by Source Defense
Attack Uses Google Tag Manager for Delivery and Google Analytics for Data Exfiltration
Source Defense research has uncovered an active, highly sophisticated digital skimming attack targeting the e-commerce environments of more than 10 major U.S. automotive brands. What makes this campaign particularly dangerous is not just its scale but its abuse of trusted infrastructure. Attackers are using Google Tag Manager (GTM) to distribute malicious payloads and Google Analytics (GA4) to exfiltrate stolen payment data, bypassing traditional security controls and effectively hiding in plain sight.
This is not theoretical. It is active, dynamic, and difficult to detect using traditional approaches. A summary of the findings along with technical details aimed at aiding merchants in detection is provided below:
A New Level of “Living Off the Land” eSkimming
At its core, this campaign leverages a shared GTM container embedded across multiple related e-commerce storefronts. By compromising or abusing this single distribution point, attackers gain scalable access across multiple brands simultaneously.
Once deployed, the malicious code activates specifically during checkout interactions – targeting the exact moment when consumers enter payment data. It harvests:
- Card number, expiration date, CVV
- Cardholder name and billing details
- Email, phone number, and address
The data is then obfuscated, split into multiple payload fragments, and transmitted – not to a suspicious external domain but to Google Analytics’ legitimate collection endpoint.
This “living off the land” technique fundamentally changes the detection challenge. Security tools and policies that rely on domain reputation or allowlists will see nothing unusual because both GTM and Google Analytics are trusted, business-critical services.
Increasing Sophistication in Digital Skimming Attacks
This campaign further demonstrates a trend Source Defense has been warning about: an increase in adversarial sophistication. It exhibits capabilities consistent with the most advanced digital skimming (aka eSkimming) operations observed in recent years:
- Checkout-specific triggering: Executes only at the point of payment submission
- Payload obfuscation: XOR encoding and Base64 fragmentation hide sensitive data
- Trusted infrastructure abuse: Uses Google services for both delivery and exfiltration
- Centralized control: A single GTM container enables cross-site compromise
In addition, attackers are employing dynamic evasion techniques:
- Random activation affecting only a subset of users
- One-time execution based on cookies or IP
- Time-based triggers (minutes or hours)
- Rapid injection and removal of malicious code
These behaviors make traditional scanning unreliable. In many observed cases, attacks could not be reproduced during subsequent scans even while active compromise persisted.
This aligns with broader industry findings: attackers increasingly exploit third-party scripts and trusted services to steal data at the point of input, where visibility is lowest and impact is highest.
Google Tag Manager: A Force Multiplier for Attackers
Google Tag Manager plays a critical role in this campaign. By design, GTM allows remote configuration of scripts using triggers, variables, and conditional logic. In the wrong hands, this becomes a powerful attack orchestration tool.
Attackers can:
- Dynamically control when malicious code executes
- Target specific users or sessions
- Modify or remove payloads instantly
- Avoid direct changes to the website codebase
This is not an isolated pattern. Source Defense research shows GTM is now one of the most commonly abused vectors in modern digital skimming/eSkimming attacks, appearing in a significant portion of campaigns due to its flexibility and trust level.
Why CSP Fails Against This Type of Attack
This campaign is a clear, real-world example of the limitations of Content Security Policy (CSP). CSP is fundamentally a static, allowlist-based control. It determines which domains scripts can load from but it does not control what those scripts actually do at runtime.
In this case:
- The malicious payload is delivered via Google Tag Manager (trusted)
- The stolen data is sent to Google Analytics (trusted)
From a CSP perspective, everything is allowed.
This highlights a critical gap:
CSP cannot prevent malicious behavior from trusted sources. It should NOT be relied upon as an effective tool against digital skimming attacks.
Industry analysis has consistently shown that CSP and SRI struggle in dynamic environments, particularly where third- and fourth-party scripts are involved. They are static defenses applied to a highly dynamic threat landscape.
As attackers increasingly weaponize trusted services and legitimate infrastructure, reliance on CSP alone creates a dangerous false sense of security.
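To make the point above concrete, here is an added example (not code from Source Defense or the original post) that evaluates a CSP against the two network steps of this campaign: loading gtm.js under script-src and posting to the GA4 collection endpoint under connect-src. It implements CSP host-source matching in simplified form (scheme, exact host, leading "*." wildcard, 'self', 'none', '*', and fallback to default-src); ports, paths, nonces and hashes are ignored. The page origin https://shop.example and the POLICY string are constructed as a typical allowlist for a storefront that runs GTM and GA4; the two URLs are the ones listed in the technical details.

```javascript
// Added example (not from Source Defense's write-up): does a given CSP allow the
// loader and exfiltration URLs named in this campaign?
// Simplifications/assumptions: host-source matching handles scheme, exact host,
// leading "*." wildcard, 'self', 'none' and '*'; ports, paths, nonces and hashes
// are ignored; PAGE_ORIGIN and POLICY are constructed for illustration.

const PAGE_ORIGIN = "https://shop.example";

// A typical allowlist for a storefront that runs GTM and GA4 (constructed).
const POLICY = [
  "default-src 'self'",
  "script-src 'self' https://www.googletagmanager.com",
  "connect-src 'self' https://www.google-analytics.com https://*.google-analytics.com",
  "img-src 'self' https://www.google-analytics.com",
].join("; ");

// URLs from the technical details section.
const LOADER_URL = "https://www.googletagmanager.com/gtm.js?id=GTM-MX8L362L";
const EXFIL_URL = "https://www.google-analytics.com/g/collect";

function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1)); // *.x.com never matches x.com itself
  return pattern === host;
}

function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === pageOrigin;
  if (e === "*") return true;
  if (e.endsWith(":")) return url.protocol === e;   // scheme-source such as https:
  if (e.startsWith("'")) return false;               // 'nonce-...', 'sha256-...', 'unsafe-inline' never match a URL
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/); // [scheme://]host
  if (!m) return false;
  if (m[1] && `${m[1]}:` !== url.protocol) return false;
  return hostMatches(m[2], url.hostname);
}

// Returns true when the policy permits `urlString` under `directive`, falling
// back to default-src as browsers do when the directive is absent.
function cspAllows(policy, directive, urlString, pageOrigin = PAGE_ORIGIN) {
  const d = parseCsp(policy);
  const sources = d[directive] ?? d["default-src"];
  if (!sources) return true; // nothing applies: CSP imposes no restriction
  const url = new URL(urlString);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// The campaign's two network steps evaluated against the policy.
function campaignAllowedBy(policy = POLICY) {
  return {
    loader: cspAllows(policy, "script-src", LOADER_URL),
    exfil: cspAllows(policy, "connect-src", EXFIL_URL),
  };
}

console.log(campaignAllowedBy()); // { loader: true, exfil: true }
```

Both steps pass because the policy has to allow exactly these hosts for legitimate tagging and analytics to work. Note also that GTM custom JavaScript variables execute inside gtm.js itself, so they need no additional script-src entry of their own; tightening script-src to a nonce does not change the result.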
Implications for Merchants and Acquirers
For merchants and merchant acquirers, this campaign reinforces several urgent realities:
- The attack surface is the webpage, not the server: sensitive data is being stolen before it ever reaches secure backend systems.
- Trusted services are the threat model: analytics, tag managers, and other third-party tools can be abused without triggering traditional defenses.
- Compliance does not equal protection: static controls may satisfy requirements on paper but fail against real-world attack techniques.
- Intermittent attacks are still active attacks: failure to reproduce malicious behavior does not indicate absence of compromise.
PCI DSS 4.0.1 explicitly addresses these risks through requirements 6.4.3 and 11.6.1, mandating script control, integrity, and monitoring across payment pages and flows. However, the standard currently falls short of what the industry needs, given its limited scope (payment pages only, while these attacks occur site-wide) and its reference to CSP and SRI as potential controls (which will not stop these attacks). More needs to be done to close the digital skimming gap, with an emphasis on site-wide protection and behavioral controls that assess script activity at runtime.
A Broader Industry Signal
This campaign is not just another breach – it is a signal.
Attackers are evolving faster than traditional defenses. They are:
- Exploiting the digital supply chain
- Abusing trusted infrastructure
- Operating with precision targeting and evasion
Source Defense, as a pioneer in client-side security, a PCI Board of Advisors member and a Principal Participating Organization within the PCI ecosystem, continues to observe and document these shifts firsthand. Our research – along with our collaboration with Mastercard and the PCI community – highlights a consistent theme:
Data is now being stolen at the point of input, and the controls designed for a previous generation of threats are no longer sufficient.
Technical Details of this Campaign
Threat Infrastructure
The attacker relies almost entirely on trusted Google infrastructure, significantly increasing the likelihood of bypassing allowlist-based security controls.
Initial Vector / Loader
https://www.googletagmanager.com/gtm.js?id=GTM-MX8L362L
Exfiltration Endpoint
https://www.google-analytics.com/g/collect
Attacker GA4 Measurement ID
G-7DTFFTL7Y8
Malicious GA4 Event
ga4_event
Malicious Payload Parameters
ep.fields_p1
ep.fields_p2
ep.fields_p3
The malicious GTM container includes a GA4 event tag configured to send custom parameters named fields_p1, fields_p2, and fields_p3. These parameters are populated by custom JavaScript variables (GTM's legacy term is "macros"), not by legitimate analytics functionality.
Attack Chain & Technical Analysis
Phase I: GTM-Based Campaign Distribution
The malicious logic is distributed through a shared Google Tag Manager container:
GTM-MX8L362L
Because the same container is present across multiple related storefronts, the attacker gained a scalable infection point. A single malicious GTM configuration allowed the skimmer to operate across more than 10 of the largest U.S. car manufacturers' checkout flows.
This indicates either:
- Unauthorized access to a shared GTM workspace, or
- Abuse of a legitimate GTM deployment controlled centrally across the owner’s e-commerce properties.
Phase II: Checkout-Specific Triggering
The GTM container includes logic that activates on checkout interaction. Evidence shows targeting of the Authorize.Net CIM submit flow through the following element selectors:
authnetcim-submit, #authnetcim-submit *
This means the skimmer is designed to trigger at the moment when the user is likely to have completed the payment form.
The attack is not a generic page-load beacon. It is tied to checkout behavior and captures high-value payment data only at the point of submission.
Phase III: Payment and PII Harvesting
The malicious GTM macro targets sensitive checkout fields, including:
- Credit card number
- Expiration month
- Expiration year
- CVV / CID
- First name
- Last name
- Street address
- Postal code
- Region / state
- City
- Country
- Telephone
- Customer email
The original GTM payload includes selectors for Authorize.Net CIM fields, including:
- #authnetcim-cc-number
- #authnetcim-cc-exp-month
- #authnetcim-cc-exp-year
- #authnetcim-cc-cid
This confirms that the attacker tailored the skimmer to the checkout implementation rather than deploying a generic form grabber.
Phase IV: Obfuscation and Payload Fragmentation
The skimmer collects values from the targeted fields, joins them into a pipe-delimited string, and applies a custom XOR routine using the key:
5d7845ac6ee7cfffafc5fe5f35cf666d
The resulting payload is Base64-encoded and split into three GA4 event parameters:
- First segment: fields_p1
- Second segment: fields_p2
- Third segment: fields_p3
The GTM container includes three separate JavaScript macros that return substrings of the encoded payload.
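The following is an added example, not Source Defense's code and not the skimmer itself. It reproduces the transform Phase IV describes (pipe-join, XOR with the quoted key, Base64, split into three parameters) so that the reverse direction, the decoder an analyst needs to see exactly what left the page in a captured ep.fields_p1..p3 triple, can be checked against it. Two details the write-up does not specify are assumptions here: the key is applied as the ASCII bytes of the 32-character string, repeating over the plaintext, and the Base64 string is cut into three pieces of near-equal length. SAMPLE_FIELDS is constructed test data (4111 1111 1111 1111 is a well-known test PAN).

```javascript
// Added example, not Source Defense's code: encoder and decoder for the Phase IV
// scheme. Assumptions: XOR key used as repeating ASCII bytes; Base64 output
// split into three near-equal pieces. SAMPLE_FIELDS is constructed test data.

const XOR_KEY = "5d7845ac6ee7cfffafc5fe5f35cf666d"; // key quoted in the write-up

function xorBytes(buf, key) {
  const k = Buffer.from(key, "utf8");
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ k[i % k.length];
  return out;
}

function splitInto(str, parts) {
  const size = Math.ceil(str.length / parts);
  return Array.from({ length: parts }, (_, i) => str.slice(i * size, (i + 1) * size));
}

// Skimmer-side direction: field values -> { fields_p1, fields_p2, fields_p3 }.
function obfuscate(fields, key = XOR_KEY) {
  const joined = fields.join("|");
  const b64 = xorBytes(Buffer.from(joined, "utf8"), key).toString("base64");
  const [fields_p1, fields_p2, fields_p3] = splitInto(b64, 3);
  return { fields_p1, fields_p2, fields_p3 };
}

// Analyst-side direction: reassemble the fragments and recover the field list.
function deobfuscate(params, key = XOR_KEY) {
  const b64 = ["fields_p1", "fields_p2", "fields_p3"].map((k) => params[k] || "").join("");
  return xorBytes(Buffer.from(b64, "base64"), key).toString("utf8").split("|");
}

// Convenience for a captured request: pull ep.fields_p* straight from a
// /g/collect URL as found in a HAR export or a cURL reproduction.
function decodeCollectUrl(urlString, key = XOR_KEY) {
  const q = new URL(urlString).searchParams;
  const params = {};
  for (const name of ["fields_p1", "fields_p2", "fields_p3"]) params[name] = q.get(`ep.${name}`) || "";
  return deobfuscate(params, key);
}

// Constructed sample in the field order listed under Phase III.
const SAMPLE_FIELDS = [
  "4111111111111111", "12", "2027", "123", "Jane", "Doe",
  "1 Main St", "10001", "NY", "New York", "US", "2125550100", "jane@example.com",
];

// Build a request shaped like the Phase V exfiltration and decode it again.
function demo() {
  const params = obfuscate(SAMPLE_FIELDS);
  const u = new URL("https://www.google-analytics.com/g/collect");
  u.searchParams.set("v", "2");
  u.searchParams.set("tid", "G-7DTFFTL7Y8");
  u.searchParams.set("en", "ga4_event");
  for (const [k, v] of Object.entries(params)) u.searchParams.set(`ep.${k}`, v);
  return { request: u.toString(), recovered: decodeCollectUrl(u.toString()) };
}

console.log(demo());
```

If a real capture does not decode to readable pipe-delimited text, the first things to vary are the two assumptions above (key bytes interpreted as hex rather than ASCII, or a different split rule); the XOR step itself is symmetric, so a wrong key shows up immediately as garbage rather than as a partial result.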
Phase V: Exfiltration Through Google Analytics 4
The final exfiltration request is a POST to:
https://www.google-analytics.com/g/collect
The event is sent to:
tid=G-7DTFFTL7Y8
The event name is:
en=ga4_event
The stolen data is carried in:
ep.fields_p1
ep.fields_p2
ep.fields_p3
All six cURL captures obtained from the observed compromised websites follow this pattern.
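Because the page's stated aim is to help merchants detect this activity, here is an added example (not Source Defense's code) of the checks that can be run over GA4 Measurement Protocol requests, whether taken from a HAR export, a proxy log, or an in-page hook: a /g/collect hit addressed to a measurement ID that is not the merchant's own, the event name ga4_event, and any ep.fields_p* parameter, plus a looser heuristic for Base64-looking event parameter values. The allowlisted ID G-EXAMPLE1 and both sample requests are constructed; the suspect one mirrors the indicators listed above with placeholder fragment values. monitorSendBeacon takes its target as an argument so the same code can be exercised against a stub outside a browser.

```javascript
// Added example, not code from Source Defense: detection logic for the Phase V
// exfiltration pattern. ALLOWED_TIDS, the sample requests and the fragment
// values are constructed; the suspect request mirrors the published indicators.

const ALLOWED_TIDS = new Set(["G-EXAMPLE1"]); // assumption: the merchant's own GA4 IDs
const GA_HOST = /(^|\.)google-analytics\.com$/;

// GA4 sends one event in the query string, or several as newline-separated
// form-encoded lines in the POST body that inherit the query-string fields.
function ga4Events(url, body = "") {
  const u = new URL(url);
  if (!GA_HOST.test(u.hostname) || !u.pathname.endsWith("/g/collect")) return [];
  const shared = Object.fromEntries(u.searchParams);
  const lines = body.split(/\r?\n/).filter(Boolean);
  if (lines.length === 0) return [shared];
  return lines.map((l) => ({ ...shared, ...Object.fromEntries(new URLSearchParams(l)) }));
}

const looksEncoded = (v) => v.length >= 24 && /^[A-Za-z0-9+/=]+$/.test(v);

// Returns a list of human-readable findings; empty means nothing suspicious.
function inspectGa4Request(url, body = "") {
  const findings = [];
  for (const ev of ga4Events(url, body)) {
    if (ev.tid && !ALLOWED_TIDS.has(ev.tid)) findings.push(`unknown measurement id ${ev.tid}`);
    if (ev.en === "ga4_event") findings.push('event name "ga4_event" matches campaign indicator');
    for (const [k, v] of Object.entries(ev)) {
      if (k.startsWith("ep.fields_p")) findings.push(`campaign parameter ${k}`);
      else if (k.startsWith("ep.") && looksEncoded(v)) findings.push(`base64-like value in ${k}`);
    }
  }
  return findings;
}

// Runtime hook: wrap navigator.sendBeacon (a transport GA4 uses) so a suspicious
// hit is reported before it leaves the page. Blocking instead of reporting is a
// one-line change (return false without calling `original`).
function monitorSendBeacon(target, report) {
  const original = target.sendBeacon.bind(target);
  target.sendBeacon = function (url, data) {
    const body = typeof data === "string" ? data : "";
    const findings = inspectGa4Request(String(url), body);
    if (findings.length) report(String(url), findings);
    return original(url, data);
  };
}

// Constructed samples: a normal page_view from the merchant's own property, and
// a request shaped like the campaign's exfiltration (placeholder fragments).
const SAMPLE_BENIGN =
  "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE1&cid=1.2&en=page_view&dl=https%3A%2F%2Fshop.example%2Fcheckout";
const SAMPLE_SUSPECT =
  "https://www.google-analytics.com/g/collect?v=2&tid=G-7DTFFTL7Y8&cid=1.2&en=ga4_event&ep.fields_p1=Ym9n&ep.fields_p2=dXNk&ep.fields_p3=YXRh";

function demo() {
  return { benign: inspectGa4Request(SAMPLE_BENIGN), suspect: inspectGa4Request(SAMPLE_SUSPECT) };
}

console.log(demo());
```

The measurement-ID check is the durable one: the event name and parameter names are trivially renamed by the attacker, but data can only be read back from a GA4 property the attacker controls, so any tid outside the merchant's own set on a checkout page is worth an alert regardless of how the payload is labelled.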
Final Takeaway
If your current approach to digital skimming/eSkimming defense relies primarily on CSP or other static controls, this campaign should be a wake-up call.
When attackers can:
- Deliver malware through trusted services
- Exfiltrate data through trusted endpoints
- Dynamically evade detection
…the question is no longer whether your defenses are configured correctly. It is whether they are designed for the reality of modern attacks.