Recent investigations have uncovered that cybercriminals are exploiting Google Tag Manager (GTM) to inject credit card skimmer malware into Magento-based e-commerce platforms. This alarming trend highlights the increasing sophistication of attacks targeting online payment systems.

Understanding the Threat

Security experts have identified that malicious actors are disguising harmful code as legitimate GTM and Google Analytics scripts. These scripts, typically used for tracking website analytics and advertising, now serve as a backdoor for attackers, granting them ongoing access to compromised sites.

Technical Details

As of the latest reports, three websites have been confirmed to be infected with the GTM identifier GTM-MLHK2N68, a decrease from the six initially reported. The GTM identifier functions as a container for various tracking codes, such as Google Analytics and Facebook Pixel, which are activated under specific conditions.

  • Malware Source: The malicious code is loaded from the Magento database, specifically the content column of the cms_block table (cms_block.content).
  • Encoded Payload: The GTM tag contains an encoded JavaScript payload functioning as a credit card skimmer.
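A defender auditing a Magento shop for the pattern described above (injected script blocks stored in cms_block.content, unexpected GTM containers, encoded payloads) can scan the stored block content before it ever reaches a page. The following Python script is an added example written for this article; it is not code from the original report or from any vendor it mentions. It runs over constructed sample rows embedded inline rather than a live database (none of the rows is data from a compromised site), the allowlist of approved GTM container IDs is an assumption a real deployment would load from configuration, and the container ID it flags is the one the article reports.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample rows standing in for `SELECT block_id, identifier, content FROM cms_block`.
# Row 1 is an ordinary CMS block; row 2 embeds a GTM loader with a container ID that is not
# on the shop's allowlist; row 3 embeds an inline script that decodes and evaluates a base64 blob.
SAMPLE_CMS_BLOCKS = [
    {"block_id": 1, "identifier": "footer_links",
     "content": "<p>Free shipping on orders over $50</p>"},
    {"block_id": 2, "identifier": "header_scripts",
     "content": ("<script>(function(w,d,s,l,i){w[l]=w[l]||[];"
                 "var f=d.getElementsByTagName(s)[0],j=d.createElement(s);"
                 "j.src='https://www.googletagmanager.com/gtm.js?id='+i;"
                 "f.parentNode.insertBefore(j,f);"
                 "})(window,document,'script','dataLayer','GTM-MLHK2N68');</script>")},
    {"block_id": 3, "identifier": "promo_banner",
     "content": ("<div>Sale</div><script>var p='"
                 + base64.b64encode(b"alert('constructed payload for detection test')").decode()
                 + "';eval(atob(p));</script>")},
]

# Assumption: the container IDs this shop legitimately deploys. A real scan would read these
# from configuration or the tag-management team's inventory, never hard-code them.
ALLOWED_GTM_IDS = {"GTM-EXAMPLE1"}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")
# Long runs of the base64 alphabet are rare in legitimate CMS copy; treat them as worth a look.
BASE64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Calls that typically appear when a script unpacks itself at runtime.
OBFUSCATION_MARKERS = ("eval(", "atob(", "unescape(", "String.fromCharCode", "document.write(")


@dataclass
class Finding:
    block_id: int
    identifier: str
    reason: str


def scan_block(row):
    """Return a list of Findings for one cms_block row (empty list means nothing suspicious)."""
    findings = []
    content = row["content"]

    # 1. Any GTM container referenced in stored content must be one the shop knows about.
    for gtm_id in sorted(set(GTM_ID_RE.findall(content))):
        if gtm_id not in ALLOWED_GTM_IDS:
            findings.append(Finding(row["block_id"], row["identifier"],
                                    f"unexpected GTM container {gtm_id}"))

    # 2. Inline scripts stored in a CMS block are themselves unusual; inspect their bodies.
    for body in SCRIPT_RE.findall(content):
        for marker in OBFUSCATION_MARKERS:
            if marker in body:
                findings.append(Finding(row["block_id"], row["identifier"],
                                        f"inline script uses {marker}"))
        for blob in BASE64_BLOB_RE.findall(body):
            try:
                decoded = base64.b64decode(blob, validate=True)
            except (ValueError, base64.binascii.Error):
                continue  # not actually base64, e.g. a long identifier
            findings.append(Finding(row["block_id"], row["identifier"],
                                    f"base64 blob of {len(blob)} chars decodes to {len(decoded)} bytes"))
    return findings


def scan_all(rows):
    """Map block_id -> list of Findings for every row."""
    return {row["block_id"]: scan_block(row) for row in rows}


if __name__ == "__main__":
    for block_id, findings in scan_all(SAMPLE_CMS_BLOCKS).items():
        status = "clean" if not findings else f"{len(findings)} finding(s)"
        print(f"cms_block {block_id}: {status}")
        for f in findings:
            print(f"  [{f.identifier}] {f.reason}")
```

Running the script reports block 1 as clean, block 2 for the unexpected container ID, and block 3 for the eval/atob calls and the base64 blob. The same checks apply to any other place Magento lets an administrator store markup (cms_page.content, design configuration head scripts), and a hit on a GTM ID is only meaningful if the allowlist is maintained, so the inventory of approved containers is the part worth investing in.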

Impact on E-commerce Security

The malware is engineered to capture sensitive information entered by users during the checkout process. This data is then transmitted to a remote server controlled by the attackers, compromising the security of online transactions.

Historical Context

This is not the first instance of GTM being misused for illicit activities. In April 2018, GTM was similarly exploited for malvertising campaigns, underscoring the tool's potential for abuse.
