. All six exfiltration domains are currently being used for active infections.

Exfiltration Domain Infected Victim Domains Infection First Seen Date Infection Last Seen Date
googleadwordstrack[.]com 77 03/17/2021 11/09/2021
googletrackevent[.]com 53 03/17/2021 11/09/2021
googleadwordswidget[.]com 26 03/17/2021 11/09/2021
googletagstorage[.]com 21 03/30/2021 11/09/2021
googletagswidget[.]com 17 08/24/2021 11/09/2021
googletagwidgets[.]com 7 08/27/2021 11/09/2021

Analysis revealed that 201 e-commerce domains sent stolen data to the above exfiltration domains.

Variant 2: GTM Container Uses Dual-Use Domain

Gemini discovered a second GTM container exploitation technique in May 2021, wherein the Magecart actors used a single GTM container (GTM-5SF293J) to infect 85 e-commerce domains. This external domain operates as a dual-use domain, which means that it is responsible for both hosting the e-skimmer script (e-skimmer domain) and receiving exfiltrated data (exfiltration domain). The United States was also the top host country for victims of the GTM container variant using this dual-use domain technique. The top five victims of this attack variant (by Alexa Rank) are listed in the table below.

e-Commerce Site Host Country Alexa Rank
nwzonline.de Germany 37,269
binisilvia.com Italy 57,264
souqtime.com United Arab Emirates 78,172
cobbtuning.com United States 91,629
beatrizfranck.com Angola 178,687

Image 6: Chart showing distribution of victims by web host country for those countries with two or more victims. France, Indonesia, South Africa, Canada, Pakistan, Thailand, Belgium, Cyprus, Vietnam, the Philippines, Angola, Malaysia, and Romania each had one victim.

A majority of the victims were based on the Magento platform, with version 2 being the most common.

Image 7: Chart showing distribution of victims by e-commerce platform.

Indicators of Compromise

In this dual-use domain variant, the single GTM container houses an obfuscated script that ultimately loads an e-skimmer script from an external domain. Since the external domain is a dual-use domain, it both hosts the e-skimmer script and receives exfiltrated data. Notably, over the past eight months, the actors have repeatedly replaced the specific dual-use domain housed in the container with a new domain, enabling the actors to update the e-skimmer scripts affecting all victims without directly accessing the infected sites or modifying a large set of separate GTM containers.

Analysts originally found 85 domains where this infection technique was used, and have since discovered an additional 30 victim domains. There have been a total of 115 known victims of this variant to date.

Image 8: Screenshot of a loader script injected into a victim e-commerce site (501 Parts.com) being used to construct and load the URL for a container hosted on GTM. 

Similar to Variant 1 in which the e-skimmer script is embedded in the GTM container, the Magecart actors inject a script tag containing the loader for the GTM container e-skimmer into the infected pages. The script constructs the full GTM URL and uses it to retrieve the container. However, in contrast to Variant 1, the GTM containers used for Variant 2 do not contain the actual e-skimmer script but instead contain scripts that load the e-skimmer from a dual-use domain.

Image 9: Screenshot of GTM container with the URL that hosts the e-skimmer script highlighted.

Image 10: Screenshot of GTM container that obfuscates the URL used to host the e-skimmer script.

As can be seen in Image 9, the variable vtp_html, within the tags section, holds an HTML <script> element that asynchronously loads the URL (statcs[.]com/favicon) from the dual-use domain that hosts the actual e-skimmer script. In Image 10, the variable vtp_html also holds a <script> element, but this version is more complex as it uses a deobfuscation routine on a set of variables to reconstruct the URL (ganalitis[.]com/refresh). Both variants of vtp_html result in the loading of the JavaScript in Image 11.

Image 11: Screenshot of the JavaScript loaded upon execution of the script link housed in the GTM container.

Analysts captured a sample of the payment form data being sent to the dual-use URL over the WebSocket connection. As the script encodes the data via base64 prior transmission, the listing below has been decoded for viewability.

