# Magecart Groups Abuse Google Tag Manager

**geminiadvisory.io/magecart-google-tag-manager/**

12/06/2021

## Key Findings


December 6, 2021


Gemini analysts have identified 316 e-commerce sites worldwide infected with trojanized Google Tag Manager (GTM) containers as part
of an ongoing Magecart campaign. This tactic has become increasingly popular this year.
The abuse of this legitimate Google service is concerning because it provides threat actors free infrastructure upon which they can host
their malicious scripts, while also granting enhanced capability to avoid detection.
The Magecart actors behind these attacks have posted at least 88,000 payment card records from these attacks to the dark web
marketplaces. This aligns with the increasing interest in Card Not Present (CNP) e-skimming activity during the COVID-19 pandemic.
As the level of activity increases, so too does the level of effort to mask the activity from automated scanners and security researchers.
The use of a legitimate service offers an excellent opportunity to hide malicious scripts and thus maintain a foothold on victimized ecommerce sites.

## Background

Gemini analysts continue to identify Magecart campaigns that target numerous e-commerce sites worldwide. Since February 4, 2021, analysts
have observed 316 e-commerce sites infected with trojanized Google Tag Manager (GTM) containers. This technique capitalizes on the ability
to place JavaScript within the GTM container. Gemini has observed two variants that abuse GTM containers: one that embeds the malicious eskimmer script in the container and another that uses the container to download the actual e-skimmer script from a separate dual-use domain.

The abuse of this legitimate Google service is concerning because it provides threat actors free infrastructure upon which they can host their
scripts, while also granting enhanced capability to avoid detection. The Magecart actors behind these attacks have posted at least 88,000
payment card records from these attacks to the dark web markets.

[Magecart attacks abusing Google services have become increasingly popular since 2020. This tactic offers discretion to hackers since Google](https://arstechnica.com/information-technology/2020/06/google-analytics-trick-allows-crooks-to-hide-card-skimming/)
is legitimate and widely used, so many security policies automatically trust its data. In June 2020, a Google spokesperson claimed to be
searching for unauthorized uses of Google Analytics products to suspend, although the scale of the abuse often outpaces preventative security


-----

po c es S a e e co e ce s ops a e t e ost co o ta get s ce t ey o te ac t e esou ces o te est to des g obust secu ty
systems.

## In-Depth Analysis

**GTM Container Abuse**

The GTM platform provides web authors a means to update measurement codes and other code fragments on their websites or mobile
[applications. The GTM website (tagmanager.google.com) provides a web-based interface to create and manage GTM containers. GTM](https://tagmanager.google.com/)
containers provide a perfect malware delivery system ripe for abuse by Magecart actors because:

JavaScript can be embedded inside GTM containers and is executed when a browser loads the link to a container
The typically legitimate use of GTM containers means that web application firewalls (WAFs) often do not block web traffic from GTM
containers
Malicious payloads hidden within GTM containers can avoid detection by security software

Gemini has recently observed two variations of Magecart e-skimming attacks conducted through the abuse of GTM containers. The first
variant, discovered in March 2021, embeds e-skimmer JavaScript directly into the GTM container. Gemini has identified 201 victims of this
attack to date.

The second variant, observed in February 2021, uses a single GTM container across all victims, and this container houses a script that loads
the actual e-skimmer script from a separate dual-use domain (a domain used to both host e-skimmer scripts and receive exfiltrated payment
card data). Gemini found seven malicious dual-use domains that have been used with this container.

Gemini has identified more than 88,000 stolen payment card records linked to these two GTM variants. They were posted to a single top-tier
dark web CNP marketplace. Due to the large number of victims, additional records from both campaigns will likely continue to appear on this
marketplace.

**Variant 1: e-Skimmer Embedded in GTM Container**

**Overview and Impact**

Gemini discovered 201 e-commerce sites infected with Magecart e-skimmers hosted within GTM containers since March 2021. The script
within most of these GTM containers collects identifiers and data from HTML input, select, and textarea elements; encodes this information
with base64; and sends it to an exfiltration URL. The exfiltration URLs were hosted on domains masquerading as Google sites through the use
of typosquatting and top-level domain (TLD) substitution (e.g., using .net versus .com). The vast majority of websites infected with this variant
of GTM e-skimmer were hosted in the United States. The top five victims of this attack variant (by Alexa Rank) are listed in the table below.

