Attackers have found a new way to abuse Google Tag Manager, inserting malicious code into e-commerce websites built on the Magento platform. The code harvests payment card data, a fresh variant of Magecart attack that hides behind Google's legitimate website marketing tool.
According to researchers at Sucuri, an ongoing Magecart campaign plants code on e-commerce sites that masquerades as a standard Google Tag Manager (GTM) and Google Analytics tracking script, loading it from the site's database rather than from a file on disk. Such tracking scripts are normally used for analytics and advertising; the version used in this campaign has been modified to act as a credit card skimmer on the infected site, Sucuri disclosed in a recent blog post.
“In the GTM tag, an encoded JavaScript payload was detected acting as a credit card skimmer,” wrote Sucuri security analyst Puja Srivastava in the blog post. “This script was constructed to gather sensitive data inputted by users during the checkout process and transmit it to a remote server controlled by the attackers.”
Thus far, Sucuri has identified at least six sites impacted by this campaign, indicating that multiple sites are currently under threat, Srivastava reported.
The attack is an atypical Magecart assault in that it rides on a legitimate, free Google tool that lets website owners manage and deploy marketing tags without directly editing the site's code. GTM lets marketers add or change a tracking or ad tag without involving developers each time.
Sucuri investigators were alerted to the Magecart activity by a client who noticed that credit card payment data was being stolen from their e-commerce site. Further examination found the malware being loaded not from a file but from the site's Magento database: the content column of the cms_block table, which holds the HTML of CMS blocks that the storefront renders. The injected content carried a GTM tag into which an encoded JavaScript payload acting as a credit card skimmer had been inserted.
The attackers obfuscated the script with a lookup function named _0x5cdc that maps numeric index values to characters in an array, so the strings the script works with never appear in plain text, Srivastava outlined. The script also wraps the indexes in arithmetic inside a loop to complicate analysis further, and it uses Base64 encoding, a common way for attackers to disguise a script's true intent.
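Sucuri's post does not reproduce the skimmer, and the following is not it. It is an added example of how an analyst statically resolves the obfuscation pattern just described: a character array, a lookup function that subtracts an offset from its index, and a Base64-wrapped literal. Only the lookup function's name _0x5cdc comes from the article; the array, the offset, the sample script and the helper names are assumptions made for this illustration.

```javascript
// Added example, not code from Sucuri's post: a static resolver for the
// string-array obfuscation pattern. The sample below is a harmless stand-in
// whose shape (array + offset lookup + atob literal) is an assumption.

// Constructed sample; only the lookup function's name comes from the article.
const SAMPLE = [
  "var _0x3f = ['c','h','e','k','o','u','t'];",
  "function _0x5cdc(i) { return _0x3f[i - 0x10]; }",
  "var target = _0x5cdc(0x10)+_0x5cdc(0x11)+_0x5cdc(0x12)+_0x5cdc(0x10)",
  "  +_0x5cdc(0x13)+_0x5cdc(0x14)+_0x5cdc(0x15)+_0x5cdc(0x16);",
  "var attr = atob('Y2FyZC1udW1iZXI=');",
].join("\n");

// Locate the string array: var _0xNAME = [ 'a', 'b', ... ];
// (Limitation: an element containing ']' would cut the match short.)
function parseStringArray(src) {
  const m = /var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\]\s*;?/i.exec(src);
  if (!m) return null;
  const items = [];
  const lit = /'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"/g;
  let e;
  while ((e = lit.exec(m[2])) !== null) items.push(e[1] !== undefined ? e[1] : e[2]);
  return { name: m[1], items, text: m[0] };
}

// Locate the lookup: function _0xFN(i) { return _0xNAME[i - 0x10]; }
// and turn "i - 0x10" into a signed delta applied to the call argument.
function parseLookup(src, arrayName) {
  const re = new RegExp(
    "function\\s+(_0x[0-9a-f]+)\\s*\\(\\s*(\\w+)\\s*\\)\\s*\\{\\s*return\\s+" + arrayName +
    "\\s*\\[\\s*(\\w+)\\s*([+-])\\s*(0x[0-9a-f]+|\\d+)\\s*\\]\\s*;?\\s*\\}", "i");
  const m = re.exec(src);
  if (!m || m[2] !== m[3]) return null;           // index var must be the parameter
  const delta = (m[4] === "-" ? -1 : 1) * Number(m[5]);
  return { name: m[1], delta, text: m[0] };
}

// Resolve lookups to literals, decode atob() literals, merge "a"+"b" chains,
// and drop the now-unused array and lookup definitions.
function deobfuscate(src) {
  const arr = parseStringArray(src);
  if (!arr) return src;
  const fn = parseLookup(src, arr.name);
  if (!fn) return src;
  let out = src;
  const callRe = new RegExp("\\b" + fn.name + "\\s*\\(\\s*(0x[0-9a-f]+|\\d+)\\s*\\)", "gi");
  out = out.replace(callRe, (_, idx) => {
    const v = arr.items[Number(idx) + fn.delta];
    return v === undefined ? "/*unresolved " + idx + "*/undefined" : JSON.stringify(v);
  });
  out = out.replace(/atob\(\s*(['"])([A-Za-z0-9+\/=]+)\1\s*\)/g,
    (_, q, b64) => JSON.stringify(Buffer.from(b64, "base64").toString("utf8")));
  const concatRe = /"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"/g;
  let prev;
  do { prev = out; out = out.replace(concatRe, '"$1$2"'); } while (out !== prev);
  return out.replace(arr.text, "").replace(fn.text, "").trim();
}

// Convenience: every string literal left after deobfuscation, in order.
function extractStrings(src) {
  const cleaned = deobfuscate(src);
  const found = [];
  const re = /"((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = re.exec(cleaned)) !== null) found.push(JSON.parse(m[0]));
  return found;
}

console.log(deobfuscate(SAMPLE));
console.log(extractStrings(SAMPLE));
```

The point of resolving statically rather than running the script in a sandbox is that the resolved literals (form selectors, field names, the exfiltration host) become grep-able indicators for the rest of the site and for the GTM container, without executing attacker code. Real samples usually add more layers (the arithmetic loop the article mentions, or a second array shuffle), so expect to extend the parser rather than get a one-shot result.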
Furthermore, the researchers came across a backdoor in one of the website's files that had not yet been put to use; it could have been used to reinfect the site and give the attackers persistent access, Srivastava cautioned. This matches earlier Magecart tradecraft of planting backdoors on compromised sites so the malware is redeployed automatically after a cleanup.
Sucuri has previously looked into malicious activity leveraging GTM to conceal other forms of malicious behavior, encompassing malvertising in addition to malicious pop-ups and redirects.
“Magecart” denotes a loose alliance of cybercriminal groups engaged in online payment card-skimming attacks. These attacks typically insert card skimmers into websites to seize payment card data for later monetization. Notable organizations targeted by such attacks include Ticketmaster, British Airways, and the Green Bay Packers NFL team.
Once the source of infection was pinpointed on their client’s site, Sucuri researchers eradicated the malicious code from any other compromised areas of the website, while also clearing out the obfuscated script and backdoor to forestall malware reinfestation.
To check whether an e-commerce site has been hit by this campaign, administrators are advised to log into GTM, identify any suspicious tags in use on the site and remove them, Sucuri recommended. Because the skimmer in this case was loaded from the site's database rather than from the GTM container alone, they should also run a comprehensive website scan, database included, for additional malware or backdoors, and remove any malicious scripts or backdoor files found.
E-commerce sites running on Magento, and their extensions, should be kept current with the latest security patches, and site administrators should regularly monitor e-commerce traffic and GTM activity for anomalies.
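The advice above is a manual review. As an added example (not Sucuri's tooling), the following Node script turns it into a repeatable indicator scan over the two places this campaign touched: rows from Magento's cms_block table and Custom HTML tags from a GTM container export. The indicators follow the article (inline script in a CMS block, a GTM loader reference, `_0x`-style identifiers, Base64 decoding and long encoded literals); the weights, thresholds, the layout assumed for the container export and all sample data are constructed for this illustration.

```javascript
// Added example, not from the Sucuri write-up: indicator scan for the kind of
// skimmer the article describes. Weights, thresholds and samples are assumed.

const INDICATORS = [
  { name: "inline_script",   weight: 1, re: /<script\b[^>]*>\s*\S[\s\S]*?<\/script>/i },
  { name: "gtm_loader",      weight: 1, re: /googletagmanager\.com\/gtm\.js/i },
  { name: "hex_identifiers", weight: 3, re: /\b_0x[0-9a-f]{2,}\b/i },
  { name: "decoder_calls",   weight: 2, re: /\b(?:atob|eval|unescape|String\.fromCharCode)\s*\(/ },
  { name: "long_base64",     weight: 2, re: /[A-Za-z0-9+\/]{40,}={0,2}/ },
];

// Score one item {source, name, content}; severity bands are an assumption.
function scanItem(item) {
  const hits = INDICATORS.filter((ind) => ind.re.test(item.content || ""));
  const score = hits.reduce((s, ind) => s + ind.weight, 0);
  const severity = score >= 5 ? "high" : score >= 3 ? "review" : score > 0 ? "low" : "clean";
  return { source: item.source, name: item.name, score, severity, indicators: hits.map((h) => h.name) };
}

// Rows as returned by: SELECT block_id, identifier, content FROM cms_block;
function itemsFromCmsBlocks(rows) {
  return rows.map((r) => ({ source: "cms_block", name: r.block_id + ":" + r.identifier, content: r.content }));
}

// Custom HTML tags from a GTM container export. Assumed layout:
// containerVersion.tag[] with type "html" and a parameter keyed "html".
function itemsFromGtmExport(exportJson) {
  const tags = (exportJson.containerVersion && exportJson.containerVersion.tag) || [];
  return tags.filter((t) => t.type === "html").map((t) => {
    const p = (t.parameter || []).find((x) => x.key === "html");
    return { source: "gtm_tag", name: t.name, content: p ? p.value : "" };
  });
}

function scanItems(items) {
  return items.map(scanItem).sort((a, b) => b.score - a.score);
}

// Constructed sample data (no real skimmer): a plain HTML block, the standard
// GTM loader snippet, and a block carrying the obfuscation tell-tales.
const GTM_SNIPPET = "<!-- Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];" +
  "w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0]," +
  "j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;" +
  "j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);" +
  "})(window,document,'script','dataLayer','GTM-XXXXXXX');</script><!-- End Google Tag Manager -->";
const FAKE_PAYLOAD = Buffer.from("constructed sample payload, not a real skimmer").toString("base64");
const SAMPLE_ROWS = [
  { block_id: 1, identifier: "footer_links", content: '<div class="footer"><a href="/contact">Contact</a></div>' },
  { block_id: 2, identifier: "gtm_head", content: GTM_SNIPPET },
  { block_id: 3, identifier: "gtm_tracking", content:
      "<script>var _0x2a=['a','b'];var _0x5cdc=function(i){return _0x2a[i-0x1f];};" +
      "var s=document.createElement('script');s.src='https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX';" +
      "document.head.appendChild(s);eval(atob('" + FAKE_PAYLOAD + "'));</script>" },
];
const SAMPLE_GTM_EXPORT = {
  containerVersion: { tag: [
    { name: "GA4 Config", type: "gaawc", parameter: [] },
    { name: "Custom HTML - checkout", type: "html",
      parameter: [{ type: "TEMPLATE", key: "html", value: "<script>var _0x5cdc=function(i){return atob(i)};</script>" }] },
  ] },
};

for (const r of scanItems(itemsFromCmsBlocks(SAMPLE_ROWS).concat(itemsFromGtmExport(SAMPLE_GTM_EXPORT)))) {
  console.log(r.severity.padEnd(7), r.score, r.source, r.name, r.indicators.join(","));
}
```

In practice, feed it the real `SELECT block_id, identifier, content FROM cms_block` result and the JSON export of the GTM container (Admin > Export Container), then treat every "high" item as something to pull and deobfuscate, and every "low" GTM loader hit as a container ID to verify against the account that is supposed to own it. A legitimate GTM snippet in a CMS block scores low but not clean on purpose: the campaign's whole trick is that the malicious block looks like that snippet at a glance.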