Magecart Hackers Use Google Tag Manager for Credit Card Skimmers
Key Takeaways
- Magecart-linked hackers are using Google Tag Manager (GTM) to deploy credit card skimmers, exploiting its trusted nature.
- The ATMZOW skimmer, active since 2015, leverages obfuscated scripts and rotating domains to evade detection and steal payment data from e-commerce checkout pages.
- Over 300 websites were found compromised with malicious GTM containers in 2023, with attackers rapidly deploying new containers after existing ones are removed.
Online shoppers are facing a heightened risk of financial data theft as threat actors associated with the notorious Magecart group have begun embedding credit card skimmers within Google Tag Manager (GTM) containers. This sophisticated tactic transforms a widely adopted web administration tool into a clandestine mechanism for compromising e-commerce transactions and pilfering sensitive consumer payment information.
Google Tag Manager is an essential utility for millions of websites, enabling them to centrally manage and deploy marketing, analytics, and other third-party scripts. Its scripts are served from the highly trusted googletagmanager.com domain, a factor that often causes security tools and website administrators to overlook or minimally scrutinize its loaded content. This inherent trust is precisely what the attackers are exploiting, utilizing deceptive GTM containers to inject malicious code designed to exfiltrate payment data in real time.
The ATMZOW Skimmer Campaign
Security researchers at Sucuri have meticulously tracked this campaign, uncovering a highly organized operation attributed to a persistent threat actor known as ATMZOW. This particular skimmer variant has a documented history with Magecart activities, dating back to 2015 when it was first identified in connection with the Guruincsite infection, which impacted thousands of Magento-powered online stores. The continued evolution and operational longevity of this group underscore the enduring nature of the threat.
The scale of the compromise became evident through Sucuri’s SiteCheck scanner, which flagged known malicious GTM containers on 327 distinct websites within the first eleven months of 2023 alone. One specific container, identified as GTM-WJV6J6, was detected 178 times before Google intervened and removed it. However, the attackers have demonstrated resilience, promptly creating new containers to continue their infection efforts once a previous one is deactivated.
The danger of this campaign lies in its seamless integration with legitimate web operations. A malicious GTM script initially appears benign, allowing many infections to persist undetected until significant damage has occurred. Unsuspecting shoppers enter their credit card details on seemingly legitimate checkout pages, unaware that their financial information is simultaneously being transmitted to the attackers.
How the GTM Skimmer Works
The ATMZOW skimmer operates through a series of obfuscated scripts delivered via compromised GTM containers. These scripts are designed to discreetly harvest payment card data from checkout pages. Upon a visitor landing on an infected site, the malicious container loads, and the script performs a check to determine if the user is on a checkout or one-page payment interface. This targeted approach enhances the malware’s stealth, minimizing the likelihood of triggering automated security scans.
To further elude detection, the skimmer employs a dynamic infrastructure. It randomly selects two domains from a rotating list of 40 newly registered addresses to fetch its payload. These chosen domains are then stored in the browser’s local storage, ensuring that the same pair is used for subsequent visits. This mechanism significantly complicates efforts by security analysts to map out the full extent of the threat infrastructure.
The domains, registered through Hostinger in November 2023 in three distinct batches, are crafted to mimic legitimate analytics services by combining art-related terminology with analytics-style terms. Examples include cdn.sketchinsightswatch[.]com and cdn.colorpalettemetrics[.]com. The attackers also leverage Cloudflare to obscure their server IP addresses, though researchers eventually succeeded in identifying the underlying hosting infrastructure.
Obfuscation Tactics and Persistent Reinfection
The ATMZOW skimmer distinguishes itself through its advanced obfuscation techniques. The malicious code incorporates a custom decoding mechanism that is intrinsically dependent on the precise character length of the script. This design makes any alteration to the script fatal to the decoder, rendering it highly resistant to automated analysis and static detection tools.
Following Google’s removal of the initial GTM-TVKQ79ZS container due to reported malicious activity, the attackers swiftly deployed two replacement containers, GTM-NTV2JTB4 and GTM-MX7L8F2M, to continue their site infections.
In at least one observed instance, this GTM-based skimmer was found co-existing with a separate WebSocket-based skimmer on the same compromised website, indicating that some victims may be simultaneously targeted by multiple threat actors.
What You Should Do
- For Website Owners:
  - Regularly audit all GTM containers and custom scripts for unauthorized or suspicious code. Ensure all GTM users have strong, unique passwords and multi-factor authentication.
  - Implement Content Security Policy (CSP) headers to restrict external script execution to only trusted domains.
  - Utilize server-side scanning tools and client-side monitoring to detect changes or injections in your website’s code, particularly in checkout processes.
  - For Magento site owners, meticulously review templates stored in core_config_data, a common vector for client-side skimmer injections.
  - Treat any unfamiliar script as a potential security risk, especially those not explicitly authorized by an administrator.
- For Online Shoppers:
  - Be vigilant for any unusual behavior during the checkout process, such as unexpected redirects or form anomalies.
  - Consider using virtual credit card numbers for online purchases, if available through your bank, to limit exposure in case of a breach.
  - Regularly monitor credit card statements for unauthorized transactions.
  - Use a reputable browser extension that can block malicious scripts, though these may not always detect highly obfuscated GTM-based skimmers.
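As an added example (not code from this article or from Sucuri), the following Python script applies the site-owner checks above to a page's HTML: it flags GTM container IDs that are not on the administrator's authorized list (and the ones named in this report), flags script hosts outside an allowlist, and emits the matching CSP script-src directive. The sample HTML, the authorized container GTM-ABC1234, the host allowlist and the host cdn.example-analytics.invalid are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a checkout page (not a real capture): one legitimate
# container, one container named in the Sucuri report, and one unlisted host.
SAMPLE_HTML = """
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ABC1234"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-WJV6J6"></script>
<script src="https://cdn.example-analytics.invalid/stats.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lib.js"></script>
"""

# Hypothetical: the containers the site's administrators actually provisioned.
AUTHORIZED_CONTAINERS = {"GTM-ABC1234"}
# Hypothetical: hosts the site is allowed to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com", "cdn.jsdelivr.net"}
# Container IDs reported as malicious in the article's IoC table.
KNOWN_BAD_CONTAINERS = {"GTM-WJV6J6", "GTM-TVKQ79ZS", "GTM-NTV2JTB4", "GTM-MX7L8F2M"}

GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{5,10}\b")
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc=[\"']([^\"']+)[\"']", re.IGNORECASE)


def audit_page(html):
    """Return (finding, value) pairs for anything that fails the audit."""
    findings = []
    # Every container ID in the page, including ones injected via gtm.js?id=.
    for cid in sorted(set(GTM_ID_RE.findall(html))):
        if cid in KNOWN_BAD_CONTAINERS:
            findings.append(("known_malicious_container", cid))
        elif cid not in AUTHORIZED_CONTAINERS:
            findings.append(("unauthorized_container", cid))
    # Every external script host that is not on the allowlist
    # (relative src values have no hostname and are skipped).
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname or ""
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unlisted_script_host", host))
    return findings


def build_csp(hosts):
    """script-src directive that only permits 'self' and the allowlisted hosts."""
    return "script-src 'self' " + " ".join(sorted(hosts)) + ";"


if __name__ == "__main__":
    for finding, value in audit_page(SAMPLE_HTML):
        print(f"{finding}: {value}")
    print(build_csp(ALLOWED_SCRIPT_HOSTS))
```

A CSP that permits googletagmanager.com cannot block a rogue container served from that same trusted domain, which is why the container audit is still required; the policy does block the skimmer's follow-on payload fetch from its rotating domains.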
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| GTM Container ID | GTM-WJV6J6 | Malicious GTM container used to inject skimmer; detected 178 times in 2023 |
| GTM Container ID | GTM-TVKQ79ZS | GTM container carrying new ATMZOW skimmer variant (November 2023) |
| GTM Container ID | GTM-NTV2JTB4 | Replacement malicious container created after GTM-TVKQ79ZS was removed |
| GTM Container ID | GTM-MX7L8F2M | Second replacement malicious container used for reinfection |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.