Magecart veteran ATMZOW has been found using 40 new domains in attacks delivered through Google Tag Manager.
Thousands of websites have been affected by the campaign.
Attackers favor Google Tag Manager because millions of websites use it, and it lets them inject arbitrary HTML and custom scripts through a loader served from the highly reputable domain googletagmanager[.]com. To abuse Google Tag Manager, they create a new container of their own and point the victim site at it.
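The following JavaScript is an added example, not code from the article or from Sucuri. It enumerates every Google Tag Manager container a page references and sorts them into three buckets: containers the site operator installed, containers the report names as malicious, and containers nobody can account for. The HTML is constructed sample input; GTM-AAAA111 (the allowlisted container) and GTM-BBBB222 (an unrecognised one) are hypothetical, while GTM-TVKQ79ZS, GTM-NTV2JTB4 and GTM-MX7L8F2M are the container IDs named in the report.

```javascript
// Added example, not code from the article or from Sucuri: enumerate the Google
// Tag Manager containers a page loads and flag any the site owner did not install.

// Container IDs the report names as carrying the ATMZOW skimmer.
const REPORTED_MALICIOUS = new Set(['GTM-TVKQ79ZS', 'GTM-NTV2JTB4', 'GTM-MX7L8F2M']);

// Hypothetical allowlist a site operator would keep for their own containers.
const ALLOWED_CONTAINERS = ['GTM-AAAA111'];

// Constructed sample page: the owner's snippet in <head>, plus two injected loaders.
const CONSTRUCTED_HTML = `
<html><head>
<!-- Google Tag Manager (installed by the site owner) -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-AAAA111');</script>
</head><body>
<!-- injected: container named in the report -->
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-TVKQ79ZS"></script>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-TVKQ79ZS"></iframe></noscript>
<!-- injected: hypothetical container nobody on the team recognises -->
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-BBBB222"></script>
</body></html>`;

// Loader URLs (gtm.js for the script, ns.html for the <noscript> iframe fallback).
const GTM_URL_RE = /googletagmanager\.com\/(?:gtm\.js|ns\.html)\?id=(GTM-[A-Z0-9]+)/g;
// The stock inline snippet passes the ID as a string argument, not in a literal URL,
// so also collect bare GTM-... tokens anywhere in the source.
const GTM_ID_RE = /\bGTM-[A-Z0-9]{4,}\b/g;

function findGtmContainerIds(html) {
  const ids = new Set();
  for (const m of html.matchAll(GTM_URL_RE)) ids.add(m[1]);
  for (const m of html.matchAll(GTM_ID_RE)) ids.add(m[0]);
  return [...ids].sort();
}

// Split what was found into allowlisted, reported-malicious, and simply unknown IDs.
function auditGtmContainers(html, allowlist) {
  const allowed = new Set(allowlist);
  const result = { allowed: [], knownBad: [], unknown: [] };
  for (const id of findGtmContainerIds(html)) {
    if (allowed.has(id)) result.allowed.push(id);
    else if (REPORTED_MALICIOUS.has(id)) result.knownBad.push(id);
    else result.unknown.push(id);
  }
  return result;
}

console.log(auditGtmContainers(CONSTRUCTED_HTML, ALLOWED_CONTAINERS));
```

Feed it both the raw HTML the server returns and document.documentElement.outerHTML from DevTools: a container inserted at runtime by another script only shows up in the latter, while a server-side injection shows up in both. Anything in the unknown bucket deserves the same scrutiny as a known-bad ID, since the attacker in this campaign simply registered fresh containers.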
Sucuri researchers analyzed the newer obfuscation methods in the malicious code, examined how Google Tag Manager containers are used in e-commerce malware, and tracked the evolution of the ATMZOW skimmer, which has been linked to numerous Magento website infections since 2015.
The obfuscation in the newly found GTM-TVKQ79ZS container adds further complexity to hide both the domains and the activation conditions.
The ATMZOW layer is especially hard to decode because the decoder depends on the exact length of the script and breaks as soon as any change is made to it, so analysts cannot simply edit or beautify the script before stepping through the decoder.
The generated domain names are assembled from words: the second word is randomly selected from a combination of the two previous types of keywords, and the third word makes the domain name look related to some internet service, e.g., metrics, stats, profiler, insights, analytics, tracker, monitor, tool, etc.
Because the two generated domains are stored locally in the browser, the same browser consistently ends up talking to the same pair of domains.
This technique is intended to keep defenders from quickly identifying and blocking every domain used in the attack, thereby extending the campaign's lifetime.
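As an added example (not ATMZOW's code, nor Sucuri's), the following JavaScript is a defender-side heuristic for the generated domains described above. It relies only on the third-word service keywords the report lists, since the other word lists are not reproduced here, and it scans a Web Storage-like object the way one would inspect window.localStorage in DevTools for the persisted pair of domains. The allowlist of known-good analytics hosts, the .example hostnames and the storage entries are all constructed for the example.

```javascript
// Added example, not ATMZOW's or Sucuri's code: flag hostnames shaped like the
// generated "<words>+<service word>" domains and find any persisted in storage.

// Third-word keywords quoted in the report.
const SERVICE_WORDS = ['metrics', 'stats', 'profiler', 'insights', 'analytics',
                       'tracker', 'monitor', 'tool'];

// Hypothetical allowlist of analytics hosts the site legitimately loads; without it,
// a real host such as www.google-analytics.com would trip the suffix check.
const KNOWN_GOOD_HOSTS = new Set(['www.google-analytics.com', 'www.googletagmanager.com']);

const HOSTNAME_RE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;

// Label just left of the TLD. Assumption: single-label TLD (.com, .net, ...); a full
// public-suffix lookup is out of scope for this example.
function registrableLabel(host) {
  const labels = host.toLowerCase().split('.');
  return labels.length >= 2 ? labels[labels.length - 2] : labels[0];
}

function looksLikeGeneratedServiceDomain(host) {
  if (!HOSTNAME_RE.test(host) || KNOWN_GOOD_HOSTS.has(host.toLowerCase())) return false;
  const label = registrableLabel(host);
  // Generated names end in a service word with at least one more word in front of
  // it, so a bare "analytics.example" or a subdomain like stats.wp.com is not flagged.
  return SERVICE_WORDS.some((w) => label.length > w.length && label.endsWith(w));
}

// Scan anything with the Web Storage shape (length/key/getItem), e.g. window.localStorage.
function findPersistedSuspiciousHosts(storage) {
  const hits = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = String(storage.getItem(key) ?? '');
    // Values may be bare hosts or full URLs; reduce either to a host.
    const host = value.replace(/^https?:\/\//i, '').split(/[\/?#:]/)[0];
    if (looksLikeGeneratedServiceDomain(host)) hits.push({ key, host });
  }
  return hits;
}

// Constructed in-memory stand-in for localStorage.
function makeStorage(entries) {
  const keys = Object.keys(entries);
  return {
    length: keys.length,
    key: (i) => keys[i],
    getItem: (k) => (k in entries ? entries[k] : null),
  };
}

// Constructed sample entries: two values shaped like the described scheme, three benign.
const SAMPLE_STORAGE = makeStorage({
  cart_id: '8f3a2c',
  _ga: 'GA1.2.1234567890.1700000000',
  srv1: 'https://pagemetrics.example/js',
  srv2: 'siteanalytics.example',
  cdn: 'www.googletagmanager.com',
});

console.log(findPersistedSuspiciousHosts(SAMPLE_STORAGE));
```

Run the same check over the hostnames in proxy or DNS logs for the checkout pages; a host that ends in one of these words, is not on your allowlist, and appears only for some browsers (each browser persists its own pair) is exactly the pattern the report describes.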
The hacker also created new containers, GTM-NTV2JTB4 and GTM-MX7L8F2M, with the same malicious script and started reinfecting compromised websites.
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 12 Dec 2023 14:00:25 +0000