A new Magecart campaign is abusing Google Tag Manager and Stripe's API infrastructure to host a credit card skimmer and hide stolen checkout data from defenses. Sansec says the attack targets Magento/Adobe Commerce stores, with variants also using Google Firestore to blend in with legitimate payment traffic. #Magecart #Sansec #GoogleTagManager #Stripe #AdobeCommerce #GoogleFirestore
Key points
- The skimmer is loaded from a Google Tag Manager container and runs on every page that includes it.
- api.stripe.com is used to move both the payload and stolen card data.
- The attack bypasses Content Security Policy and network filters because Stripe domains are trusted by default.
- The malware targets Magento/Adobe Commerce checkout pages and steals payment and contact details.
- Sansec found a variant that uses Google Firestore to store and retrieve the payload and stolen data.
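The Content Security Policy point above can be checked against a store's own header. The following is an added example, not code from Sansec or the original page: it parses a CSP value and reports which source expression lets the browser reach each service named in the report. The hostnames `www.googletagmanager.com` and `firestore.googleapis.com` and the sample policy are assumptions; only `api.stripe.com` is given on the page.

```javascript
// Services from the report mapped to the CSP directive that governs them.
// Only api.stripe.com is spelled out on the page; the other two hostnames
// are assumed for the named services.
const CAMPAIGN_HOSTS = [
  { host: "www.googletagmanager.com", directive: "script-src" },
  { host: "api.stripe.com", directive: "connect-src" },
  { host: "firestore.googleapis.com", directive: "connect-src" },
];

// Parse a CSP header value into { directive: [sources...] }.
// A repeated directive is ignored; the first occurrence wins.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// True if one source expression allows an https request to `host`.
function sourceAllows(source, host) {
  const s = source.toLowerCase();
  if (s === "*" || s === "https:") return true;
  // Quoted keywords ('self', 'none', nonces) and other bare schemes (data:, wss:)
  if (s.startsWith("'") || /^[a-z][a-z0-9+.-]*:$/.test(s)) return false;
  const pattern = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, "").split("/")[0].split(":")[0];
  return pattern.startsWith("*.") ? host.endsWith(pattern.slice(1)) : pattern === host;
}

// Return one finding per campaign host that the policy lets the page reach.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const { host, directive } of CAMPAIGN_HOSTS) {
    const used = directive in policy ? directive : "default-src"; // CSP fallback
    const sources = policy[used];
    if (sources === undefined) {
      findings.push({ host, directive, via: "(no restriction)" });
      continue;
    }
    const via = sources.find((src) => sourceAllows(src, host));
    if (via) findings.push({ host, directive: used, via });
  }
  return findings;
}

// Constructed sample policy of the kind a store using GTM and Stripe might send.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://www.googletagmanager.com https://js.stripe.com; connect-src 'self' https://api.stripe.com; frame-src https://js.stripe.com";
console.log(auditCsp(SAMPLE_CSP));
```

A finding is not evidence of compromise. It shows that a host-based allow-list cannot tell the store's own Tag Manager container and Stripe calls apart from the skimmer's, so the container's contents need review as well.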