Recently, it has been reported that the Magecart veteran skimmer ATMZOW has been found operating through Google Tag Manager with 40 new domains. As a result, thousands of websites have been affected by this security breach.
Attackers favor Google Tag Manager because millions of websites use it, and a GTM container lets them insert HTML and custom scripts through a script loaded from the highly reputable domain googletagmanager[.]com; to abuse the service, they simply build a new container of their own.
Sucuri researchers analyzed the malicious code's newer obfuscation methods, examined the use of Google Tag Manager containers in e-commerce malware, and tracked the development of the ATMZOW skimmer, which has been linked to numerous Magento website infections since 2015.
The obfuscation employed in the newly found GTM-TVKQ79ZS container adds further complexity to conceal all domains and activation conditions. Because the decoder depends on the exact length of the script and breaks whenever the script is modified, the ATMZOW layer is very challenging to decode.
A list of 40 newly registered domains used to inject another layer of the skimmer:
This time, the attackers combined three English words according to the following pattern, in contrast to the earlier naming scheme, which used terms associated with well-known statistics or analytics services:
- The first word is always related to art.
- The third word makes the domain name look related to some internet service, e.g., metrics, stats, profiler, insights, analytics, tracker, monitor, tool, etc.
- The second word is randomly selected from either of the two preceding keyword types.
It's worth mentioning that the malicious code picks two of the "CDN" domains at random. Moreover, because these two domains are stored locally in the browser, a visitor using the same browser will consistently encounter the same pair of domains.
This technique aims to extend the campaign's duration by preventing every domain used in the attack from being quickly identified and blocked.
The hacker also created new containers, GTM-NTV2JTB4 and GTM-MX7L8F2M, with the same malicious script and started reinfecting compromised websites.
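As an added detection example (not code from Sucuri or this article), the following Python scan checks a page's HTML for GTM container IDs that are not on the site's own allowlist, reports any of the container IDs named above, and flags third-party script hosts matching the three-word naming pattern. The art-word vocabulary and the sample HTML are constructed assumptions.

```python
import re

# Container IDs named in the article as used by this campaign.
KNOWN_MALICIOUS_CONTAINERS = {"GTM-TVKQ79ZS", "GTM-NTV2JTB4", "GTM-MX7L8F2M"}

# Service-style third words listed in the article.
SERVICE_WORDS = ("metrics", "stats", "profiler", "insights", "analytics",
                 "tracker", "monitor", "tool")
# Assumed art-related first words (the article gives no explicit list).
ART_WORDS = ("art", "paint", "canvas", "sketch", "mural", "gallery", "fresco", "palette")

GTM_RE = re.compile(r"googletagmanager\.com/gtm\.js\?id=(GTM-[A-Z0-9]+)")
SRC_RE = re.compile(r"<script[^>]+src=[\"']https?://([^/\"']+)", re.I)


def find_containers(html, allowed):
    """Return GTM container IDs loaded by the page that are not on the allowlist."""
    return sorted(cid for cid in set(GTM_RE.findall(html)) if cid not in allowed)


def looks_like_skimmer_domain(host):
    """Heuristic: the registrable label starts with an art word, ends with a
    service word, and has a non-empty middle word between them."""
    parts = host.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    for art in ART_WORDS:
        for svc in SERVICE_WORDS:
            if label.startswith(art) and label.endswith(svc) and len(label) > len(art) + len(svc):
                return True
    return False


def scan_page(html, allowed):
    """Summarize unexpected containers, known-bad containers and suspicious hosts."""
    hosts = {h.lower() for h in SRC_RE.findall(html)}
    containers = set(GTM_RE.findall(html))
    return {
        "unexpected_containers": find_containers(html, allowed),
        "known_malicious_containers": sorted(containers & KNOWN_MALICIOUS_CONTAINERS),
        "suspicious_hosts": sorted(h for h in hosts if looks_like_skimmer_domain(h)),
    }


# Constructed sample page: one approved container, one campaign container and two
# third-party script hosts (hostnames are made up for this example).
SAMPLE_HTML = """
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE1"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-TVKQ79ZS"></script>
<script src="https://cdn.muralpixelmetrics.com/c.js"></script>
<script src="https://static.jsdelivr-example.net/lib.js"></script>
"""

if __name__ == "__main__":
    print(scan_page(SAMPLE_HTML, allowed={"GTM-EXAMPLE1"}))
```

In practice the allowlist is the set of container IDs the site owner actually deployed; any other ID appearing in served HTML is worth an immediate look regardless of the domain heuristic.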