- Sucuri finds credit card skimmer in Magento-powered ecommerce site
- The skimmer was hiding within Google Tag Manager
- At least six websites were compromised, experts warned
Cybercriminals were exploiting the Google Tag Manager (GTM) to hide malware in Magento-powered ecommerce sites and steal payment information from customers, experts have claimed.
Researchers at Sucuri claim to have recently observed one such attack in the wild, explaining that a customer reached out for help after experiencing credit card data theft from their Magento-based ecommerce website.
The analysts traced the attack back to a malicious script embedded within Google Tag Manager, which appeared to be a legitimate tracking tool but was actually designed to skim sensitive data. Google Tag Manager is a free tool from Google that allows website owners and marketers to easily manage and deploy tracking codes (tags) on their website without directly modifying the site’s code.
Abused in the wild
The attackers obfuscated the script, making it difficult to detect, and used it to capture payment details from the checkout page before sending them to a remote server.
Sucuri also found a backdoor that granted the attackers persistent access. At least six websites were found to be infected with the same GTM ID, and one of the domains used in the attack, eurowebmonitortool [dot] com, has now been blacklisted by most security companies.
Using the Google Tag Manager to deliver malware isn’t a novelty. The researchers said they covered the technique last year, adding that the new infection indicates the tactic “still being widely used” in the wild. Magento, due to its popularity among ecommerce site owners, is a huge target for cybercriminals. Payment information is also quite valuable for cybercriminals, since they can use it to purchase malicious goods, pay for malvertising campaigns, and more.
To remediate the attack, website admins should remove any suspicious GTM tags, perform a full website scan, make sure both Magento and other extensions are updated, and regularly monitor site traffic and GTM for any unusual activity, Sucuri suggests.
Leave a comment