# Web Skimming Attacks Using Google Tag Manager

**[decoded.avast.io/pavlinakopecka/web-skimming-attacks-using-google-tag-manager/](https://decoded.avast.io/pavlinakopecka/web-skimming-attacks-using-google-tag-manager/)**

January 24, 2022

by [Pavlína KopeckáJanuary 24, 20229 min read](https://decoded.avast.io/author/pavlinakopecka/)

E-commerce websites are much more popular than they used to be, people tend to shop
online more and more often. This leads to the growth of an attack called web skimming.
Web skimming is a type of attack on e-commerce websites in which an attacker inserts
malicious code into a legitimate website. One of the most targeted e-commerce platforms is
```
 Magento . The reason why Magento is so popular among attackers is that Magento is

```
known for many vulnerabilities. However, this doesn’t mean that other platforms aren’t being
[targeted, for example, sites using WooCommerce have also been victims.](https://www.bleepingcomputer.com/news/security/hackers-infect-random-wordpress-plugins-to-steal-credit-cards/)

In this posting, we go over what web skimming attacks are and how they work. We then
analyze a series of web skimming attacks that we found which were active from `March`
```
 2021 to the present. These attacks abused the Google Tag Manager and mainly

```
targeted sites in `Argentina and` `Saudi Arabia .`

## Overview of Web Skimming Attacks

The purpose of the malicious web skimming code is to steal the website’s customers’
payment details. This attack can simply be compared to an attack on physical ATMs, where
instead of hardware skimmers, malicious code is used to steal payment card information.


-----

Web skimming is dangerous because the customer often has no chance to know that a
website has been compromised. Mostly, the attackers go after small e-commerce websites
with poor security, but sometimes even a big e-commerce site can become a victim. In

`2018, the` [British Airways website was infected by a web skimming attack. In](https://www.riskiq.com/blog/external-threat-management/magecart-british-airways-breach/) `2019,`

`forbesmagazine[.]com was` [infected, payment details were sent to the](https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/magecart-s-payment-card-data-skimming-code-found-on-forbes-magazine-s-website)
```
fontsawesome[.]gq . Later in 2020 a big online retailer selling beauty products,
wishtrend[.]com, also became a victim of another web skimming attack. In 2021

```
another big e-commerce website `store.segway[.]com was infected with a skimming`
attack.

We observed a webpage ( wishtrend[.]com with more than `1M followers on`
```
Facebook ) that was infected with web skimming in 2020 . Later in 2021, the same

```
website was infected with a phishing attack that imitates a Dropbox login.

## How Web Skimming Attacks Work Under the Hood

A website can be breached and compromised both on the client side and on the server
side. From the AV perspective, as we protect the end customers (client) and have no
visibility on the server side, we focus on the client side. There can either be a single piece


-----

of malicious code hidden in infected websites, or more often, the attack can be split into two
or more stages. First stage is a simple loader inserted in an infected website’s HTML or in
an already existing javascript file. It can look like in the image below.

_First stage of web skimming attack, example of malicious code inserted in websites_
This code loads additional malicious code from an attacker’s domain, sometimes
obfuscated, sometimes not. For the second stage, attackers usually use `typosquatting`
domains to hide and act as a legitimate service. The malicious code gets the data from all
(or in some cases specific) input forms and sends this data to the attacker’s server.

To get the payment details, the attackers use one of the following techniques:

Stealing payment details directly from the original payment form
Inserting malicious payment form (used in cases when no form exists)
Redirecting to a malicious form on another website (can be placed on infected website
or also on attacker’s website)

The image below shows an example of a fake payment form in the red box. It is almost
impossible to recognize that something is wrong, because on some e-commerce websites
the payment form looks exactly the same and is valid. But in this case a little help is in the
yellow box that says: “You will be redirected to the Realex website when you place an order.
“ It means that if the website states that you will be redirected, then the payment form
should not be directly on the e-commerce website and the user should expect to be
redirected to the payment gateway (different website) with the form to enter payment
details.


-----

_Example of a malicious payment form on an infected website_
There is more than one way the second stage (the part which is responsible for stealing and
sending stolen payment details to the attacker) of a web skimming attack can look. In the
code snippet below, there is an example. Here the attackers use a `POST request to`
exfiltrate payment details, but they can also use `GET requests and` `WebSockets .`


-----

_Example of web skimming code_
Stolen payment details are usually sold on the dark web. These datasets of credit cards that
come from web skimming attacks are usually fresh and therefore they are better and can be
sold for a higher price than for example data stolen from databases, which can be old in
many cases. More information about selling stolen cards can be found in Yonathan
Klijnsma’s

VB2019 paper: : Inside Magecart: the history behind the covert card-skimming assault on
the e-Commerce industry.

## Web Skimming using Google Tag Manager

In `Q3 2021 we discovered a web skimming attack that uses` `Google Tag Manager`
```
(GTM) as a first stage. First, the infected webpage loads a script from
googletagmanager[.]com/gtm.js?id=gtm-<code> via script injected in the HTML file

```
shown on the image below.

