Cyber security news for all


    Cybercriminals Exploit Google Tag Manager to Inject Covert Credit Card Skimmers into Magento Commerce Platforms

    In a sophisticated maneuver, cyber malefactors have been detected weaponizing Google Tag Manager (GTM) as a conduit for injecting credit card skimming malware into Magento-powered e-commerce ecosystems.

    Cybersecurity specialists at Sucuri have uncovered that the deployed script, masquerading as a conventional GTM or Google Analytics tracker, harbors a concealed backdoor. This insidious loophole grants threat actors a persistent foothold within the compromised infrastructure, enabling sustained exploitation.

    As per current findings, at least three separate online storefronts have been found harboring the malicious GTM identifier (GTM-MLHK2N68)—a reduction from the six initially reported. Within the GTM ecosystem, an identifier signifies a container that accommodates various tracking mechanisms, including Google Analytics and Facebook Pixel, orchestrating their activation under predetermined conditions.

    Deeper scrutiny has unveiled that the malicious payload is sourced from the “cms_block.content” database table within Magento. The GTM tag in question embeds an encoded JavaScript snippet, meticulously engineered to operate as a credit card skimming module.

    “This script is purpose-built to siphon off confidential payment credentials entered by customers during checkout and exfiltrate them to a clandestine, attacker-controlled server,” cautioned security analyst Puja Srivastava.

    Upon execution, the rogue script harvests credit card particulars from payment interfaces and transmits them to an external command-and-control node, completing the fraudulent operation.
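    The report describes two things a store operator can check for directly: a GTM container ID that was never provisioned for the site, and an encoded script planted in Magento's cms_block table. The following is an added example (not code from Sucuri or from Magento) that scans rows shaped like that table for both indicators. The sample rows, the allowlisted container ID GTM-ABC1234 and the regex heuristics are constructed for the example; only GTM-MLHK2N68 comes from the report.

```python
import re

# Constructed sample rows standing in for Magento's cms_block table
# as (block_id, identifier, content). These are not rows from a real store.
SAMPLE_CMS_BLOCKS = [
    (1, "footer_links",
     '<p><a href="/privacy">Privacy</a> | <a href="/terms">Terms</a></p>'),
    (2, "gtm_head",
     "<!-- Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];"
     "})(window,document,'script','dataLayer','GTM-ABC1234');</script>"),
    (3, "promo_banner",
     "<script>eval(atob('QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5'));</script>"),
    (4, "analytics",
     '<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-MLHK2N68"></script>'),
]

# Placeholder: the container ID(s) the store actually provisioned in GTM.
ALLOWED_GTM_IDS = {"GTM-ABC1234"}
# Container ID named in the Sucuri report as carrying the skimmer.
KNOWN_BAD_GTM_IDS = {"GTM-MLHK2N68"}

GTM_ID_RE = re.compile(r"GTM-[A-Z0-9]{4,}")
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)
# Primitives commonly used to decode an embedded payload at runtime.
OBFUSCATION_RE = re.compile(r"\b(atob|eval|unescape|String\.fromCharCode)\s*\(")
# A long unbroken base64-alphabet run; legitimate CMS markup rarely has one.
LONG_B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def scan_block(block_id, identifier, content):
    """Return a list of human-readable findings for one cms_block row."""
    findings = []
    # Any GTM container referenced in CMS content must be one we provisioned.
    for gtm_id in sorted(set(GTM_ID_RE.findall(content))):
        if gtm_id in KNOWN_BAD_GTM_IDS:
            findings.append(f"known-malicious GTM container {gtm_id}")
        elif gtm_id not in ALLOWED_GTM_IDS:
            findings.append(f"unexpected GTM container {gtm_id}")
    # Inline scripts in CMS blocks are already unusual; flag the ones that
    # look like they unpack a hidden payload.
    if SCRIPT_RE.search(content):
        if OBFUSCATION_RE.search(content):
            findings.append("inline script uses decoding/eval primitives")
        if LONG_B64_RE.search(content):
            findings.append("inline script carries a long base64-like string")
    return findings


def scan_cms_blocks(rows):
    """Map block identifier -> findings for every row that raised one."""
    report = {}
    for block_id, identifier, content in rows:
        findings = scan_block(block_id, identifier, content)
        if findings:
            report[identifier] = findings
    return report


if __name__ == "__main__":
    for identifier, findings in scan_cms_blocks(SAMPLE_CMS_BLOCKS).items():
        print(identifier)
        for f in findings:
            print("  -", f)
```

    On a real store the rows would come from `SELECT block_id, identifier, content FROM cms_block` (plus the matching cms_page table, which the same scanner handles unchanged). A hit on the obfuscation or base64 heuristics is a prompt to read the block, not proof of compromise; a GTM ID outside the allowlist, however, has no legitimate reason to be in CMS content and should be treated as a finding in its own right.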

    This is not the inaugural instance of GTM being co-opted for nefarious activities. Back in April 2018, Sucuri disclosed its abuse in malvertising schemes, underscoring the recurrent exploitation of Google’s tracking infrastructure.

    This revelation also follows closely on the heels of another malware-laden campaign, wherein cyber adversaries allegedly capitalized on vulnerabilities within WordPress plugins or hijacked administrative accounts to infiltrate websites. The ultimate goal? Diverting unsuspecting visitors toward malicious URLs, reinforcing the ever-present need for vigilant cybersecurity postures within digital commerce ecosystems.
