How I got millions of credit card details using agencies’ Google Tag Manager (GTM) accounts
If you’ve been around this blog before you might know that I know a thing or two about Google Tag Manager (GTM), the convenient tool that lets you run marketing and analytics scripts on your website. What you might not know is that I’m also a father of two young children, and I can tell you, kids are expensive! So, obviously, on sleepless nights, one starts to ponder all the ways to make a quick buck on the side: “How to use one’s knowledge of the interwebs to create a nice college fund for the kids?”
As a digital native who started his life downloading mp3’s from Napster —allegedly—, the law is not something I associate with the internet. The internet is a place where there is still true freedom: the freedom to make millions at the expense of the common man —again, allegedly. With my engineering mindset, I also consider it my duty to not just make a quick buck. No, it is an engineer’s duty to optimise. So the question becomes: how do we leverage GTM to make as much money as humanly possible at the expense of dumb suckers?
The concept is actually quite easy: GTM is used to inject marketing scripts like trackers from Google and Facebook which are especially useful on pages where people “convert”, i.e. they buy something. Instead of those trackers, why not add our own tracker that sends data back to a server we control and track just a teeny weeny bit more than Facebook and Google. For example keystrokes are very handy to track, especially on fields that have labels like “credit card number”. Although, to be fair, you can also get a decent deal on the black market for a couple of million ‘fullz’ —that is full details like home address, email address, passwords, etc.— even without the credit card. I did consider injecting the Coinhive javascript cryptominer, but you know, I have a bit of a boomer-mentality on crypto so I’ll stick with what I know: credit cards.
Accessing multiple GTM containers with one account
But how do you add your tracker to a website via someone else’s Google Tag Manager account? Isn’t that secured? Well yes, but the question is: how secure? My first line of thought was to use a supply chain attack to actually compromise the build process of GTM itself so it would get injected to all ~10 million GTM implementations that are currently live. It’s definitely doable, for example, npm packages from which javascript code is compiled can be gamed and a similar strategy (code injection in the build process) was used for the SolarWinds attack. But you know, these guys and gals at Google are smart, way smarter than I am. So let’s try a different route.
You see this is where things become interesting, because having worked for an agency or two I know how they like to set things up, and let me tell you, are we in luck! Because not only are they terrible with passwords and access controls, because so often email addresses are shared, they’ll never be able to figure out where the leak actually came from.
Here’s what the set up usually looks like: an agency will have a shared email address that looks something like: [email protected], [email protected], [email protected] or even [email protected]. That email address is then used for hundreds of clients, so it is perfect for us to really leverage our enterprise. With one email address we can automatically add and publish our ’tracker’ to tens if not hundreds of websites. And that’s just one agency, since the email address format is so common, we can just compile a list of potential email addresses to use from a list of agencies.
Sure, some of the agencies will not have publishing rights in the GTM containers, but most of them will advise clients, especially smaller e-commerce clients —which, let me remind you, is exactly the ones we like—, to give them full publishing rights, because it is so convenient.
Getting in: how to access an account without having access
Now obviously, getting access to someone’s email address is not a trivial task. Sure, you can buy a few databases of email/password combinations and maybe you’ll get lucky. And we can also try a bit of brute forcing using keyword lists with [agency name], [2019] (someone usually thinks: oh I should add a number, but then the password isn’t updated for years) and of course the infamous ! because, of course, you should add in a ‘special’ character. But “Ah”, these smart agency folks say, “easy passowrd, no problem, because we’ve turned on two factor authentication (2FA)!”. Oh, such smart-assess, our plans are thwarted, or are they?
My first thought was to get physical access to an agency’s device. Since most of these agencies pride themselves on being open, accessible companies, you’ll find that you can just walk in around lunch time, blend in with your Nike’s and Patagonia t-shirt, and grab a few laptops here and there. Alternatively you can spoof the agency WiFi network with a stronger WiFi signal and perform a man-in-the-middle attack, but you know, I’m not an expert on cryptography and during a global pandemic you have to do your civic duty and minimise contact with other people. Also, the chance of getting caught on camera made me think this might not be the scalable solution I was looking for.