_Code snippet from index.html on infected e-commerce website_
There is nothing unusual in this behaviour, many websites use `Google Tag Manager and`
it looks exactly the same (it can be suspicious that the website loads more than one `GTM`
script though). But if we look closer in the `gtm.js file, we can find suspicious code in it. In`
the image below there is a comparison between malicious and clean `GTM script. In the`


-----

malicious file, there is added custom code that loads another javascript file from
```
ganalitis[.]com . This is the feature of GTM, it is possible to add a custom script (which

```
is then loaded from `googletagmanager.com domain).`

_Difference between usual and malicious GTM code_
We were able to connect (based on our common signature and IP) `ganalitis[.]com`
with similar domains from the same attacker (data from `RiskIQ ).`

Domain Active from IP
```
 ganalitics[.]com 2021-06-03 193[.]203[.]203[.]240
 bingfindapi[.]com 2021-04-29 193[.]203[.]203[.]56
 webfaset[.]com 2021-04-13 193[.]203[.]203[.]56
 pixstatics[.]com 2021-05-19 193[.]203[.]203[.]56
 ganalitis[.]com 2021-10-21 91[.]242[.]229[.]96
 gstatsc[.]com 2021-12-13 91[.]242[.]229[.]96
 gstatlcs[.]com 2021-12-15 193[.]203[.]203[.]14
 gstatuslink[.]com 2022-01-02 91[.]242[.]229[.]96
 gtagmagr[.]com 2022-01-05 193[.]203[.]203[.]14

```
The second stage (downloaded from the malicious domain) is a file named `favicon (later`
renamed to refresh) that contains about `400 lines of obfuscated javascript code. We`
found that this code was being changed over time to avoid detection. The deobfuscated


-----

code is shown below, almost everything out of the 400 lines of code was just obfuscation.
This file hides malicious code responsible for downloading the final stage through
```
WebSockets .

```
The final stage of malware is downloaded through `WebSockets . First, the web page sends`
its hostname, and then according to that information the corresponding malicious javascript
is received. This communication is shown in the image below.

Malicious javascript code is about `1k lines long (formatted) and as the previous stage is`
also obfuscated. This code is responsible for stealing the payment details. At the end of the
obfuscated javascript code (shown in the image below) is configuration which is different for
every infected eshop. The red box at the bottom shows the configuration where the fake
payment form will be inserted into an `HTML file on the infected website.`


-----

_The end of the third stage file that contains configuration_
The code from the yellow box is decoded in the white box. It is a dictionary, the key

`E528330211747l` contains the form field names that match the input form field names on
the infected webpage. The last key contains an exfiltration URL that is encoded in
```
base64 . In the image below is a code from an infected website, we can see that the id of

```
the email field (customer-email) is in the mentioned code.

The missing field names (from fake payment form) are in the variable `a0_0x11ac38 .`
Which is an array and contains the following fields:

The fake payment form embedded on the infected website is shown in the image below.
Above is the infected webpage, while below is how the webpage looks normally.


-----

_E-commerce website with fake payment form_
The stolen payment details (including details such as name and address) are sent to the
attacker encoded in `base64 through` `WebSockets .`

## Affected users

In the map below are shown countries with the most affected users. The top is
```
Argentina, because of prune[.]com[.]ar . Site was infected with the new malicious

```
domain `gstatlcs[.]com .`


-----

The second one is `Saudi Arabia` e-commerce website `souqtime[.]com . From` RiskIQ
data we can see that this e-commerce website was infected over time with at least seven
different web skimming domains.

Currently Avast detects the malicious domain `gstatuslink[.]com on` `souqtime[.]com .`

## Conclusion

Overall, we can say that the attacker uses `Google Tag Manager to avoid detection. At the`
same time they were able to change the domains from which the malicious code was
loaded over time, he also changed the malicious code itself to hide from detection by
antivirus.


-----

Some websites were infected for several months (for example `souqtime[.]com ). It can`
be difficult for users to spot that the site is infected. For example, it is suspicious if the user
fills in the payment form on the website itself and is then redirected to another payment
form on the payment gateway webpage. But in cases where the payment form is normally
present directly on the e-commerce website and the attacker steals payment details from
this legitimate form, it is really hard to notice that the website is infected. Therefore we
recommend using a second factor (e.g. mobile app or SMS code) to confirm internet
payments if the bank supports it.

Website owners should keep software updated, monitor logs for any suspicious activity, use
strong passwords and also use Web Application Firewall.

**IOC malicious domains:**
```
   pixstatics[.]com
   ganalitics[.]com
   bingfindapi[.]com
   webfaset[.]com
   ganalitis[.]com
   gstatsc[.]com
   gstatlcs[.]com
   gstatuslink[.]com
   gtagmagr[.]com

```
[Tagged asanalysis,](https://decoded.avast.io/tag/analysis/) [magento,](https://decoded.avast.io/tag/magento/) [malware,](https://decoded.avast.io/tag/malware/) [skimming](https://decoded.avast.io/tag/skimming/)


-----