SecurityWeek.com published a piece on hackers abusing Google Tag Manager by injecting HTML or JavaScript code into websites using GTM. These were all ecommerce websites
From the article:
A legitimate Google service typically used for marketing and usage tracking, GTM relies on containers for embedding JavaScript and other types of resources into websites, and cybercriminals are abusing GTM containers to have HTML or JavaScript code injected into the websites that use Google’s service.
“In most contemporary cases, the threat actors themselves create the GTM containers and then inject the GTM loader script configuration needed to load them into the e-commerce domains (as opposed to injecting malicious code into existing GTM containers that were created by the e-commerce website administrators),” Recorded Future notes.
All of the 569 ecommerce platforms infected with skimmers were associated in one way or the other with GTM abuse. While 314 have been infected with a GTM-based skimmer, data from the remaining 255 has been exfiltrated to domains associated with GTM container abuse.
Read the full story on Security Week