Magecart Group Exploits Google Tag Manager in Sophisticated Credit Card Skimming Campaign
A notorious Magecart threat group has weaponized Google Tag Manager (GTM) to deploy credit card skimmers on e-commerce sites, turning a trusted analytics tool into a vehicle for digital skimming. The campaign, linked to the ATMZOW skimmer, has evolved since its emergence in 2015, with attackers now leveraging highly obfuscated GTM containers to evade detection.
In early 2023, the group used GTM-WJ6S9J6 to inject malicious scripts disguised as legitimate analytics services. After Google removed the container, attackers pivoted to GTM-TVKQ79ZS, introducing a new layer of obfuscation that breaks if even a single character is altered, frustrating security analysis. More recently, they deployed GTM-NTV2JTB4 and GTM-MX7L8F2M as replacements.
To further evade detection, the attackers registered 40 new domains with deceptive naming patterns (e.g., cdn.sketchinsightswatch[.]com, cdn.visualartinsights[.]com), blending into normal web traffic. The skimmer randomly selects two domains per victim, storing them in local storage to limit exposure of the full infrastructure. Initially, these domains were hidden behind Cloudflare, but researchers later uncovered their Hostinger-based IP addresses after the firewall provider blocked malicious traffic.
The campaign highlights the group’s adaptability, combining GTM abuse, domain obfuscation, and selective payload delivery to prolong its operations. Indicators of compromise include the identified GTM containers and fake analytics domains, such as gtm-statistlc[.]com and gooqle-analytics[.]com.
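As an added defender-side example (not part of the source article), the following Python script audits a page's HTML for GTM container IDs and third-party script hosts, flagging the container IDs and lookalike domains named above and anything not on a site-specific allowlist. The allowlists and the sample HTML are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample checkout page: one legitimate GTM container, one of the
# malicious container IDs from the report, and two suspicious script hosts.
SAMPLE_HTML = """
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ABC1234"></script>
<script>(function(w,d,s,l,i){w[l]=w[l]||[]})(window,document,'script','dataLayer','GTM-TVKQ79ZS');</script>
<script src="https://gooqle-analytics.com/analytics.js"></script>
<script src="https://cdn.sketchinsightswatch.com/v3.js"></script>
"""

# Containers the site owner actually provisioned (hypothetical allowlist).
ALLOWED_CONTAINERS = {"GTM-ABC1234"}
# Hosts the checkout page is expected to load scripts from (hypothetical allowlist).
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}
# Container IDs and fake analytics domains named in the report.
KNOWN_BAD_CONTAINERS = {"GTM-WJ6S9J6", "GTM-TVKQ79ZS", "GTM-NTV2JTB4", "GTM-MX7L8F2M"}
KNOWN_BAD_HOSTS = {"gtm-statistlc.com", "gooqle-analytics.com"}

GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{6,8}\b")
SRC_RE = re.compile(r"<script[^>]*\ssrc=[\"']([^\"']+)[\"']", re.I)


def audit_page(html):
    """Return (kind, value, verdict) findings for every container ID or
    external script host that is known-bad or missing from the allowlists."""
    findings = []
    for cid in sorted(set(GTM_ID_RE.findall(html))):
        if cid in KNOWN_BAD_CONTAINERS:
            findings.append(("container", cid, "known-malicious"))
        elif cid not in ALLOWED_CONTAINERS:
            findings.append(("container", cid, "not-allowlisted"))
    for src in SRC_RE.findall(html):
        host = urlparse(src).hostname or ""
        if host in KNOWN_BAD_HOSTS:
            findings.append(("host", host, "known-malicious"))
        elif host not in ALLOWED_HOSTS:
            findings.append(("host", host, "not-allowlisted"))
    return findings


if __name__ == "__main__":
    for kind, value, verdict in audit_page(SAMPLE_HTML):
        print(f"{verdict}: {kind} {value}")
```

Run against a fetched checkout page on a schedule, a non-empty result is the signal that a GTM container or script source changed without a corresponding change ticket.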
Source: https://cyberpress.org/magecart-abuses-tag-manager/
Google Analytics cybersecurity rating report: https://www.rankiteo.com/company/google-analytics
Cloudflare cybersecurity rating report: https://www.rankiteo.com/company/cloudflare
"id": "GOOCLO1778581869",
"linkid": "google-analytics, cloudflare",
"type": "Cyber Attack",
"date": "11/2025",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': 'Retail', 'type': 'E-commerce businesses'}],
'attack_vector': 'Malicious GTM Containers',
'data_breach': {'data_exfiltration': 'Yes',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Payment information, credit card '
'details'},
'date_detected': '2023',
'description': 'A notorious Magecart threat group has weaponized Google Tag '
'Manager (GTM) to deploy credit card skimmers on e-commerce '
'sites, turning a trusted analytics tool into a vehicle for '
'digital skimming. The campaign, linked to the ATMZOW skimmer, '
'has evolved since its emergence in 2015, with attackers now '
'leveraging highly obfuscated GTM containers to evade '
'detection. The attackers used GTM containers like '
'GTM-WJ6S9J6, GTM-TVKQ79ZS, GTM-NTV2JTB4, and GTM-MX7L8F2M to '
'inject malicious scripts disguised as legitimate analytics '
'services. They registered 40 new domains with deceptive '
'naming patterns to blend into normal web traffic and evade '
'detection.',
'impact': {'brand_reputation_impact': 'Potential damage due to credit card '
'skimming',
'data_compromised': 'Credit card information',
'identity_theft_risk': 'High',
'payment_information_risk': 'High',
'systems_affected': 'E-commerce websites'},
'initial_access_broker': {'data_sold_on_dark_web': 'Likely',
'entry_point': 'Google Tag Manager (GTM) containers',
'high_value_targets': 'E-commerce payment pages'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Attackers are increasingly abusing legitimate tools like '
'GTM to evade detection. Organizations must monitor GTM '
'containers and third-party scripts for malicious '
'activity.',
'motivation': 'Financial gain',
'post_incident_analysis': {'corrective_actions': 'Enhanced GTM monitoring, '
'script allowlisting, '
'behavioral analysis for '
'skimming detection',
'root_causes': 'Abuse of trusted analytics tools '
'(GTM), lack of monitoring for '
'third-party script changes'},
'recommendations': ['Monitor GTM containers for unauthorized changes',
'Implement strict script allowlisting on e-commerce sites',
'Use behavioral analysis to detect skimming activity',
'Regularly audit third-party integrations for security '
'risks'],
'references': [{'source': 'Cybersecurity Research Reports'}],
'regulatory_compliance': {'regulations_violated': ['PCI DSS']},
'threat_actor': 'Magecart (ATMZOW skimmer group)',
'title': 'Magecart Group Exploits Google Tag Manager in Sophisticated Credit '
'Card Skimming Campaign',
'type': 'Credit Card Skimming',
'vulnerability_exploited': 'Abuse of Google Tag Manager (GTM)'}