Last month, researchers at Akamai reported a Magecart skimming campaign that involved the use of Google Tag Manager (GTM) to hide the skimmer. While the details about the malware were not shared then, researchers at Malwarebytes have uncovered a new instance from the same threat actors.
What’s the matter?
Researchers at Malwarebytes discovered a new skimmer, called Kritec, named after one of the domains it uses to abuse Cloudflare.
In the newest campaign, Kritec malware was found leveraging GTM script to target Magento stores.
In some cases, researchers also observed that some Magento stores were compromised with two skimming malware, including Kritec.
The Kritec skimmer code is heavily obfuscated, mostly via obfuscator[.]io, and additionally relies on Base64 encoding to conceal its content.
Once the malware executes on the website, the stolen credit card details are exfiltrated twice: once via a WebSocket skimmer and once via a POST request.
Infection via GTM becomes a security concern
There have been several Magecart skimmer attacks abusing GTM in one way or another.
In January, the Liquor Control Board of Ontario (LCBO) fell victim to a web-skimming attack that enabled the attackers to steal customers’ credit card information at checkout. The web skimmer was found to have been injected into the site as an inline script camouflaged as a legitimate Google Analytics Tag.
In September 2022, Recorded Future shared details about three significant variants of malicious skimmers hidden within the GTM containers. These e-skimmers were used to collect the payment card data and personal information of customers shopping on e-commerce sites.
A threat campaign that infected about 316 online stores and approximately 80,000 users was identified in January 2022. The attackers exploited GTM to covertly drop their skimming code on store owners’ websites.
Final words
Magecart skimmers are constantly evolving and becoming increasingly sophisticated. Abusing Google Analytics Tags to hide skimmers may not be new, but it remains an effective evasion technique. Therefore, owners and administrators must track the IOCs associated with the Kritec malware to get a broader picture of the attack campaign and prevent similar attempts in the near future.