Magecart Hackers Use Google Tag Manager for Credit Card Skimmers

Sarah simpson
May 12, 2026

Key Takeaways

  • Magecart-linked hackers are using Google Tag Manager (GTM) to deploy credit card skimmers, exploiting its trusted nature.
  • The ATMZOW skimmer, active since 2015, leverages obfuscated scripts and rotating domains to evade detection and steal payment data from e-commerce checkout pages.
  • Over 300 websites were found compromised with malicious GTM containers in 2023, with attackers rapidly deploying new containers after existing ones are removed.

Online shoppers are facing a heightened risk of financial data theft as threat actors associated with the notorious Magecart group have begun embedding credit card skimmers within Google Tag Manager (GTM) containers. This sophisticated tactic transforms a widely adopted web administration tool into a clandestine mechanism for compromising e-commerce transactions and pilfering sensitive consumer payment information.

Table Of Content

  • Key Takeaways
  • The ATMZOW Skimmer Campaign
  • How the GTM Skimmer Works
  • Obfuscation Tactics and Persistent Reinfection
  • What You Should Do

Google Tag Manager is an essential utility for millions of websites, enabling them to centrally manage and deploy marketing, analytics, and other third-party scripts. Its scripts are served from the highly trusted googletagmanager.com domain, a factor that often causes security tools and website administrators to overlook or minimally scrutinize its loaded content. This inherent trust is precisely what the attackers are exploiting, utilizing deceptive GTM containers to inject malicious code designed to exfiltrate payment data in real time.

The ATMZOW Skimmer Campaign

Security researchers at Sucuri have meticulously tracked this campaign, uncovering a highly organized operation attributed to a persistent threat actor known as ATMZOW. This particular skimmer variant has a documented history with Magecart activities, dating back to 2015 when it was first identified in connection with the Guruincsite infection, which impacted thousands of Magento-powered online stores. The continued evolution and operational longevity of this group underscore the enduring nature of the threat.

The scale of the compromise became evident through Sucuri’s SiteCheck scanner, which flagged known malicious GTM containers on 327 distinct websites within the first eleven months of 2023 alone. One specific container, identified as GTM-WJV6J6, was detected 178 times before Google intervened and removed it. However, the attackers have demonstrated resilience, promptly creating new containers to continue their infection efforts once a previous one is deactivated.

The danger of this campaign lies in its seamless integration with legitimate web operations. A malicious GTM script initially appears benign, allowing many infections to persist undetected until significant damage has occurred. Unsuspecting shoppers enter their credit card details on seemingly legitimate checkout pages, unaware that their financial information is simultaneously being transmitted to the attackers.

How the GTM Skimmer Works

The ATMZOW skimmer operates through a series of obfuscated scripts delivered via compromised GTM containers. These scripts are designed to discreetly harvest payment card data from checkout pages. Upon a visitor landing on an infected site, the malicious container loads, and the script performs a check to determine if the user is on a checkout or one-page payment interface. This targeted approach enhances the malware’s stealth, minimizing the likelihood of triggering automated security scans.

To further elude detection, the skimmer employs a dynamic infrastructure. It randomly selects two domains from a rotating list of 40 newly registered addresses to fetch its payload. These chosen domains are then stored in the browser’s local storage, ensuring that the same pair is used for subsequent visits. This mechanism significantly complicates efforts by security analysts to map out the full extent of the threat infrastructure.

The domains, registered through Hostinger in November 2023 in three distinct batches, are crafted to mimic legitimate analytics services by combining art-related terminology with analytics-style terms. Examples include cdn.sketchinsightswatch[.]com and cdn.colorpalettemetrics[.]com. The attackers also leverage Cloudflare to obscure their server IP addresses, though researchers eventually succeeded in identifying the underlying hosting infrastructure.
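
One way a site owner can catch the loader stage described above is to audit what a checkout page actually loads against an allowlist. The following Python audit is an added example, not code from Sucuri or the article; the sample HTML, the GTM-EXAMPLE container and the two allowlists are constructed for the demonstration, while GTM-WJV6J6 and the cdn.sketchinsightswatch domain are the indicators named in the article.

```python
import re

# Constructed sample of a checkout page (not from any real site): one approved GTM
# container, a second container injected through the standard GTM snippet, and a
# third-party script from a lookalike "analytics" host.
SAMPLE_HTML = """
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),
event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i+'&l='+l;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-WJV6J6');</script>
<script src="https://cdn.sketchinsightswatch.com/a.js"></script>
<script src="/static/checkout.js"></script>
"""

# Hypothetical allowlists an administrator would maintain for checkout pages.
APPROVED_CONTAINERS = {"GTM-EXAMPLE"}
APPROVED_SCRIPT_HOSTS = {"www.googletagmanager.com"}

GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{6,8}\b")
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc=[\"']([^\"']+)[\"']", re.I)
HOST_RE = re.compile(r"^(?:https?:)?//([^/?#]+)", re.I)

def audit_page(html, approved_containers, approved_hosts):
    """Return (unapproved GTM container IDs, unapproved external script hosts)."""
    containers = set(GTM_ID_RE.findall(html))
    rogue_containers = sorted(containers - approved_containers)
    rogue_hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        m = HOST_RE.match(src)          # relative URLs are same-origin and skipped
        if m and m.group(1).lower() not in approved_hosts:
            rogue_hosts.add(m.group(1).lower())
    return rogue_containers, sorted(rogue_hosts)

if __name__ == "__main__":
    ids, hosts = audit_page(SAMPLE_HTML, APPROVED_CONTAINERS, APPROVED_SCRIPT_HOSTS)
    print("unapproved GTM containers:", ids)     # ['GTM-WJV6J6']
    print("unapproved script hosts:", hosts)     # ['cdn.sketchinsightswatch.com']
```

This only sees what the server sends; tags the container itself injects at runtime must be reviewed in the GTM workspace, and the payload domains chosen by the skimmer end up in the visitor's browser local storage rather than in the HTML.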

Obfuscation Tactics and Persistent Reinfection

The ATMZOW skimmer distinguishes itself through its advanced obfuscation techniques. The malicious code incorporates a custom decoding routine that takes the exact character length of the script as an input, so any alteration to the script breaks the decoder and the payload never decodes. This makes the code highly resistant to automated analysis and static detection tools.

Following Google’s removal of the initial GTM-TVKQ79ZS container due to reported malicious activity, the attackers swiftly deployed two replacement containers, GTM-NTV2JTB4 and GTM-MX7L8F2M, to continue their site infections.

In at least one observed instance, this GTM-based skimmer was found co-existing with a separate WebSocket-based skimmer on the same compromised website, indicating that some victims may be simultaneously targeted by multiple threat actors.

What You Should Do

  • For Website Owners:
    • Regularly audit all GTM containers and custom scripts for unauthorized or suspicious code. Ensure all GTM users have strong, unique passwords and multi-factor authentication.
    • Implement Content Security Policy (CSP) headers to restrict external script execution to only trusted domains.
    • Utilize server-side scanning tools and client-side monitoring to detect changes or injections in your website’s code, particularly in checkout processes.
    • For Magento site owners, meticulously review templates stored in core_config_data, a common vector for client-side skimmer injections.
    • Treat any unfamiliar script as a potential security risk, especially those not explicitly authorized by an administrator.
  • For Online Shoppers:
    • Be vigilant for any unusual behavior during the checkout process, such as unexpected redirects or form anomalies.
    • Consider using virtual credit card numbers for online purchases, if available through your bank, to limit exposure in case of a breach.
    • Regularly monitor credit card statements for unauthorized transactions.
    • Use a reputable browser extension that can block malicious scripts, though these may not always detect highly obfuscated GTM-based skimmers.
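
The CSP recommendation above, as an added example that is not from the article: a permissive policy beside one that limits both where scripts may load from and where the page may send data, with a deliberately simplified matcher that shows which of the skimmer's requests each policy would permit. The two policies, the shop.example page origin and the matcher are constructed for illustration; the two domains tested are indicators named in the article.

```python
from urllib.parse import urlsplit

# Constructed policies (not from the article). The weak one lets any host serve scripts
# and receive data; the hardened one names the only hosts a checkout page needs.
WEAK_CSP = "default-src * 'unsafe-inline' data:"
HARDENED_CSP = ("default-src 'self'; "
                "script-src 'self' https://www.googletagmanager.com; "
                "connect-src 'self' https://www.google-analytics.com; "
                "img-src 'self' https://www.googletagmanager.com; "
                "form-action 'self'")

def parse_csp(header):
    """Map each directive name to its list of source expressions."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def allows(header, directive, url, page_origin="https://shop.example"):
    """Simplified CSP check: does `directive` (falling back to default-src) permit `url`?
    Handles '*', 'self', scheme sources and host sources with an optional *. wildcard;
    paths, nonces and hashes are ignored."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src", []))
    u = urlsplit(url)
    for src in sources:
        if src == "*":
            return True
        if src == "'self'":
            if f"{u.scheme}://{u.netloc}" == page_origin:
                return True
            continue
        if src.startswith("'"):
            continue                     # 'unsafe-inline', nonces, hashes: not hosts
        if src.endswith(":"):            # scheme-source such as https: or data:
            if u.scheme == src[:-1]:
                return True
            continue
        scheme, _, host = src.partition("://")
        if not host:                     # bare host-source: treat as https
            scheme, host = "https", scheme
        host = host.split("/", 1)[0].lower()
        if scheme.lower() == u.scheme and (host == u.hostname or
                (host.startswith("*.") and u.hostname.endswith(host[1:]))):
            return True
    return False

if __name__ == "__main__":
    payload = "https://cdn.sketchinsightswatch.com/a.js"
    exfil = "https://cdn.colorpalettemetrics.com/collect"
    for name, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(name, "script:", allows(csp, "script-src", payload),
              "connect:", allows(csp, "connect-src", exfil))
```

Roll the tightened policy out as Content-Security-Policy-Report-Only first: GTM Custom HTML tags inject inline scripts, which need a nonce once 'unsafe-inline' is gone, and connect-src also governs WebSocket connections like the second skimmer mentioned below.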

Indicators of Compromise (IoCs):

Type | Indicator | Description
--- | --- | ---
GTM Container ID | GTM-WJV6J6 | Malicious GTM container used to inject skimmer; detected 178 times in 2023
GTM Container ID | GTM-TVKQ79ZS | GTM container carrying new ATMZOW skimmer variant (November 2023)
GTM Container ID | GTM-NTV2JTB4 | Replacement malicious container created after GTM-TVKQ79ZS was removed
GTM Container ID | GTM-MX7L8F2M | Second replacement malicious container used for reinfection

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