**e-Commerce Site** **Country** **Alexa Rank**

[mooseknucklescanada.com](http://mooseknucklescanada.com/) Canada 74,439

[nunababy.com](http://nunababy.com/) Germany 87,210

[flashingblinkylights.com](http://flashingblinkylights.com/) United States 87,525

[pfiwestern.com](http://pfiwestern.com/) United States 89,803

[baytonia.com](http://baytonia.com/) Saudi Arabia 94,285

Image 1: Chart showing distribution of victims by web host country.

A majority of the victims were based on the Magento platform, with version 2 being the most common. Magento has historically been a very
[popular target for Magecart attacks; Gemini has previously reported that 85% of the “Keeper” Magecart group’s victims used Magento. As the](https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/?swcfpc=1)
Magento model favors installation and management of the e-commerce site on the merchant’s own infrastructure security and updating also


-----

a s o t e e c a t s o at o tec o ogy ( ) tea a y o t ese s a e c a ts do ot a e ded cated pe so e, c o te
results in unpatched systems that are vulnerable to compromise. These systems are also less likely to see security scans that would likely
identify vulnerabilities and infections.

Image 2: Chart showing distribution of victims by e-commerce platform.

**Indicators of Compromise**

The e-commerce sites infected with the first variant that Gemini initially analyzed had Magecart e-skimmers hosted in GTM containers with
scripts that collected identifiers and data from HTML input, select, and textarea elements. This information was base64-encoded and then sent
to exfiltration URLs hosted on domains masquerading as Google sites through typosquatting and TLD substitution. The images below include
the indicators of compromise in these attacks.

[Image 3: Screenshot of a loader script injected into a victim e-commerce site (Woodshop Products’ site selling Mohawk Wood goods) being](https://www.woodshopproducts.com/)
used to construct and load the URL for a container hosted on GTMr.

In the screenshot above, Magecart actors injected a script tag containing the loader for the GTM container e-skimmer. The script constructs
the full GTM URL and uses it to retrieve the container.

Image 4: Screenshot of the e-skimmer script embedded in the GTM container.

The e-skimmer source code is hidden within the GTM container. The image above highlights key elements of the e-skimmer JavaScript,
namely (top to bottom): the setting of the form action to the exfiltration URL; the routine that finds and collects information from input, select,
and textarea elements; and the checkout URL trigger #payment_form_payflowpro used to initiate the e-skimmer routine.


-----

Image 5: Screenshot of network traffic showing the e-skimmer script sending stolen form data to the exfiltration URL.

Image 5 shows the HTTP traffic generated by the e-skimmer when a cardholder invokes the checkout routine on an infected e-commerce site.
The highlighted box on the left of the image shows the structure of the HTTP POST sent to the exfiltration URL (googleadwordstrack[.]com).
The two boxes on the right of the image show the encoded and decoded versions of the stolen data.

Analysts identified six exfiltration domains used by the e-skimmers that were implanted into GTM containers. The first seen dates reflect the
earliest known date of infection for websites set to communicate to the respective exfiltration domain. All six exfiltration domains are currently
being used for active infections.

**Exfiltration Domain** **Infected Victim Domains** **Infection First Seen Date** **Infection Last Seen Date**

googleadwordstrack[.]com 77 03/17/2021 11/09/2021

googletrackevent[.]com 53 03/17/2021 11/09/2021

googleadwordswidget[.]com 26 03/17/2021 11/09/2021

googletagstorage[.]com 21 03/30/2021 11/09/2021

googletagswidget[.]com 17 08/24/2021 11/09/2021

googletagwidgets[.]com 7 08/27/2021 11/09/2021

Analysis revealed that 201 e-commerce domains sent stolen data to the above exfiltration domains.

