
Google Tag Manager Exploit

Recent reports have revealed a disturbing trend where cybercriminals are exploiting the Google Tag Manager (GTM) to deploy credit card skimmer malware on Magento-based e-commerce websites. GTM, which is typically used for website analytics and advertising, has been manipulated to provide persistent access for attackers. The malware, hidden within a seemingly normal GTM and Google Analytics script, is designed to steal sensitive user data.

Unmasking the Corrupted Code

Upon investigation, security experts discovered that the compromised GTM tag contains an obfuscated backdoor. This backdoor allows attackers to maintain long-term access to infected websites. Initial findings showed six sites infected with the same GTM identifier (GTM-MLHK2N68), though this number has since dropped to three. The GTM identifier, essentially a container for various tracking codes and trigger rules, was found to include an encoded JavaScript payload acting as a credit card skimmer.

The Malware’s Sneaky Functionality

The malware is executed from the 'cms_block.content' table within the Magento database. Once activated, it targets the checkout pages of affected e-commerce sites, harvesting sensitive customer information such as credit card details. The stolen data is then sent to an external server controlled by the attackers, effectively bypassing traditional security measures.
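The two paragraphs above describe the shape of the compromise: a GTM container id that the site owner never registered, and an encoded inline script living in the `content` column of Magento's `cms_block` table. The following audit script is an added example (it is not part of the original report and not a tool from Google or Magento): it takes dumped `cms_block` rows, extracts every GTM container id they reference, flags any id missing from the site's own allowlist, and flags inline scripts carrying common encoding markers. The sample rows, the allowlist `GTM-ALLOWED1` and the marker list are constructed for the demonstration; the only real indicator used is the container id the report names.

```python
"""Audit Magento cms_block rows for unexpected Google Tag Manager containers.

Added example, not code from the original article. Input is a list of
(block_id, html) pairs as you would get from
``SELECT block_id, content FROM cms_block``; the sample rows below are
constructed, and the obfuscation marker list is a tunable assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# GTM container ids have the form GTM-XXXXXXX (upper-case letters and digits).
GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,10}\b")
# Any <script ...>...</script> element, inline or external (DOTALL spans newlines).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Heuristic markers for encoded/obfuscated inline payloads (assumption: adjust per site).
OBFUSCATION_MARKERS = ("atob(", "eval(", "unescape(", "fromCharCode", "\\x")


@dataclass
class Finding:
    block_id: int
    identifier: str  # the GTM id, or the first 40 chars of the suspicious script
    kind: str        # "unknown_gtm_container" or "obfuscated_inline_script"


def find_gtm_ids(html: str) -> set[str]:
    """Return every GTM container id referenced anywhere in the block."""
    return set(GTM_ID_RE.findall(html))


def inline_script_bodies(html: str) -> list[str]:
    """Return bodies of inline <script> elements; external loaders have empty bodies."""
    return [body.strip() for body in SCRIPT_RE.findall(html) if body.strip()]


def audit_block(block_id: int, html: str, allowed_ids: set[str]) -> list[Finding]:
    """Flag unregistered GTM ids and inline scripts that look encoded."""
    findings: list[Finding] = []
    for gtm_id in sorted(find_gtm_ids(html) - allowed_ids):
        findings.append(Finding(block_id, gtm_id, "unknown_gtm_container"))
    for body in inline_script_bodies(html):
        if any(marker in body for marker in OBFUSCATION_MARKERS):
            findings.append(Finding(block_id, body[:40], "obfuscated_inline_script"))
    return findings


def audit_blocks(rows: list[tuple[int, str]], allowed_ids: set[str]) -> list[Finding]:
    """Run audit_block over every row and concatenate the findings."""
    out: list[Finding] = []
    for block_id, html in rows:
        out.extend(audit_block(block_id, html, allowed_ids))
    return out


# Constructed sample rows: one legitimate container, one plain block, one
# block loading the container id named in the report plus an encoded payload.
SAMPLE_ROWS = [
    (1, "<!-- site's own GTM loader -->\n"
        "<script>(function(w,d,s,l,i){...})(window,document,'script','dataLayer','GTM-ALLOWED1');</script>"),
    (2, "<p>Free shipping on orders over $50</p>"),
    (3, "<script src=\"https://www.googletagmanager.com/gtm.js?id=GTM-MLHK2N68\"></script>\n"
        "<script>eval(atob('...'));</script>"),
]
ALLOWED_IDS = {"GTM-ALLOWED1"}  # constructed allowlist of the site's registered containers

if __name__ == "__main__":
    for finding in audit_blocks(SAMPLE_ROWS, ALLOWED_IDS):
        print(f"block {finding.block_id}: {finding.kind} -> {finding.identifier}")
```

Run it against a real dump by replacing `SAMPLE_ROWS` with the query result and `ALLOWED_IDS` with the container ids your marketing team actually owns; an id you cannot account for is the signal the report describes, and the marker check only narrows where to look first. The same allowlist comparison applies to any other place Magento lets you store markup (theme templates, `design/head/includes`, page content).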

A History of GTM Abuse

This isn't the first time Google Tag Manager has been hijacked for malicious purposes. Back in April 2018, GTM was misused in a malvertising campaign that aimed to generate revenue through pop-ups and redirects. This recent abuse highlights the continuing risk of cybercriminals exploiting popular web management tools.

Legal Action and Consequences for Cybercriminals

In connection with the broader trend of payment card skimming, the U.S. Department of Justice (DoJ) has charged two Romanian nationals—Andrei Fagaras and Tamas Kolozsvari. They are facing multiple counts of access device fraud related to a widespread skimming operation in the Eastern District of Louisiana. If convicted, the suspects could face up to 15 years in prison, hefty fines, and significant supervised release terms.

This latest breach underscores the importance of securing e-commerce platforms and carefully monitoring the tools integrated into websites to prevent abuse.
