E-commerce Under Attack: Google Tag Manager Skimmers Deployed

A new wave of cyberattacks has been discovered where threat actors are abusing Google Tag Manager (GTM) to inject malicious credit card skimmer malware into Magento-based e-commerce websites. This attack method allows hackers to steal sensitive financial information from unsuspecting customers during the checkout process.

The Growing Threat of GTM-Based Skimming

Google Tag Manager is a widely used tool that allows website administrators to manage and deploy marketing tags, analytics scripts, and other tracking mechanisms without modifying the website’s core code. However, cybercriminals have found a way to exploit GTM’s flexibility, using it as a vehicle to distribute malware covertly.

According to a recent analysis, attackers have embedded a malicious GTM container (GTM-MLHK2N68) on Magento websites, disguising their code within legitimate Google Analytics and GTM scripts. While these scripts appear to be standard tracking tools, they actually include an obfuscated backdoor that grants persistent access to the compromised sites.

As of the latest update, at least three websites remain infected with this GTM identifier, a decrease from the six previously reported. The GTM identifier itself refers to a container that holds various tracking codes, such as those for Google Analytics and Facebook Pixel, which execute when specific conditions are met. Hackers are leveraging this mechanism to inject malicious payloads into vulnerable websites.

How the Attack Works

Further investigation into this campaign has revealed that the malicious script is embedded within the Magento database table “cms_block.content.” This particular GTM tag includes an encoded JavaScript payload, which functions as a credit card skimmer.

Cybersecurity experts detailed that this script is specifically designed to capture credit card details and other sensitive information entered by customers during the checkout process. Once executed, the malware siphons the collected data and transmits it to an attacker-controlled remote server.

The Role of JavaScript in the Attack

JavaScript plays a critical role in this attack, allowing the skimmer to operate in real time without alerting the victim. When an unsuspecting user inputs their payment details on a compromised website, the JavaScript code discreetly captures the entered data and forwards it to the hacker’s server.

One of the primary reasons attackers are using GTM for this purpose is that many security tools and website administrators trust Google’s services. Since GTM and Google Analytics are commonly used for legitimate analytics and marketing, the presence of these scripts on a site does not typically raise immediate red flags. This makes it difficult for security scanners to detect the injected malware.

Past Incidents of GTM Abuse

This is not the first time Google Tag Manager has been exploited by cybercriminals. In April 2018, security researchers discovered that GTM was being used for malvertising campaigns, where attackers injected malicious ads into legitimate websites to distribute malware.

More recently, another widespread attack on WordPress websites was uncovered. In that campaign, hackers exploited vulnerabilities in plugins or compromised administrator accounts to install malware that redirected visitors to phishing pages and other malicious destinations.

These recurring incidents highlight the growing trend of attackers abusing trusted web services to deploy malware, emphasizing the need for website owners to implement robust security measures.

Why Magento Websites Are a Prime Target

Magento, an open-source e-commerce platform, has long been a favorite target for cybercriminals due to its widespread use and complex security landscape. Attackers frequently exploit outdated versions, unpatched vulnerabilities, or weak administrative credentials to infiltrate Magento sites.

E-commerce websites are particularly attractive to hackers because they store and process large volumes of payment data. By injecting a skimmer into an online store’s checkout page, attackers can harvest valuable credit card details and other personal information without directly breaching a payment processor’s security infrastructure.

Mitigation and Prevention Strategies

Website administrators and e-commerce businesses must take proactive steps to defend against this growing threat. Here are some essential security measures to mitigate the risks associated with GTM-based skimmers:

1. Monitor and Audit GTM Containers Regularly

Administrators should routinely review their GTM configurations to ensure no unauthorized scripts or tags have been added. Any unexpected modifications or new GTM identifiers should be investigated immediately.

2. Implement Content Security Policies (CSP)

A well-configured Content Security Policy can help prevent malicious scripts from executing by restricting which sources are allowed to load scripts on a website. This can significantly reduce the risk of unauthorized code injection.

3. Keep Magento and Other Software Updated

Regularly updating Magento, plugins, and third-party integrations is crucial to patching known vulnerabilities that attackers may exploit.

4. Use Server-Side Payment Processing

Businesses should consider shifting to server-side payment processing, which minimizes the risk of frontend skimming attacks. By handling payments directly through a trusted payment processor, sensitive customer data never touches the website’s frontend, reducing exposure to skimming attacks.

5. Deploy Web Application Firewalls (WAFs)

A WAF can help detect and block malicious scripts attempting to execute on an e-commerce site. Advanced security solutions can also provide real-time threat intelligence to counter emerging threats.

6. Scan for Malware and Backdoors

Regular malware scanning should be conducted to detect any signs of unauthorized access or malicious scripts. Security plugins and dedicated monitoring tools can help identify and remove threats before they cause significant damage.

7. Educate Administrators and Users

Website administrators should be trained to recognize potential security threats, including phishing attempts, suspicious script injections, and unauthorized GTM modifications.

The Future of Web Skimming Threats

The increasing sophistication of web skimming attacks signals a broader trend in cybercrime, where attackers leverage legitimate services to evade detection. As security measures evolve, so do the techniques employed by cybercriminals.

Organizations must remain vigilant and proactive in implementing security best practices to safeguard their customers’ sensitive data. As threat actors continue refining their methods, businesses must prioritize security investments to protect their digital storefronts from compromise.

Conclusion

The exploitation of Google Tag Manager to deploy credit card skimmers underscores the persistent ingenuity of cybercriminals. By leveraging a trusted platform, attackers have found a way to bypass traditional security defenses and steal valuable payment information from unsuspecting customers.

For Magento website owners and administrators, this latest discovery serves as a critical reminder of the importance of cybersecurity hygiene. Regular monitoring, software updates, and the implementation of advanced security measures can go a long way in preventing such attacks.

As cyber threats continue to evolve, businesses must stay one step ahead by investing in robust security solutions, educating their teams, and remaining vigilant against emerging threats in the digital landscape.