So, on second thought I decided to just find a way to capture 2FA codes from agency employees (the passwords are laughably easy, but the 2FA is harder). We could try some phishing with a fake Google page, but unfortunately googIe.com is already taken (yeah, that’s not a lowercase L, but an uppercase i , but of course you already saw that…), but maybe tagmanagergoogle.com or analyticsgoogle.com is still available to fool people who don’t see there’s a missing . It’s not unlikely, I mean, even US soldiers leave nuclear weapons secrets in the wrong places these days. Still, all of this seems finicky and unscalable as we’ll need a lot of personal email addresses and carefully crafted phishing emails that could all leave a trace.
So what if there’s a better way into your browser? Are you reading this on Google Chrome (or Edge, or Brave)? How many extensions do you have installed? Do you know all the developers behind those extensions? Now think about sharing your Chrome browser (Google account) with others, do you know what kind of extensions they have installed? Do you care? Most of these shared email addresses will have a gazillion extensions for screenshots, colour pickers, SEO, Google Analytics debugging, Tag Manager scanners, combining browser tabs, you name it.
The funny thing about browser extensions is that a) they’re very hard to monetise —how many are you paying for?— and b) Google doesn’t give a damn about them. So, it is relatively easy to just buy a developer out and take over an existing extension that is popular with the target group and add a little snippety snoopy piece of code that will only send over 2FA details —you don’t want to be too obvious and capture credit card details, but if it’s just the 2FA codes it’s harder to spot.
However, being a fanboy of the Krebs on Security blog, I found out that even that might be too complicated. Why not just get a bot to do all this for you? Nonetheless, I think it is clear that with a little investment it’s not too hard to get into an account that no one really cares about because it’s shared.
Getting out: publishing a GTM container with malicious code without getting caught
So yeah, there we are, looking at a bunch of Google Tag Manager containers that we’re not supposed to look at. Of course, we’re not going to add in things by hand —are you crazy?— but we’ll use the GTM API to automate everything. What is greatly to our advantage is that GTM bypasses all kinds of tests and security measures that are usually in place for the deployment of websites. There’s no devops team that gets an alert about a new deployment or that runs automated tests and checks. GTM only recently added a feature to get notified of new versions by email, and that’s on an opt-in bases, so no one actually uses it. And judging by the numbers in my own Google Analytics account, very few people are using my solution to get automated Slack notifications for new GTM container publications.
So the publishing shouldn’t be a problem, but we still need to sufficiently hide our script. Our best approach here is to let our automated script search for all custom HTML tags in a container —as these are already very complicated looking for the uninitiated—, find the one with the most characters, add a ton of whitespace (to hide it under the fold) and then cloak our data exfiltration script as a kind of helper function, maybe call it something like dataLayerFormTracking().
Now, one thing to be aware of is that GTM actually does check for a few known malicious scripts, so don’t just copy-paste your Magecarts. Luckily, if you actually clicked the link to David Gilbertson’s post on infiltrating npm packages, you’ll know that we can obscure the script, obscure the payload, block it automatically when you open DevTools and only send out data one in seven times to reduce our chances of being caught.
Now, the smarty pants in the room will say “ha, you crook, my site has a Content Security Policy (CSP), so there’s no way to get your data out”. To which I say, if you have GTM running with a CSP, it is unlikely you’ve implemented your CSP correctly. And even if you have, are you also using Google Analytics? Well, great, thanks! I’ll just send over those obfuscated credit card details to my own Google Analytics account instead. Alternatively, I’ll just use the Google CSP Evaluator to check if you’re allowing YouTube, Google’s Angular, jQuery from a CDN, or one of the many other sites that allow you to redirect or forward data to a third party endpoint.
Conclusion
By now, you’re hopefully starting to see that, unless you’re 100% sure that your customers are more than happy to fill the coffers of my college fund —as they surely, maybe, potentially have over the last year—, you might want to check your GTM implementation and overall website security.
</sarcasm>
Of course, I’m not actually, maliciously injecting millions of GTM containers with code, but I do hope you see that malevolent actors have gone to much greater lengths than what I described above to achieve similar things. Though my story is fictional, the concepts in this post are far from that. Start locking down your GTM container today by turning on email notifications, scrutinising access policies, and integrating it with your website and content security policies. Though agencies play a big part in this story, it is your responsibility to ask questions about security regarding your website, just like you would ask questions about, for example, giving access to a physical store or office.
