In a recent revelation, Magecart Veteran ATMZOW has unearthed 40 new domains within the realms of Google Tag Manager (GTM), shedding light on the evolving tactics employed by cybercriminals. This development has raised concerns within the cybersecurity community, given the widespread usage of GTM and its potential as a gateway for hackers to infiltrate websites with malicious code. In this article, we delve into the significance of GTM for hackers, analyze the novel obfuscation methods employed by the malicious code, examine the usage of GTM containers in e-commerce malware, track the development of the notorious ATMZOW skimmer, discuss the increased complexity in obfuscation techniques, review the list of newly registered domains, explore the technique used to extend the campaign’s duration, and highlight the creation of new containers and subsequent reinfection of compromised websites.
Importance of Google Tag Manager for Hackers
Google Tag Manager has become an attractive target for cybercriminals due to its extensive usage across millions of websites. Its integration enables hackers to insert HTML code and custom scripts through a script derived from the reputable domain, googletagmanager[.]com. This, in turn, grants them unauthorized access, putting the security of countless websites at risk.
Analysis of New Obfuscation Methods
Researchers at Sucuri have closely analyzed the evolving obfuscation methods employed by the malicious code injected via GTM. By employing newer techniques of obfuscation, hackers strive to mask their activities and evade detection by security mechanisms. The comprehensive examination of these methods serves as a key component in understanding and combating such attacks.
Examination of GTM Containers in E-commerce Malware
The potential use of GTM containers in e-commerce malware has sparked concerns within the cybersecurity landscape. By leveraging the trusted framework of GTM, cybercriminals can compromise payment gateways and siphon sensitive financial data. Understanding this modus operandi is crucial in strengthening the security measures employed by online retailers and safeguarding consumer information.
Tracking the Development of ATMZOW Skimmer
The notorious ATMZOW skimmer, responsible for several Magento website infections since 2015, has been an ongoing concern for businesses operating in the e-commerce space. The skimmer, intricately linked to Magecart campaigns, has constantly evolved and adapted over the years, highlighting the importance of tracking its development to stay one step ahead of cyber adversaries.
Increased Complexity in Obfuscation Techniques
The newly discovered GTM-TVKQ79ZS container has introduced additional layers of complexity to its obfuscation techniques. This heightened sophistication enables the concealment of all associated domains and activation conditions, making it increasingly challenging for security analysts to identify and mitigate the threat effectively. Emphasizing the need for robust security measures, this development compels cybersecurity professionals to stay attuned to the evolving tactics of cybercriminals.
List of 40 Newly Registered Domains
As part of their strategy to fly under the radar, the hacker behind the ATMZOW skimmer has meticulously registered 40 new domains. These domains serve as an additional layer in their skimming process, exploiting the unsuspecting nature of users and extending the duration of their malicious campaign. By utilizing a combination of three English words with specific patterns, the attacker successfully evades rapid identification and blockage of each individual domain.
Technique to Extend Campaign Duration
By employing the aforementioned pattern-based domain names, the hacker inadvertently extends the campaign’s duration. The deliberate avoidance of predictable domain patterns not only hampers the ability to swiftly block all malicious domains but also increases the chances of a prolonged compromise. This technique frustrates efforts to disrupt the attacker’s activities and underscores the need to remain vigilant in the ever-changing threat landscape.
Creation of New Containers and Reinfection
The threat actor responsible for the ATMZOW skimmer continues to refine their approach. This time, they have created two new containers – GTM-NTV2JTB4 and GTM-MX7L8F2M – embedding the same malicious script. With these containers, the attacker aims to reinfect compromised websites, further amplifying the potential damage caused by their skimming operation. This cycle of reinfection poses significant challenges to the victims, necessitating swift remediation and heightened security measures.
The discovery of 40 new domains within Google Tag Manager by Magecart Veteran ATMZOW raises concerns about the ever-evolving techniques employed by cybercriminals. The usage of GTM as a means to inject malicious code and scripts highlights the need for increased vigilance and robust security measures. With an in-depth analysis of obfuscation methods, examination of GTM containers in e-commerce malware, tracking of the ATMZOW skimmer’s development, and exploration of various tactics employed by the hacker, businesses and individuals can better equip themselves to mitigate the risks and protect their online assets. As cyber threats continue to evolve, it is imperative to stay informed and proactive in countering these malicious activities.