Compromised online stores have been injected with skimmers hiding around the Google Tag Manager script. We identified a new one that looked similar at first but is part of a different campaign.
Threat actors often compete for the same resources, and this couldn’t be further from the truth when it comes to website compromises. After all, if a vulnerability exists, one can expect that it will be exploited more than once.
In the past, we have seen such occurrences with Magecart threat actors for example, in the breach of the Umbro website. Recently, while reading a blog post from security vendor Akamai, we spotted a similar situation. In the listed indicators of compromise, we noticed domains that we had seen used in a distinct skimming campaign which didn’t seem to be documented yet.
In fact, we saw instances of compromised stores having both skimmers loaded, which means double trouble for victims as their credit card information is stolen not just once but twice. In this blog post, we show how the newly found Kritec skimmer was found alongside one of its competitors.
Original campaign using WebSockets
Researchers at Akamai reported on a Magecart skimmer campaign disguised as Google Tag Manager that also made the news with the compromise of one of Canada’s largest liquor store (LCBO). While details were not shared at the time, we were able to determine, thanks to an archived crawl on urlscan.io, that the skimmer was using WebSockets and is the same one as described in Akamai’s blog.
Kritec campaign
Akamai notes that they identified multiple compromised websites that had similarities. They also list nebiltech[.]shop in their IOCs which is a domain we sometimes saw injected near the Google Tag Manager script, but not within it.
We believe this is a different campaign and threat actor altogether. Here are some reasons why:
- No WebSocket is being used
- Domains abusing Cloudflare
- Intermediary loader
- Completely different skimming code
To complicate things, we observed some stores that had both skimmers at the same time, which is another reason why we believe they are not related:
We started calling this new skimmer ‘Kritec’ after one of its domain names. It has an interesting way of loading the malicious JavaScript we had not seen before either. The injected code calls out a first domain (seen above encoded in Base64) and generates a Base64 response:
Decoding it reveals a URL pointing to the actual skimming code, which is heavily obfuscated (likely via obfuscator.io):
The data exfiltration is also done differently, as seen in the image below. On the left, the stolen credit card data is sent via a WebSocket skimmer, while on the right, it is a POST request:
Google Tag Manager variants
In the past months there have been several Magecart skimmers abusing Google Tag Manager in one way or another. We mentioned Akamai’s blog, but it was also documented by Recorded Future. In those instances, the malicious was actually embedded in the Google Tag Manager library itself, which is very clever and difficult to detect.
While the Kritec skimmer hangs around the Google Tag Manager script, we believe it is not related to the other active campaigns. We have been documenting it recently and are reporting the abuse to Cloudflare, which it uses to hide its real infrastructure.
Malwarebytes customers are shielded against this campaign via our web protection in Endpoint Protection (EP), Endpoint Detection and Response (EDR) and Malwarebytes Premium.
