E-commerce websites are much more popular than they used to be, people tend to shop online more and more often. This leads to the growth of an attack called web skimming. Web skimming is a type of attack on e-commerce websites in which an attacker inserts malicious code into a legitimate website. One of the most targeted e-commerce platforms is
Magento. The reason why
Magento is so popular among attackers is that
Magento is known for many vulnerabilities. However, this doesn’t mean that other platforms aren’t being targeted, for example, sites using WooCommerce have also been victims.
In this posting, we go over what web skimming attacks are and how they work. We then analyze a series of web skimming attacks that we found which were active from
March 2021 to the present. These attacks abused the
Google Tag Manager and mainly targeted sites in
Overview of Web Skimming Attacks
The purpose of the malicious web skimming code is to steal the website’s customers’ payment details. This attack can simply be compared to an attack on physical ATMs, where instead of hardware skimmers, malicious code is used to steal payment card information.
Web skimming is dangerous because the customer often has no chance to know that a website has been compromised. Mostly, the attackers go after small e-commerce websites with poor security, but sometimes even a big e-commerce site can become a victim. In
2018, the British Airways website was infected by a web skimming attack. In
forbesmagazine[.]com was infected, payment details were sent to the
fontsawesome[.]gq. Later in
2020 a big online retailer selling beauty products,
wishtrend[.]com, also became a victim of another web skimming attack. In
2021 another big e-commerce website
store.segway[.]com was infected with a skimming attack.
We observed a webpage (
wishtrend[.]com with more than
1M followers on Facebook) that was infected with web skimming in
2020. Later in
2021, the same website was infected with a phishing attack that imitates a Dropbox login.
How Web Skimming Attacks Work Under the Hood
This code loads additional malicious code from an attacker’s domain, sometimes obfuscated, sometimes not. For the second stage, attackers usually use
typosquatting domains to hide and act as a legitimate service. The malicious code gets the data from all (or in some cases specific) input forms and sends this data to the attacker’s server.
To get the payment details, the attackers use one of the following techniques:
- Stealing payment details directly from the original payment form
- Inserting malicious payment form (used in cases when no form exists)
- Redirecting to a malicious form on another website (can be placed on infected website or also on attacker’s website)
The image below shows an example of a fake payment form in the red box. It is almost impossible to recognize that something is wrong, because on some e-commerce websites the payment form looks exactly the same and is valid. But in this case a little help is in the yellow box that says: “You will be redirected to the Realex website when you place an order. “ It means that if the website states that you will be redirected, then the payment form should not be directly on the e-commerce website and the user should expect to be redirected to the payment gateway (different website) with the form to enter payment details.
There is more than one way the second stage (the part which is responsible for stealing and sending stolen payment details to the attacker) of a web skimming attack can look. In the code snippet below, there is an example. Here the attackers use a
POST request to exfiltrate payment details, but they can also use
GET requests and
Stolen payment details are usually sold on the dark web. These datasets of credit cards that come from web skimming attacks are usually fresh and therefore they are better and can be sold for a higher price than for example data stolen from databases, which can be old in many cases. More information about selling stolen cards can be found in Yonathan Klijnsma’s
Web Skimming using Google Tag Manager
Q3 2021 we discovered a web skimming attack that uses
Google Tag Manager (GTM) as a first stage. First, the infected webpage loads a script from
googletagmanager[.]com/gtm.js?id=gtm-<code> via script injected in the
HTML file shown on the image below.
There is nothing unusual in this behaviour, many websites use
Google Tag Manager and it looks exactly the same (it can be suspicious that the website loads more than one
GTM script though). But if we look closer in the
gtm.js file, we can find suspicious code in it. In the image below there is a comparison between malicious and clean
ganalitis[.]com. This is the feature of
GTM, it is possible to add a custom script (which is then loaded from
We were able to connect (based on our common signature and IP)
ganalitis[.]com with similar domains from the same attacker (data from
The second stage (downloaded from the malicious domain) is a file named
favicon (later renamed to refresh) that contains about
The final stage of malware is downloaded through
HTML file on the infected website.
The code from the yellow box is decoded in the white box. It is a dictionary, the key
E528330211747l contains the form field names that match the input form field names on the infected webpage. The last key contains an exfiltration URL that is encoded in
base64. In the image below is a code from an infected website, we can see that the id of the email field (customer-email) is in the mentioned code.
The missing field names (from fake payment form) are in the variable
a0_0x11ac38. Which is an array and contains the following fields:
The fake payment form embedded on the infected website is shown in the image below. Above is the infected webpage, while below is how the webpage looks normally.
The stolen payment details (including details such as name and address) are sent to the attacker encoded in
In the map below are shown countries with the most affected users. The top is
Argentina, because of
prune[.]com[.]ar. Site was infected with the new malicious domain
The second one is
Saudi Arabia e-commerce website
souqtime[.]com. From RiskIQ data we can see that this e-commerce website was infected over time with at least seven different web skimming domains.
Currently Avast detects the malicious domain
Overall, we can say that the attacker uses
Google Tag Manager to avoid detection. At the same time they were able to change the domains from which the malicious code was loaded over time, he also changed the malicious code itself to hide from detection by antivirus.
Some websites were infected for several months (for example
souqtime[.]com). It can be difficult for users to spot that the site is infected. For example, it is suspicious if the user fills in the payment form on the website itself and is then redirected to another payment form on the payment gateway webpage. But in cases where the payment form is normally present directly on the e-commerce website and the attacker steals payment details from this legitimate form, it is really hard to notice that the website is infected. Therefore we recommend using a second factor (e.g. mobile app or SMS code) to confirm internet payments if the bank supports it.
Website owners should keep software updated, monitor logs for any suspicious activity, use strong passwords and also use Web Application Firewall.
IOC malicious domains: