Hackers have been caught using Google Tag Manager to deploy credit card skimmer malware on Magento-based e-commerce websites. Website security company Sucuri reported that the attackers are injecting malicious code into GTM scripts on compromised sites. While these scripts look like normal GTM and Google Analytics codes used for website analytics, they contain a hidden backdoor.
This allows the hackers to maintain persistent access to the infected sites. One GTM container identifier, GTM-MLHK2N68, has been linked to at least six infected websites so far. The container behind that identifier carries various tracking tags, such as Google Analytics and Facebook Pixel, which fire under certain conditions.
Further investigation revealed that the malware is being loaded from the Magento database, specifically the content column of the cms_block table (cms_block.content), which stores the HTML of the CMS static blocks that Magento renders into store pages. The malicious GTM tag contains an encoded JavaScript payload that acts as a credit card skimmer.
Hackers misuse GTM for skimming
“This script was designed to collect sensitive data entered by users during the checkout process and send it to a remote server controlled by the attackers,” stated security researcher Puja Srivastava.
When executed, the malware steals credit card information from the checkout pages and sends it to an external server. This is not the first time GTM has been abused for malicious purposes. In April 2018, Sucuri reported that GTM was being used for a malvertising campaign aimed at generating revenue for the attackers through pop-ups and redirects.
To mitigate this threat, Sucuri advises website administrators to remove any suspicious GTM tags, perform a full website scan, remove malicious scripts and backdoor files, update Magento and its extensions, and monitor site traffic for unusual activity. This discovery highlights the importance of strong security practices and constant monitoring when managing e-commerce sites. As cybercriminals continue to find new ways to exploit trusted platforms, online retailers must remain vigilant to protect their customers’ sensitive data.
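The first two steps of that advice (find the suspicious GTM tags, then find the scripts they hide) can be started with a simple audit of the cms_block rows described earlier. The following Python script is an added example, not code from Sucuri or from the Magento project: given rows exported from cms_block (for instance with SELECT block_id, identifier, content FROM cms_block), it lists every GTM container ID each block references, compares them against an allowlist of the containers the shop actually owns (ALLOWED_GTM_IDS here is a hypothetical placeholder), and flags inline scripts, common loader and obfuscation idioms, and long base64-like blobs of the kind an encoded skimmer payload would produce. The sample rows are constructed for the demonstration; the one real identifier in it is the GTM-MLHK2N68 container reported above.

```python
import base64
import re

# Container ID reported by Sucuri as tied to infected stores (from the article above).
KNOWN_BAD_GTM_IDS = {"GTM-MLHK2N68"}

# Hypothetical allowlist (assumption): replace with the containers your shop really uses.
ALLOWED_GTM_IDS = {"GTM-EXAMPLE1"}

GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,10}\b")
SCRIPT_TAG_RE = re.compile(r"<script\b", re.IGNORECASE)
# Loader/obfuscation idioms that rarely belong in a CMS content block.
OBFUSCATION_RE = re.compile(
    r"(?:\batob\s*\(|\beval\s*\(|String\.fromCharCode|\bunescape\s*\(|document\.write\s*\()",
    re.IGNORECASE,
)
# A long unbroken run of base64-alphabet characters suggests an encoded payload.
BASE64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")


def audit_cms_blocks(rows, allowed_ids=ALLOWED_GTM_IDS):
    """Return a list of findings, one per suspicious cms_block row.

    rows: iterable of (block_id, identifier, content) tuples, as exported from
    Magento's cms_block table. Findings are review leads, not verdicts: a row
    with only an inline <script> still deserves a look, because the reported
    skimmer was dressed up to look like an ordinary GTM snippet.
    """
    findings = []
    for block_id, identifier, content in rows:
        reasons = []
        gtm_ids = set(GTM_ID_RE.findall(content))
        for gid in sorted(gtm_ids):
            if gid in KNOWN_BAD_GTM_IDS:
                reasons.append(f"known-malicious GTM container {gid}")
            elif gid not in allowed_ids:
                reasons.append(f"unexpected GTM container {gid}")
        if SCRIPT_TAG_RE.search(content):
            reasons.append("inline <script> in CMS block")
        if OBFUSCATION_RE.search(content):
            reasons.append("obfuscation/loader idiom (atob/eval/fromCharCode/...)")
        if BASE64_BLOB_RE.search(content):
            reasons.append("long base64-like blob")
        if reasons:
            findings.append({
                "block_id": block_id,
                "identifier": identifier,
                "gtm_ids": sorted(gtm_ids),
                "reasons": reasons,
            })
    return findings


def summarize_gtm_ids(rows):
    """Map every GTM container ID referenced in cms_block to the block IDs using it."""
    usage = {}
    for block_id, _identifier, content in rows:
        for gid in set(GTM_ID_RE.findall(content)):
            usage.setdefault(gid, []).append(block_id)
    return usage


# Constructed sample rows (not real data): a plain footer block, a legitimate-looking
# GTM snippet for the allowlisted container, and a block carrying the reported
# container plus an eval(atob(...)) loader with an encoded payload.
_ENCODED_PAYLOAD = base64.b64encode(b"x" * 100).decode()
LEGIT_GTM_SNIPPET = (
    "<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),"
    "event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),"
    "dl=l!='dataLayer'?'&l='+l:'';j.async=true;"
    "j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);"
    "})(window,document,'script','dataLayer','GTM-EXAMPLE1');</script>"
)
SAMPLE_ROWS = [
    (1, "footer_links", "<p>Free shipping on orders over $50.</p>"),
    (2, "gtm_head", LEGIT_GTM_SNIPPET),
    (3, "promo_banner",
     "<script>(function(){var s=document.createElement('script');"
     "s.src='https://www.googletagmanager.com/gtm.js?id=GTM-MLHK2N68';"
     "document.head.appendChild(s);eval(atob('" + _ENCODED_PAYLOAD + "'));})();</script>"),
]


if __name__ == "__main__":
    for gid, blocks in sorted(summarize_gtm_ids(SAMPLE_ROWS).items()):
        print(f"{gid}: referenced by cms_block rows {blocks}")
    for finding in audit_cms_blocks(SAMPLE_ROWS):
        print(f"block {finding['block_id']} ({finding['identifier']}): " + "; ".join(finding["reasons"]))
```

Run against a real export, the container summary tells you immediately whether the store references any container you do not recognize, and the per-row reasons point at the blocks to inspect and clean. The base64 threshold of 120 characters is a deliberate choice to skip short inline data URIs while still catching a payload of any realistic size; tune it, and extend the allowlist, to your own store.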