Matt Johansen
Feb 11, 2025 8 tweets 2 min read
Hackers are using Google Tag Manager (GTM) to inject credit card skimmers into E-commerce sites.

At least 6 compromised sites identified so far. Here's what we're seeing. 👇
Malicious GTM script reference (GTM-MLHK2N68) stored in Magento's cms_block.content table.

Attackers using GTM as delivery mechanism to bypass security controls.
Obfuscated JS skimmer activates on checkout pages, exfiltrating card data to C2 domain eurowebmonitortool[.]com.

Additional persistence achieved via PHP backdoor in media/index.php allowing remote code execution through base64-encoded commands.

Gives attackers ongoing access post-cleanup.
This campaign bears striking similarity to 2021 GTM-based Magecart operation that hit 316 sites and compromised 88,000 cards.

Same core TTPs being recycled.
Why GTM works so well for attackers:
- Auto-executes JS
- Trusted Google infrastructure
- Security tools typically allow list
- Dynamic updates without site access
This is familiar territory for me, remembering my 2013 Million Browser Botnet talk @ Blackhat where @jeremiahg and I demonstrated JavaScript injection via ad networks.

Same concept, different delivery mechanism.
IOCs to watch for:
- Suspicious GTM container IDs
- Unexpected scripts in cms_block.content
- PHP files in media directory
- Unusual outbound connections during checkout flows
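The first three IOCs above are easy to check mechanically. The script below is an added example (not from the thread or its writeup): it scans Magento cms_block rows for GTM container IDs that are not on a site-specific allowlist and lists any PHP files under media/. The sample rows, the media listing and the GTM-EXAMPLE1 allowlist entry are constructed; only GTM-MLHK2N68 and media/index.php come from the thread.

```python
import re
from typing import Iterable

# GTM container IDs look like GTM-XXXXXXX; this is a general pattern, not a known-bad list.
GTM_ID_RE = re.compile(r"GTM-[A-Z0-9]{4,10}")

# Magento cms_block rows as (identifier, content). Constructed sample data:
# a normal footer block, and a block carrying the container ID the thread
# reports (GTM-MLHK2N68) inside a GTM loader snippet.
SAMPLE_CMS_BLOCKS = [
    ("footer_links", "<div class='footer'><a href='/contact'>Contact</a></div>"),
    ("promo_banner",
     "<script>(function(w,d,s,l,i){...})(window,document,'script','dataLayer',"
     "'GTM-MLHK2N68');</script>"),
]

# Containers the site legitimately uses. GTM-EXAMPLE1 is a constructed
# placeholder; a real deployment lists its own container IDs here.
KNOWN_GOOD_CONTAINERS = {"GTM-EXAMPLE1"}

# Constructed listing of a Magento media/ directory. media/ holds uploads and
# should never contain executable PHP; the thread's backdoor sat at media/index.php.
SAMPLE_MEDIA_FILES = ["media/catalog/product/shirt.jpg", "media/index.php",
                      "media/wysiwyg/banner.png"]


def find_gtm_ids(text: str) -> set[str]:
    """Return every GTM container ID referenced in a block of HTML/JS."""
    return set(GTM_ID_RE.findall(text))


def audit_cms_blocks(rows: Iterable[tuple[str, str]], allowlist: set[str]) -> list[tuple[str, str]]:
    """Flag (block_identifier, container_id) pairs whose container is not allowlisted."""
    findings = []
    for identifier, content in rows:
        for gtm_id in sorted(find_gtm_ids(content) - allowlist):
            findings.append((identifier, gtm_id))
    return findings


def find_php_in_media(paths: Iterable[str]) -> list[str]:
    """Return PHP files under media/, where no server-side code belongs."""
    return sorted(p for p in paths
                  if p.startswith("media/") and p.lower().endswith((".php", ".phtml")))


if __name__ == "__main__":
    for block, gtm_id in audit_cms_blocks(SAMPLE_CMS_BLOCKS, KNOWN_GOOD_CONTAINERS):
        print(f"unexpected GTM container {gtm_id} in cms_block '{block}'")
    for path in find_php_in_media(SAMPLE_MEDIA_FILES):
        print(f"PHP file in media directory: {path}")
```

On a real store, feed audit_cms_blocks the output of `SELECT identifier, content FROM cms_block` and find_php_in_media a recursive listing of the media directory.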
Check my full writeup here ->

Subscribe and follow for more like this every week! <3 vulnu.com/p/hackers-use-…
