How Magecart’s ATMZOW Skimmer Is Still Hiding Inside Google Tag Manager
There’s an old principle that you should judge people by their actions, not their appearance, and modern web-skimming attacks are a near-perfect technical illustration of why. A malicious script delivered through a trusted channel, signed by a trusted certificate, and served from a trusted domain means all the credentials check out. It’s only when you watch what the script actually does that you see what’s beneath the disguise. That gap, between what something looks like and what it does, is where the entire Magecart industry now lives.
Magecart’s ATMZOW skimmer has been active since 2015, and the latest campaign works by sneaking it into checkout pages via Google Tag Manager (GTM) containers. It still succeeds today because browsers and many security tools implicitly trust googletagmanager.com, but also because it has evolved considerably since its first appearance.
How the Threat Has Evolved
From 2015 to 2026, the group has focused on stealth rather than reinvention. The original code used relatively crude obfuscation. Earlier variants leaned on Base64 encoding plus some anti-debugging tricks. The current GTM-TVKQ79ZS variant uses a custom decoder tied to the exact character length of the script, and if you change a single byte of whitespace, the decoder fails. This neuters most automated analysis tools that normalize formatting during parsing.
The infrastructure has matured too. Where earlier ATMZOW campaigns exfiltrated to a single hardcoded domain (vamberlo[.]com in the 2020 case), the current operation rotates across 40 newly registered domains, picks two at random per visit, caches the selection in localStorage so the same pair greets the same victim on return, and hides the actual hosting behind Cloudflare. When Google removes a malicious GTM container, attackers spin up replacements within hours.
The wider Magecart ecosystem has evolved in parallel. Recent campaigns have hijacked 404 error pages to host payloads, disguised loaders as Meta Pixel snippets, and chained WebSocket-based skimmers alongside GTM-delivered ones for redundancy. The economics have shifted too: Magecart-as-a-Service kits like “Sniffer by Fleras”, sold for around $1,500 on dark-web forums, were used to compromise 488 sites between March and July 2024, dramatically lowering the technical bar for would-be attackers.
The Obfuscation Arms Race
ATMZOW’s custom decoder, tied to exact script length, breaks static scanners. But obfuscation is only one layer of the challenge. Underground tools like WormGPT and FraudGPT, alongside jailbroken commercial models, are increasingly being used across the broader threat landscape to generate polymorphic JavaScript variants, where every deployment is syntactically unique even though it’s functionally identical. Trying to detect that with signatures is like trying to recognize a criminal by their outfit when they change clothes between crimes.
For defenders, the practical implication is straightforward: assume every skimmer instance you encounter is one-of-a-kind. That makes runtime behavioral detection the only durable strategy.
Why Traditional Defenses Miss This
Traditional perimeter defenses miss attacks that execute legitimately inside the trusted browser session. The page loads correctly, the certificate chain is valid, the WAF sees nothing unusual, and yet card data is being exfiltrated from inside the browser before the form is even submitted.
This is the fundamental problem with the GTM attack vector. The whole attack hinges on the fact that googletagmanager.com is trusted. It’s like a uniformed delivery driver waved through building security: the uniform is real, the van is real, the badge scans correctly. Nobody checks what’s in the boxes because the credentials are valid. Allow-listing googletagmanager.com in a CSP or trusting it in a WAF gets you nowhere for exactly the same reason.
Where Reflectiz Fits the Threat Model
The trust problem with GTM
Rather than relying on allow-lists and domain reputation, Reflectiz uses runtime behavioral analysis. It observes which scripts access sensitive DOM elements such as payment and login fields, tracks where captured data is transmitted, and flags unauthorized network calls, regardless of whether the malicious code is obfuscated or not. A GTM-delivered script that suddenly starts reading the card-number input or POSTing to cdn.colorpalettemetrics[.]com is flagged on behavior, irrespective of the trusted parent domain.
The obfuscation problem
Behavioral monitoring sidesteps the deobfuscation problem entirely. Reflectiz doesn’t need to deobfuscate anything (although it can; see our JavaScript deobfuscator) because it watches what the script does at runtime: hooking into form fields, listening for input events, opening outbound connections to never-before-seen domains. The malicious behavior is observable even when the code is unreadable.
The “only on checkout” trigger
The skimmer stays dormant until it detects a checkout or one-page payment URL, a sleeper agent that remains perfectly behaved until the trigger condition fires. Reflectiz’s continuous monitoring uses its own proprietary remote browser to crawl and exercise the payment funnel, not just the homepage. Dormant skimmers wake up and reveal themselves during scanning, instead of waiting for a real customer to trigger the trap.
The rotating-domain problem
Forty payload domains, rotated two at a time with the selection cached in localStorage, defeat static blocklists. Reflectiz’s approach, tracking who your external vendors are, what they are doing, and where they send the data they collect, flags any new exfiltration destination. It doesn’t matter whether the script picks sketchinsightswatch today and colorpalettemetrics tomorrow. Both are unknown destinations receiving form-field data, and both fire alerts.
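To make the behavioral approach described in the three sections above concrete (attributing sensitive-field reads to a script, inspecting every outbound request, and treating a never-before-seen destination as an alert rather than a blocklist lookup), here is an added example in JavaScript. It is not Reflectiz’s product code. It assumes constructed hostnames (shop.example, gateway.example, and cdn.colorpalettemetrics.example as a stand-in for a rotating payload domain), and it takes the identity of the currently executing script from a getScriptId callback; a real monitor would derive that from stack traces, which is omitted here so the core logic runs DOM-free in Node.

```javascript
// Added example, not Reflectiz code. A minimal behavioral monitor for a
// payment page: records which script reads sensitive inputs, inspects every
// outbound request, and alerts on (a) any first-seen origin outside the
// approved vendor inventory and (b) a script that read card data and then
// contacts an unapproved origin. Logic is DOM-free so it runs in Node.

const SENSITIVE_FIELD = /card|cvv|cvc|expir|password/i;

class BehaviorMonitor {
  constructor(approvedOrigins) {
    this.approvedOrigins = new Set(approvedOrigins);
    this.seenOrigins = new Set();
    this.sensitiveReaders = new Map(); // scriptId -> Set of field names read
    this.alerts = [];
  }

  // Called from the instrumented `value` getter (see hookValueGetter).
  recordFieldRead(scriptId, fieldName) {
    if (!SENSITIVE_FIELD.test(fieldName)) return;
    if (!this.sensitiveReaders.has(scriptId)) this.sensitiveReaders.set(scriptId, new Set());
    this.sensitiveReaders.get(scriptId).add(fieldName);
  }

  // Called from the fetch/XHR/sendBeacon wrapper before the request leaves.
  inspectRequest(scriptId, url) {
    let origin;
    try {
      origin = new URL(url, 'https://shop.example').origin; // constructed base origin
    } catch (e) {
      this.alerts.push({ kind: 'unparseable-url', scriptId, url });
      return;
    }
    const approved = this.approvedOrigins.has(origin);
    const firstSeen = !this.seenOrigins.has(origin);
    this.seenOrigins.add(origin);
    if (!approved && firstSeen) {
      this.alerts.push({ kind: 'new-unapproved-origin', scriptId, origin });
    }
    const fields = this.sensitiveReaders.get(scriptId);
    if (!approved && fields && fields.size > 0) {
      this.alerts.push({ kind: 'possible-exfiltration', scriptId, origin, fields: [...fields] });
    }
  }
}

// Redefine the `value` accessor on an input prototype so each read is
// attributed to the executing script. In a browser `proto` would be
// HTMLInputElement.prototype; getScriptId is an assumed attribution helper.
function hookValueGetter(proto, monitor, getScriptId) {
  const desc = Object.getOwnPropertyDescriptor(proto, 'value');
  Object.defineProperty(proto, 'value', {
    configurable: true,
    enumerable: desc.enumerable,
    get() {
      monitor.recordFieldRead(getScriptId(), this.name);
      return desc.get.call(this);
    },
    set: desc.set,
  });
}

// Wrap any fetch-like function so the monitor sees the destination first.
function wrapFetch(realFetch, monitor, getScriptId) {
  return function monitoredFetch(url, init) {
    monitor.inspectRequest(getScriptId(), String(url));
    return realFetch(url, init);
  };
}

// Constructed scenario: a DOM-less input stand-in, two scripts, and a fake
// fetch that records calls instead of touching the network.
function runScenario() {
  class FakeInput {
    constructor(name, v) { this.name = name; this._v = v; }
    get value() { return this._v; }
    set value(v) { this._v = v; }
  }
  let currentScript = 'none';
  const getScriptId = () => currentScript;
  const monitor = new BehaviorMonitor(['https://shop.example', 'https://gateway.example']);
  hookValueGetter(FakeInput.prototype, monitor, getScriptId);
  const sent = [];
  const monitoredFetch = wrapFetch(
    (url) => { sent.push(String(url)); return Promise.resolve({ ok: true }); },
    monitor, getScriptId);

  const cardNumber = new FakeInput('card_number', '4111111111111111');
  const cvv = new FakeInput('cvv', '123');
  const promo = new FakeInput('promo_code', 'SPRING');

  // Legitimate checkout script: reads card fields, talks only to the approved gateway.
  currentScript = 'checkout-ui.js';
  monitoredFetch('https://gateway.example/tokenize?len=' + cardNumber.value.length);

  // Tag loaded via GTM: reads a harmless field, then card fields, then beacons
  // to a first-seen origin (constructed placeholder modelled on the page's IoC).
  currentScript = 'gtm-tag-constructed';
  void promo.value;
  void cardNumber.value;
  void cvv.value;
  monitoredFetch('https://cdn.colorpalettemetrics.example/collect');

  return { alerts: monitor.alerts, sent };
}
```

On a real page the hooks would be installed on HTMLInputElement.prototype, window.fetch, XMLHttpRequest.prototype.send and navigator.sendBeacon before any tag manager runs, and the approved-origin set would be the vetted vendor inventory. Note that the first alert fires on the destination alone, so a rotating domain is caught on its first appearance even if the script had read nothing sensitive yet.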
Fourth-party visibility
GTM is a tag loader: it pulls in further scripts that pull in further scripts. Most tools see only the top-level vendors. Reflectiz continuously inventories and monitors these third- and fourth-party scripts across the full dependency chain, so an unauthorized container ID appearing, or a known container suddenly loading from a new CDN, surfaces as a change event rather than getting buried inside a trusted domain. For a deeper look at how this works in practice, see our GTM security case study.
The reinfection cycle
When Google removes one container, attackers spin up another within hours. Static remediation can’t keep up. Continuous monitoring means each new container shows up as a new inventory item with new behaviors. Reflectiz alerts on the change rather than waiting for the new indicator of compromise to make it into public threat feeds, which is critical when the IoC lifecycle is measured in hours rather than weeks.
PCI DSS 4.0.1 Alignment
There’s a regulatory tailwind here too. PCI DSS 4.0.1, mandatory since 31 March 2025, introduces explicit client-side security requirements: merchants must inventory all scripts running on payment pages, justify each one, ensure they are not tampered with, monitor for unauthorized access to cardholder data input fields, and detect and respond to attacks against those fields. Requirements 6.4.3 and 11.6.1 map directly to what Reflectiz produces, and the same control that defends against ATMZOW also generates the compliance evidence.
Where Reflectiz Alone Isn’t Enough
Reflectiz is a detection-and-alert layer, not a blocking proxy in the request path, and that distinction matters. Pairing it with a strict, hashed content security policy for payment pages, sub-resource integrity where feasible, and a vetted, locked-down Google Tag Manager workspace (least-privilege publishing rights, MFA on the GTM account itself, container-change approvals) closes the loop. Reflectiz catches what slips past those preventive controls, and the preventive controls reduce how often Reflectiz has to catch them.
Client-side security is not about replacing existing controls. It’s about closing a gap that attackers are already exploiting, and have been exploiting, in ATMZOW’s case, for over a decade.