NEXT LEVEL ATTACK: SEVERAL GTMS WORKING IN SYNC, CSS AND DOM EXPLOITED
A sophisticated attack leveraging coordinated Google Tag Managers, CSS obfuscation, and DOM-based execution to deploy counterfeit payment forms and exfiltrate data via WebSocket
The Source Defense Research Intelligence team has uncovered a sophisticated cyberattack targeting e-commerce websites globally. While prior reports have noted the growing trend of nested Google Tag Managers (GTMs) injecting malicious scripts, this is the first documented case of multiple GTMs working in tandem—one dedicated to loading the payload and another executing it.
The attack also hides its malicious JavaScript inside CSS, embedding it in what appears to be a legitimate styling asset, so a reviewer or scanner that looks only at script resources sees nothing unusual. Rather than being fetched as an ordinary script file, the code is activated through the Document Object Model (DOM), a path for script execution that most client-side monitoring does not watch.
Once running, it presents the shopper with a counterfeit payment form in a "double form" arrangement: a fake form that closely mimics the site's real one, so the victim enters payment details into the attacker's form without noticing. The captured data is then exfiltrated over a WebSocket connection. After the connection has been upgraded from HTTP, the stolen data travels as WebSocket frames rather than as discrete HTTP requests, so tools that only inspect form, XHR or fetch POST bodies never see it.
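The following is an added example, not Source Defense's code and not the attacker's script. It shows two checks a site owner could run against the behaviours described above: a heuristic scan of stylesheet text for JavaScript that has no business being in CSS, and a wrapper around the page's WebSocket constructor that refuses connections to origins not on an allow-list. The sample CSS, the allow-listed origins, the stub socket and the heuristic patterns are all constructed for illustration; a real deployment would tune the patterns against the site's own assets and report blocks to a backend rather than to a callback.

```javascript
// Added example: two client-side checks for the behaviours described above.
// Not Source Defense's code and not the attacker's script; the sample CSS,
// the allow-listed origins and the heuristic patterns are constructed.

// Heuristics for JavaScript smuggled into stylesheet text. Plain CSS has no
// reason to contain calls such as atob( or a function body inside a comment.
const CSS_SCRIPT_PATTERNS = [
  { name: 'js-api-call',
    re: /\b(eval|atob|Function|setTimeout|document\.write|createElement|appendChild|WebSocket)\s*\(/ },
  { name: 'code-in-comment',
    re: /\/\*[\s\S]*?(function\s*\(|=>|<script)[\s\S]*?\*\// },
  // Long base64 runs outside url() may be an encoded payload; url(data:...)
  // images are stripped first because they are a common legitimate use.
  { name: 'long-base64-run', re: /[A-Za-z0-9+\/]{64,}={0,2}/ },
];

// Returns one finding per matching pattern: { pattern, sample }.
function scanCssForScript(cssText) {
  const stripped = cssText.replace(/url\([^)]*\)/g, 'url()');
  const findings = [];
  for (const { name, re } of CSS_SCRIPT_PATTERNS) {
    const m = stripped.match(re);
    if (m) findings.push({ pattern: name, sample: m[0].slice(0, 60) });
  }
  return findings;
}

// Constructed sample inputs (not captured from the real attack).
const SAMPLE_BENIGN_CSS = `
.btn { color: #fff; background: #0a5; }
.logo { background: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==); }
`;
const SAMPLE_SUSPICIOUS_CSS = SAMPLE_BENIGN_CSS + `
/* (function(){ var s = atob("Y29uc3RydWN0ZWQ="); })() */
`;

// Wrap the global WebSocket constructor so only allow-listed origins can be
// opened. `root` is the global object (window in a browser); passing it in
// keeps the function testable outside a browser. Returns false if there is
// no WebSocket to wrap.
function installWebSocketGuard(root, allowedOrigins, onBlock) {
  const Native = root.WebSocket;
  if (typeof Native !== 'function') return false;
  const base = root.location && root.location.href;

  function GuardedWebSocket(url, protocols) {
    let origin;
    try {
      origin = new URL(String(url), base).origin;
    } catch (e) {
      origin = 'invalid-url';
    }
    if (!allowedOrigins.includes(origin)) {
      onBlock({ url: String(url), origin });
      throw new Error('WebSocket to unapproved origin blocked: ' + origin);
    }
    return protocols === undefined ? new Native(url) : new Native(url, protocols);
  }
  GuardedWebSocket.prototype = Native.prototype; // keep instanceof working
  for (const k of ['CONNECTING', 'OPEN', 'CLOSING', 'CLOSED']) {
    if (k in Native) GuardedWebSocket[k] = Native[k];
  }
  root.WebSocket = GuardedWebSocket;
  return true;
}

// Stand-alone demonstration with a stub socket standing in for the browser's.
function demo() {
  const blocked = [];
  const root = {
    location: { href: 'https://shop.example/checkout' },
    WebSocket: function StubSocket(url) { this.url = String(url); },
  };
  installWebSocketGuard(root, ['wss://support.shop.example'], (e) => blocked.push(e));
  try { new root.WebSocket('wss://exfil.example/collect'); } catch (e) { /* expected */ }
  return { cssFindings: scanCssForScript(SAMPLE_SUSPICIOUS_CSS), blocked };
}

console.log(JSON.stringify(demo(), null, 2));
```

The guard must be installed before any third-party tag (including GTM) runs, otherwise a script can capture the native constructor first; in practice that means an inline script at the top of the document or a Content Security Policy `connect-src` directive, which the browser enforces regardless of script order. The CSS scan is a review-time heuristic, not a runtime control, and its patterns will need adjusting for sites that legitimately embed long base64 data outside `url()`.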
This multi-layered approach reflects a new level of technical finesse in client-side threats and reinforces the urgent need for proactive security solutions beyond conventional controls.
Keep in mind that protecting your checkout pages isn’t enough. This attack can be launched from seemingly innocuous pages, dynamically injecting a fully forged payment interface.
Attack details
A step-by-step description of the attack can be found in the newly posted blog: New Breed of Magecart: GTMs Working Together, JavaScript Hidden in CSS.
The image below highlights the multiple GTMs, the CSS hiding the malicious code and its execution.