{“info”:”null=4&form_key=il1y7byeHKLsNxTu&captcha_form_id=user_login&context=checkout&username=john.doe@email.com&captcha_form_id=user
_login&context=checkout&firstname=John&lastname=Doe&company=Trump%20Tower&street%5B0%5D=725%205th%20Ave&city=New%20York&region
_id=43&postcode=10022&country_id=US&telephone=+12123361440&ko_unique_13=freeshipping_freeshipping&ko_unique_14=flatrate_flatrate&ko_
unique_15=usps_3&ko_unique_16=ups_02&ko_unique_17=ups_01&form_key=il1y7byeHKLsNxTu&captcha_form_id=payment_processing_request&
payment%5Bmethod%5D=authorizenet_directpost&billing-address-same-as-shipping=on&country_id=US&payment%5Bcc_type%5D=MC&payment%
5Bcc_number%5D=5555555555555557&payment%5Bcc_exp_month%5D=5&payment%5Bcc_exp_year%5D=2025&payment%5Bcc_cid%5D=563&
payment%5Bmethod%5D=paypal_express&=Apply%20Discount&captcha_form_id=sales_rule_coupon_request&captcha_form_id=user_login&context=
checkout&”,”hostname”:”nelsonuniform_com”,”key”:”1620313981929-818276572″}

As noted above, the Magecart actors behind this attack have changed the dual-use domain housed in the GTM container six times during the analysis window. The actors used the dual-use domains listed below, with the URL on ganalitis[.]com being the currently active variant.

Dual-Use URL Dual-Use Domain Domain Creation Datetime
hxxps://www[.]ganalitis[.].com/refresh ganalitis[.]com 2021-10-21T11:05:05Z
hxxps://www[.]ganalitics[.].com/favicon ganalitics[.]com 2021-06-03T12:17:07Z
hxxps://www[.]gstatcs[.]com/favicon gstatcs[.]com 2021-04-15T13:53:05Z
hxxps://webfaset[.]com/str[.]css webfaset[.]com 2021-04-13T10:46:06Z
hxxps://fountm[.]online/str[.]css fountm[.]online 2021-04-07T09:13:51Z
hxxps://pixupjqes[.]tech/str[.]css pixupjqes[.]tech 2021-04-05T07:08:10Z
hxxps://jqwereid[.]online/str[.]css jqwereid[.]online 2021-03-26T08:08:14Z

Separate Variants, Separate Magecart Groups?

Although the two GTM container variants involve similar tactics—storing e-skimmers within GTM containers or housing scripts in GTM containers that load e-skimmers from dual-use domains—analysis of the two variants suggest that two different Magecart groups are responsible for each variant.

Gemini has attributed all of the infections associated with Variant 1 (storing e-skimmers within GTM containers) to a single Magecart group because all of the infections:

  • Use the exact same e-skimmer script and unobfuscated loader scripts
  • Place the injected scripts in a similar location on victimized e-commerce sites
  • Send stolen data to one of six exfiltration domains with domain names that all use the term “google” combined with legitimate-appearing text (“tagstorage”, “trackevent”, etc.)

Gemini has attributed all of the infections associated with Variant 2 (housing scripts in GTM containers that load e-skimmers from dual-use domains) to a separate Magecart group because all of the infections:

  • Use the same GTM container (actors have swapped out the dual-use domain associated with the GTM container six times, but the GTM container has remained constant)
  • Transfer data via WebSocket connections
  • Use the exact same e-skimmer script (but different than Variant 1 script)

It appears highly likely that the two contemporaneous variants are used by two different Magecart groups because they use different e-skimmer scripts, exfiltration domains, and only Variant 2 employs WebSocket connections.

Conclusion

The shift to e-commerce due to the COVID-19 pandemic has increased interest in CNP e-skimming activity. As the level of activity increases, so too does the level of effort to mask the activity from automated scanners and security researchers. The use of a legitimate service offers an excellent opportunity to hide malicious scripts and thus maintain a foothold on victimized e-commerce sites.

The GTM container e-skimmer variant utilized a simple “grab everything” approach to collecting data from web forms and attempted to mask its data exfiltration by using familiar domain names. Once infected with either of the GTM variants, malicious actors are afforded the ability to modify their attack infrastructure without being required to access the victim server. This offers a significant means for remaining undetected when changes are required due to issues such as defects in the skimmer and remediation of secondary loaders or exfiltration URLs.

Despite the fact that two separate groups appear responsible for each variant, the vast majority of payment card records that are stolen with either GTM container variant have later been offered for sale on the above-mentioned top-tier CNP marketplace.

Gemini Advisory Mission Statement

Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.

Choose your region:

Choose your state:

Book a Demo
This website uses cookies

We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services

Allow all cookies