Magecart Abuses Google Tag Manager

Industry: eCommerce | Level: Strategic | Source: GeminiAdvisory

The Magecart threat actor group has abused the Google Tag Manager (GTM) service by discriminately adding malicious JavaScripts within the GTM container. The GTM service was intended to allow web authors the capability to update measurement codes and other code fragments. Abused GTM containers execute the embedded JavaScript when a browser loads the link to a container, collecting unsuspected buyer information through the use of additional payment forms and exfiltrate the data to a remote collection server. These findings are reported by Gemini Advisory a Recorded Future company, who has been observing the threat since February 4th, 2021. Three hundred and sixteen ecommerce sites were compromised with infected containers, resulting in at least 88,000 payment card records posted for sale on dark web markets.