**Variant 2: GTM Container Uses Dual-Use Domain**

Gemini discovered a second GTM container exploitation technique in May 2021, wherein the Magecart actors used a single GTM container
(GTM-5SF293J) to infect 85 e-commerce domains. This external domain operates as a dual-use domain, which means that it is responsible for
both hosting the e-skimmer script (e-skimmer domain) and receiving exfiltrated data (exfiltration domain). The United States was also the top
host country for victims of the GTM container variant using this dual-use domain technique. The top five victims of this attack variant (by Alexa
Rank) are listed in the table below.

**e-Commerce Site** **Host Country** **Alexa Rank**

[nwzonline.de](https://www.nwzonline.de/) Germany 37,269

[binisilvia.com](http://binisilvia.com/) Italy 57,264

[souqtime.com](http://souqtime.com/) United Arab Emirates 78,172

[cobbtuning.com](https://geminiadvisory.io/magecart-google-tag-manager/cobbtuning.com) United States 91,629

[beatrizfranck.com](http://beatrizfranck.com/) Angola 178,687


-----

Image 6: Chart showing distribution of victims by web host country for those countries with two or more victims. France, Indonesia, South
Africa, Canada, Pakistan, Thailand, Belgium, Cyprus, Vietnam, the Philippines, Angola, Malaysia, and Romania each had one victim.

A majority of the victims were based on the Magento platform, with version 2 being the most common.

Image 7: Chart showing distribution of victims by e-commerce platform.

**Indicators of Compromise**

In this dual-use domain variant, the single GTM container houses an obfuscated script that ultimately loads an e-skimmer script from an
external domain. Since the external domain is a dual-use domain, it both hosts the e-skimmer script and receives exfiltrated data. Notably, over
the past eight months, the actors have repeatedly replaced the specific dual-use domain housed in the container with a new domain, enabling
the actors to update the e-skimmer scripts affecting all victims without directly accessing the infected sites or modifying a large set of separate
GTM containers.

Analysts originally found 85 domains where this infection technique was used, and have since discovered an additional 30 victim domains.
There have been a total of 115 known victims of this variant to date.


-----

age 8 Sc ee s ot o a oade sc pt jected to a ct e co e ce s te (50 [a ts co](https://www.501parts.com/) ) be g used to co st uct a d oad t e U o a
container hosted on GTM.

Similar to Variant 1 in which the e-skimmer script is embedded in the GTM container, the Magecart actors inject a script tag containing the
loader for the GTM container e-skimmer into the infected pages. The script constructs the full GTM URL and uses it to retrieve the container.
However, in contrast to Variant 1, the GTM containers used for Variant 2 do not contain the actual e-skimmer script but instead contain scripts
that load the e-skimmer from a dual-use domain.

Image 9: Screenshot of GTM container with the URL that hosts the e-skimmer script highlighted.

Image 10: Screenshot of GTM container that obfuscates the URL used to host the e-skimmer script.

As can be seen in Image 9, the variable vtp_html, within the tags section, holds an HTML <script> element that asynchronously loads the URL
(statcs[.]com/favicon) from the dual-use domain that hosts the actual e-skimmer script. In Image 10, the variable vtp_html also holds a <script>
element, but this version is more complex as it uses a deobfuscation routine on a set of variables to reconstruct the URL
(ganalitis[.]com/refresh). Both variants of vtp_html result in the loading of the JavaScript in Image 11.

Image 11: Screenshot of the JavaScript loaded upon execution of the script link housed in the GTM container.

Analysts captured a sample of the payment form data being sent to the dual-use URL over the WebSocket connection. As the script encodes
the data via base64 prior transmission, the listing below has been decoded for viewability.

