Hackers Exploit Google Tag Manager to Steal Credit Card Information

Aiden
Feb 16, 2025 7:14:41 PM

In a concerning development, cybercriminals are leveraging Google Tag Manager (GTM) to inject malicious scripts into Magento-based eCommerce websites. This sophisticated attack enables the theft of customers' credit card details during the checkout process, posing significant risks to both businesses and consumers.

The Attack Vector: Google Tag Manager

Google Tag Manager is a widely used tool that allows website administrators to manage and deploy marketing tags without modifying the code directly. Unfortunately, hackers have identified a method to exploit GTM by injecting obfuscated scripts that remain undetected. Once embedded, these scripts capture sensitive payment information entered by customers.

Targeted Platform: Magento eCommerce

The primary victims of this attack are websites operating on the Magento platform. Researchers from Sucuri have discovered that the malicious code is often loaded from the database, specifically the content column of the cms_block table (cms_block.content). Additionally, attackers employ a hidden PHP backdoor located at ./media/index.php to maintain persistent access and continuously siphon user data.

Indicators of Compromise

Sucuri's investigation revealed that at least six websites were compromised using a specific GTM ID associated with the domain eurowebmonitortool[.]com, which has been blacklisted by multiple security vendors. This indicates an active and widespread campaign targeting vulnerable eCommerce sites.

Recommended Security Measures

To protect your website and customers from such intrusions, consider implementing the following steps:

  • Audit GTM Tags: Regularly review and remove any unauthorized or suspicious tags within your GTM configuration.
  • Comprehensive Website Scanning: Conduct thorough scans to detect and eliminate malware or backdoor files that may have been introduced.
  • Update Platforms and Extensions: Ensure that your Magento installation and all associated extensions are up-to-date with the latest security patches.
  • Monitor Traffic and Activity: Keep a vigilant eye on website traffic and GTM activity for anomalies that could signify a breach.
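
A starting point for the first two checks, as an added example (not code from Sucuri or from this post): it flags GTM container IDs in CMS block content that are not on your own allowlist, flags inline scripts with common obfuscation markers, and lists PHP files under the media directory. The (identifier, content) export shape, the sample container IDs and the assumption that no PHP file legitimately lives under media are all assumptions made for the example.

```python
import os
import re
import tempfile

# GTM container IDs look like "GTM-" followed by uppercase letters/digits.
GTM_ID = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")
# Constructs common in obfuscated inline JavaScript (heuristic, not proof).
OBFUSCATION = re.compile(r"\batob\s*\(|\beval\s*\(|String\.fromCharCode|\\x[0-9a-fA-F]{2}")


def audit_cms_blocks(rows, allowed_gtm_ids):
    """rows: iterable of (identifier, content) exported from cms_block.
    Returns a sorted list of (identifier, finding) tuples."""
    findings = []
    for identifier, content in rows:
        for gtm_id in sorted(set(GTM_ID.findall(content or ""))):
            if gtm_id not in allowed_gtm_ids:
                findings.append((identifier, f"unapproved GTM container {gtm_id}"))
        if "<script" in (content or "").lower() and OBFUSCATION.search(content):
            findings.append((identifier, "inline script with obfuscation markers"))
    return sorted(findings)


def php_files_under(media_root):
    """Return relative paths of PHP-executable files below media_root, sorted."""
    hits = []
    for folder, _dirs, files in os.walk(media_root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".phar")):
                hits.append(os.path.relpath(os.path.join(folder, name), media_root))
    return sorted(hits)


# Constructed sample data: GTM-OWNED01 stands for the site's own container,
# GTM-UNKNWN9 for one nobody on the team created. The base64 is console.log(1).
SAMPLE_ROWS = [
    ("footer_links", "<ul><li><a href='/contact'>Contact</a></li></ul>"),
    ("analytics", "<script src='https://www.googletagmanager.com/gtm.js?id=GTM-OWNED01'></script>"),
    ("promo_banner", "<script>eval(atob('Y29uc29sZS5sb2coMSk='));</script>"
                     "<script src='https://www.googletagmanager.com/gtm.js?id=GTM-UNKNWN9'></script>"),
]

if __name__ == "__main__":
    for block, finding in audit_cms_blocks(SAMPLE_ROWS, {"GTM-OWNED01"}):
        print(f"cms_block '{block}': {finding}")
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "index.php"), "w").close()
        open(os.path.join(root, "logo.png"), "w").close()
        print("PHP under media:", php_files_under(root))
```

A hit is a prompt for manual review rather than proof of compromise; legitimate tags sometimes use eval or encoded strings.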

The exploitation of Google Tag Manager to deploy credit card skimmers underscores the evolving tactics of cybercriminals. By staying informed and proactively implementing robust security protocols, businesses can safeguard their digital assets and maintain customer trust.
