From the article:
“In most contemporary cases, the threat actors themselves create the GTM containers and then inject the GTM loader script configuration needed to load them into the e-commerce domains (as opposed to injecting malicious code into existing GTM containers that were created by the e-commerce website administrators),” Recorded Future notes.
All of the 569 ecommerce platforms infected with skimmers were associated in one way or the other with GTM abuse. While 314 have been infected with a GTM-based skimmer, data from the remaining 255 has been exfiltrated to domains associated with GTM container abuse.
Read the full story on Security Week