[{“info”:”null=4&form_key=il1y7byeHKLsNxTu&captcha_form_id=user_login&context=checkout&[email protected]email.com&captcha_form_id=use](https://geminiadvisory.io/cdn-cgi/l/email-protection)
_login&context=checkout&firstname=John&lastname=Doe&company=Trump%20Tower&street%5B0%5D=725%205th%20Ave&city=New%20Yor
_id=43&postcode=10022&country_id=US&telephone=+12123361440&ko_unique_13=freeshipping_freeshipping&ko_unique_14=flatrate_flatrate&
unique_15=usps_3&ko_unique_16=ups_02&ko_unique_17=ups_01&form_key=il1y7byeHKLsNxTu&captcha_form_id=payment_processing_requ
payment%5Bmethod%5D=authorizenet_directpost&billing-address-same-as-shipping=on&country_id=US&payment%5Bcc_type%5D=MC&paym
5Bcc_number%5D=5555555555555557&payment%5Bcc_exp_month%5D=5&payment%5Bcc_exp_year%5D=2025&payment%5Bcc_cid%5D=5
payment%5Bmethod%5D=paypal_express&=Apply%20Discount&captcha_form_id=sales_rule_coupon_request&captcha_form_id=user_login&co
checkout&”,”hostname”:”nelsonuniform com”,”key”:”1620313981929-818276572″}


-----

s oted abo e, t e ageca t acto s be d t s attac a e c a ged t e dua use do a oused t e G co ta e s t es du g t e
analysis window. The actors used the dual-use domains listed below, with the URL on ganalitis[.]com being the currently active variant.

**Dual-Use URL** **Dual-Use Domain** **Domain Creation Datetime**

hxxps://www[.]ganalitis[.].com/refresh ganalitis[.]com 2021-10-21T11:05:05Z

hxxps://www[.]ganalitics[.].com/favicon ganalitics[.]com 2021-06-03T12:17:07Z

hxxps://www[.]gstatcs[.]com/favicon gstatcs[.]com 2021-04-15T13:53:05Z

hxxps://webfaset[.]com/str[.]css webfaset[.]com 2021-04-13T10:46:06Z

hxxps://fountm[.]online/str[.]css fountm[.]online 2021-04-07T09:13:51Z

hxxps://pixupjqes[.]tech/str[.]css pixupjqes[.]tech 2021-04-05T07:08:10Z

hxxps://jqwereid[.]online/str[.]css jqwereid[.]online 2021-03-26T08:08:14Z

**Separate Variants, Separate Magecart Groups?**

Although the two GTM container variants involve similar tactics—storing e-skimmers within GTM containers or housing scripts in GTM
containers that load e-skimmers from dual-use domains—analysis of the two variants suggest that two different Magecart groups are
responsible for each variant.

Gemini has attributed all of the infections associated with Variant 1 (storing e-skimmers within GTM containers) to a single Magecart group
because all of the infections:

Use the exact same e-skimmer script and unobfuscated loader scripts
Place the injected scripts in a similar location on victimized e-commerce sites
Send stolen data to one of six exfiltration domains with domain names that all use the term “google” combined with legitimate-appearing
text (“tagstorage”, “trackevent”, etc.)

Gemini has attributed all of the infections associated with Variant 2 (housing scripts in GTM containers that load e-skimmers from dual-use
domains) to a separate Magecart group because all of the infections:

Use the same GTM container (actors have swapped out the dual-use domain associated with the GTM container six times, but the GTM
container has remained constant)
Transfer data via WebSocket connections
Use the exact same e-skimmer script (but different than Variant 1 script)

It appears highly likely that the two contemporaneous variants are used by two different Magecart groups because they use different eskimmer scripts, exfiltration domains, and only Variant 2 employs WebSocket connections.

## Conclusion

The shift to e-commerce due to the COVID-19 pandemic has increased interest in CNP e-skimming activity. As the level of activity increases,
so too does the level of effort to mask the activity from automated scanners and security researchers. The use of a legitimate service offers an
excellent opportunity to hide malicious scripts and thus maintain a foothold on victimized e-commerce sites.

The GTM container e-skimmer variant utilized a simple “grab everything” approach to collecting data from web forms and attempted to mask
its data exfiltration by using familiar domain names. Once infected with either of the GTM variants, malicious actors are afforded the ability to
modify their attack infrastructure without being required to access the victim server. This offers a significant means for remaining undetected
when changes are required due to issues such as defects in the skimmer and remediation of secondary loaders or exfiltration URLs.

Despite the fact that two separate groups appear responsible for each variant, the vast majority of payment card records that are stolen with
either GTM container variant have later been offered for sale on the above-mentioned top-tier CNP marketplace.

**Gemini Advisory Mission Statement**

_Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks._
_Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals_
_in real-time._


-----