Website security company Sucuri has warned of a new wave of attacks leveraging Google Tag Manager (GTM) to deliver a sophisticated credit card skimmer malware targeting Magento-based e-commerce websites.
The malware, which initially appeared to be part of typical GTM and Google Analytics scripts used for tracking website analytics and advertising, contains a hidden backdoor that enables attackers to gain persistent access to compromised sites.
As of now, three sites have been confirmed to have been infected with the malicious GTM identifier "GTM-MLHK2N68." GTM identifiers are used by webmasters to manage various tracking codes, such as Google Analytics or Facebook Pixel, that monitor website traffic and user behavior. However, this GTM identifier has been hijacked to conceal the dangerous payload within the tag.
The malware is reportedly loaded from “cms_block.content,” the content column of the Magento cms_block database table, a common location for dynamic website content. The malicious GTM tag contains an encoded JavaScript payload which, upon execution, acts as a credit card skimmer. The script operates silently during the checkout process, collecting sensitive payment data such as credit card numbers, expiration dates, and security codes.
“The malware is designed to pilfer credit card information from unsuspecting customers as they enter payment details during the checkout process. This stolen data is then sent to an external server controlled by the attackers,” the researchers said.
“This GTM-based attack demonstrates the sophistication of modern malware, utilizing legitimate platforms like Google Tag Manager to deploy malicious code. The obfuscation and encoding techniques make it particularly challenging to detect, requiring deep investigation to uncover its true purpose.”
Experts are urging e-commerce site administrators to regularly audit their GTM containers and closely monitor database tables like “cms_block.content” for unusual changes. Affected Magento websites are also advised to implement additional monitoring measures, such as validating all external scripts and leveraging specialized tools to detect malicious activity.
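One way to act on that advice is a periodic audit of the cms_block rows, flagging any GTM container ID that is not the shop's own, the ID Sucuri reported, and any inline script that wraps an encoded payload. The script below is an added example, not Sucuri's or Magento's code; the allowed container ID, the block identifiers and the row contents are constructed, and the SQL in the comment is an assumed extraction query.

```python
"""Audit Magento cms_block content for GTM container IDs and encoded inline script."""
import re

# GTM container IDs have the form GTM-XXXXXXX (uppercase letters and digits).
GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)
# Decode-then-execute primitives that typically wrap an encoded payload.
ENCODED_EXEC_RE = re.compile(r"\b(?:atob|eval|unescape)\s*\(|String\.fromCharCode", re.IGNORECASE)

# The container ID named in the Sucuri report; every other ID here is constructed.
KNOWN_MALICIOUS_GTM_IDS = {"GTM-MLHK2N68"}
# Assumption: the shop's single legitimate container (placeholder value).
ALLOWED_GTM_IDS = {"GTM-ABCD123"}

# Constructed rows in the shape of Magento's cms_block (identifier, content), as an
# assumed query would return them: SELECT identifier, content FROM cms_block;
SAMPLE_CMS_BLOCKS = [
    ("footer_links", '<ul><li><a href="/contact">Contact</a></li></ul>'),
    ("gtm_loader", "<script>(function(w,d,s,l,i){/* standard GTM loader */})"
                   "(window,document,'script','dataLayer','GTM-ABCD123');</script>"),
    ("promo_banner", "<div>Free shipping</div><script>(function(w,d,s,l,i){/* loader */})"
                     "(window,document,'script','dataLayer','GTM-MLHK2N68');</script>"),
    ("checkout_note", '<script>eval(atob("Y29uc29sZS5sb2coMSk="));</script>'),
]

def find_gtm_ids(content: str) -> set[str]:
    """Return every GTM container ID referenced in a block's HTML."""
    return set(GTM_ID_RE.findall(content))

def audit_cms_blocks(rows, allowed_gtm_ids=ALLOWED_GTM_IDS):
    """Return (identifier, finding, detail) tuples for each cms_block row worth review."""
    findings = []
    for identifier, content in rows:
        for gtm_id in sorted(find_gtm_ids(content)):
            if gtm_id in KNOWN_MALICIOUS_GTM_IDS:
                findings.append((identifier, "known_malicious_gtm_id", gtm_id))
            elif gtm_id not in allowed_gtm_ids:
                findings.append((identifier, "unknown_gtm_id", gtm_id))
        # CMS blocks normally hold static HTML; any <script> deserves a look.
        if SCRIPT_RE.search(content):
            findings.append((identifier, "inline_script", None))
        if ENCODED_EXEC_RE.search(content):
            findings.append((identifier, "encoded_exec", None))
    return findings

if __name__ == "__main__":
    for identifier, finding, detail in audit_cms_blocks(SAMPLE_CMS_BLOCKS):
        print(f"{identifier}: {finding}" + (f" ({detail})" if detail else ""))
```

Run against a fresh dump on a schedule and diff the findings against the previous run, so a newly inserted container ID or script block shows up as a change rather than hiding among blocks that have always carried the legitimate loader.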